Most Linux systems allow you to boot into single user mode (also called maintenance mode), in which only a minimal set of device drivers and services is loaded during boot so that a single user (usually the superuser) can troubleshoot or perform administrative tasks such as repairing corrupted filesystems. In single user mode, the user is dropped into a terminal shell without logging in and can run commands to perform the required tasks. This is a limited shell, but it has access to the entire filesystem. This can be a security issue, since it allows a user to access the entire filesystem via a shell without any login credentials. It is therefore essential to password protect single user mode and prevent unauthorized access. In this article, we will learn how to set a password for single user mode in Linux.
How to Set Password for Single User Mode in Linux
In RHEL/CentOS, some parts of single user mode are password protected while the rest are not. For example, the rescue and emergency targets are password protected. If you run either of the following commands to switch to the rescue or emergency target, you will be asked for the root password.
# systemctl isolate rescue.target
OR
# systemctl isolate emergency.target
However, if an unauthorized user has access to the server, they can select the kernel to boot from the GRUB menu and press ‘e’ to edit the first boot option. By changing ro to “rw init=/sysroot/bin/sh”, the user can boot into single user mode without needing the root password.
So it is important to add a password to GRUB to protect single user mode on RHEL/CentOS systems.
To do this, set a strong password using the grub2-setpassword utility, which stores it as a hash. When you run the following command, you will be asked twice for the GRUB password.
# grub2-setpassword
The password hash is stored in /boot/grub2/user.cfg and the user is defined in /boot/grub2/grub.cfg. You can view the password hash using the following command.
# cat /boot/grub2/user.cfg
Open the /boot/grub2/grub.cfg file and search for the boot entry, which starts with menuentry. Once you have located it, remove the --unrestricted parameter from it.
Save and close the file. Now reboot the system and try to modify the boot entries by pressing the ‘e’ key. You will be prompted for the password.
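To confirm the result of the steps above, the following shell functions check that user.cfg holds a GRUB password hash and list any menuentry that still carries --unrestricted. This is an added example, not part of the original article; the function names are hypothetical, and the demo runs on constructed sample files rather than the real files under /boot/grub2.

```bash
#!/bin/sh
# Added example: audit the two settings changed in this article.
# Function names are hypothetical; sample files in demo() are constructed.

# Succeeds if the file holds a PBKDF2 hash as written by grub2-setpassword.
grub_password_set() {
    [ -r "$1" ] && grep -Eq '^GRUB2_PASSWORD=grub\.pbkdf2\.' "$1"
}

# Prints, with line numbers, each menuentry that still has --unrestricted.
unrestricted_entries() {
    grep -En '^[[:space:]]*menuentry[[:space:]].*--unrestricted' "$1"
}

# Usage: audit_grub USER_CFG GRUB_CFG; returns 0 only if both checks pass.
audit_grub() {
    rc=0
    [ -r "$2" ] || { echo "FAIL: cannot read $2"; return 1; }
    if ! grub_password_set "$1"; then
        echo "FAIL: no GRUB password hash in $1"; rc=1
    fi
    if unrestricted_entries "$2" >/dev/null; then
        echo "FAIL: menu entries marked --unrestricted in $2:"
        unrestricted_entries "$2"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: password hash present, no --unrestricted entries"
    return "$rc"
}

# Demo on constructed files: audit before and after the article's edit.
demo() {
    d=$(mktemp -d) || return 1
    echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.EXAMPLESALT.EXAMPLEHASH' > "$d/user.cfg"
    cat > "$d/grub.cfg" <<'EOF'
menuentry 'Example Linux' --class os --unrestricted $menuentry_id_option 'example-id' {
        linux16 /vmlinuz-example root=/dev/mapper/example-root ro
}
EOF
    audit_grub "$d/user.cfg" "$d/grub.cfg"    # expected to FAIL
    sed 's/ --unrestricted//' "$d/grub.cfg" > "$d/grub.fixed"  # edit a copy
    audit_grub "$d/user.cfg" "$d/grub.fixed"; demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

# ./script --demo runs the demo; ./script USER_CFG GRUB_CFG audits real files.
if [ "${1:-}" = "--demo" ]; then demo
elif [ "$#" -eq 2 ]; then audit_grub "$1" "$2"
fi
```

To audit the real files, run it as root with /boot/grub2/user.cfg and /boot/grub2/grub.cfg as the two arguments. GRUB's --unrestricted option controls who may boot an entry, so once it is removed a normal boot of that entry also asks for the GRUB password.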
In this article, we have learnt how to password protect single user mode in CentOS/RHEL by setting a password for GRUB. It is important to password protect single user mode so that only authorized users can access it.
Sreeram has more than 10 years of experience in web development, Python, Linux, SQL and database programming.