
7.31.2013

Password Protect Single User Mode in Red Hat or CentOS

Allowing passwordless access to single user mode in Linux is a major security risk: anyone at the console gets a root shell. Requiring the root password before the system enters single user mode is a good idea.

How to require password for single user mode in CentOS 5 / RedHat 5:
Insert the following line into the /etc/inittab file, above the line containing initdefault:
su:S:wait:/sbin/sulogin
NOTE: It must be above the line with initdefault in order to work. Example:
# Password required for single user mode.
su:S:wait:/sbin/sulogin
# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
id:3:initdefault:

How to require password for single user mode in CentOS 6 / RedHat 6:
Edit the file /etc/sysconfig/init and change the following line:
SINGLE=/sbin/sushell
to
SINGLE=/sbin/sulogin


NOTE: You can also use sed to change the file like so:
sed -i 's/SINGLE=\/sbin\/sushell/SINGLE=\/sbin\/sulogin/' /etc/sysconfig/init
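
An added audit script, not part of the original post, that checks whether either setting described above is in place. The function names, return codes and sample files are constructed for this example; the paths default to the ones named in the post, and return code 3 reflects the post's note about placing the entry above initdefault.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two settings above.
# Return codes: 0 = sulogin enforced, 1 = not enforced, 2 = file unreadable,
# 3 = (inittab only) entry present but below initdefault.

# CentOS/RHEL 5: look for an active "id:S:wait:/sbin/sulogin" inittab entry.
check_inittab() {
    f="${1:-/etc/inittab}"
    [ -r "$f" ] || return 2
    # inittab fields are id:runlevels:action:process; '#' lines are comments.
    awk -F: '
        /^[ \t]*#/ { next }
        $3 == "initdefault" && !dflt { dflt = NR }
        $2 ~ /S/ && $3 == "wait" && $4 ~ /^\/sbin\/sulogin/ && !entry { entry = NR }
        END {
            if (!entry) exit 1
            if (dflt && entry > dflt) exit 3   # the post says: keep it above
            exit 0
        }' "$f"
}

# CentOS/RHEL 6: SINGLE in /etc/sysconfig/init must be /sbin/sulogin.
check_sysconfig_init() {
    f="${1:-/etc/sysconfig/init}"
    [ -r "$f" ] || return 2
    # Assumption: the last uncommented SINGLE= assignment is the effective one.
    val=$(sed -n 's/^[[:space:]]*SINGLE=//p' "$f" | tail -n 1 | tr -d "\"' ")
    [ "$val" = "/sbin/sulogin" ]
}

# Demo on constructed sample files (not real system files).
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '# constructed sample' 'su:S:wait:/sbin/sulogin' \
        'id:3:initdefault:' > "$d/inittab"
    printf '%s\n' 'BOOTUP=color' 'SINGLE=/sbin/sushell' > "$d/init"
    rc=0; check_inittab "$d/inittab" || rc=$?
    echo "inittab check rc=$rc"
    rc=0; check_sysconfig_init "$d/init" || rc=$?
    echo "sysconfig check rc=$rc"
    rm -rf "$d"
}
demo
```

Call check_inittab or check_sysconfig_init with no argument to audit the live file on the matching release.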

6 comments:

  1. I was working with this on a RHEL5 box and had a script to just append '~:S:wait:/sbin/sulogin' to the end of /etc/inittab and it seems to work the same no matter where in the file I put it.

    Not sure if this could be from a later update, but figured I'd let you know as an FYI.

    Also, thanks for the RHEL6 info as I had not realized that the syntax was different. That will certainly help as I make these changes!

  2. Sir, what are the advantages of password protecting Single User Mode?

    1. Password protecting single user mode is one way to make sure that someone who has physical access to the machine does not get elevated privileges without the root password.

    2. If someone with bad intentions can access your machine physically and get to Single User mode, the device is no longer yours, because he can get root privileges and do a lot of damage to your system.

  3. What are the advantages of password protecting Single User Mode over Password Protecting the GRUB boot loader?

    1. They are two different things, but have similar functions. If you password protect grub bootloader, this will stop someone from entering single user mode without the grub password. It will also prevent other configuration changes in the bootloader. If you use a single user mode password, it will only require a password when trying to enter single user mode, but will still allow bootloader configuration changes.
