Voozh

In one of our earlier articles, we described how to boot into single user mode on CentOS 7. It is also known as “maintenance mode”, where Linux only starts a handful of services for basic functionality to allow a single user (typically a superuser) perform certain administrative tasks such as using fsck to repair corrupted filesystems.

In single user mode, the system executes a single-user shell where you can run commands without any login credentials (username and password), you land straight in a limited shell with access to the entire filesystem.

This is a massive security hole since it gives intruders direct access to a shell (and possible access to the the entire filesystem). Therefore, it’s important to password protect the single user mode on CentOS 7 as explained below.

In CentOS/RHEL 7, the rescue and emergency targets (which are also single-user modes) are password protected by default.

For example when you try to change the target (runlevel) via systemd to rescue.target (also emergency.target), you will be asked for a root password as shown in the following screenshot.

# systemctl isolate rescue.target
OR
# systemctl isolate emergency.target

👁 Single User Mode in CentOS 7

Single User Mode in CentOS 7

However, if an intruder has physical access to a server, he or she can select a kernel to boot from the grub menu item by pressing e key to edit the first boot option.

On the the kernel line that starts with “linux16“, he/she can change the argument ro to “rw init=/sysroot/bin/sh” and boot into single user mode on CentOS 7 without the system asking for a root password, even if the line SINGLE=/sbin/sushell is changed to SINGLE=/sbin/sulogin in the file /etc/sysconfig/init.

👁 Change CentOS Boot Options

Change CentOS Boot Options

So, the only way to password protect single user mode in CentOS 7 is to protect GRUB with password using the following instructions.

How to Password Protect Grub in CentOS 7

First create a strong encrypted password using grub2-setpassword utility as shown.

# grub2-setpassword

👁 Create Encrypted Password for GRUB

Create Encrypted Password for GRUB

The Hash for the password is stored in /boot/grub2/user.cfg & user i.e.”root” is defined in /boot/grub2/grub.cfg file, you can view the password using cat command as shown.

# cat /boot/grub2/user.cfg

👁 GRUB Password

GRUB Password

Now open /boot/grub2/grub.cfg file and search for the boot entry that you want to password protect, it starts with menuentry. Once the entry is located, remove the --unrestricted parameter from it.

👁 Password Protect Grub in CentOS 7

Password Protect Grub in CentOS 7

Save the file and close, now try to reboot the CentOS 7 system and modify the boot entries by pressing e key, you will be asked to provide the credentials as shown.

👁 Password Protected Grub

Password Protected Grub

👁 CentOS 7 Boot Configuration

CentOS 7 Boot Configuration

That’s it. You have successfully password protected your CentOS 7 GRUB-menu.

If this article helped, share it with someone on your team.

TecMint Weekly Newsletter

Get the Learn Linux 7 Days Crash Course free when you join 34,000+ Linux professionals reading every Thursday.

Check your email for a magic link to get started.

Something went wrong. Please try again.

☕

TecMint has been free for 14 years. Help keep it that way.

Google AI Overviews and tools like ChatGPT have cut into search traffic for independent tech sites like TecMint. Running this site costs over $2,000 every month for hosting, infrastructure, and paying authors to keep the content accurate and tested.

If this article helped you solve a problem, consider buying a coffee. It helps keep TecMint free, supports the authors, and keeps the project going.

☕ Buy Me a Coffee

URL: https://www.tecmint.com/password-protect-single-user-mode-in-centos-7/

⇱ How to Password Protect Single User Mode in CentOS 7

How to Password Protect Grub in CentOS 7

Related Posts

Got Something to Say? Join the Discussion... Cancel reply