OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: nitish.patel on September 15, 2023, 09:08:51 AM

Title: How to restrict single user mode?
Post by: nitish.patel on September 15, 2023, 09:08:51 AM
I am trying to restrict the user from logging in to single user mode, so that they cannot change the root password, in the OPNsense firewall.
Title: Re: How to restrict single user mode?
Post by: franco on September 15, 2023, 09:25:28 AM
So what's your threat model?


Cheers,
Franco
Title: Re: How to restrict single user mode?
Post by: nitish.patel on September 15, 2023, 09:33:10 AM
Currently I am using OPNsense 23.7. Users are able to change the root password using single user mode; I want to prevent this.

Cheers,
Nitish
Title: Re: How to restrict single user mode?
Post by: franco on September 15, 2023, 09:46:46 AM
I'm not sure you know how this works.

In order to boot single user mode and modify things the user needs to be in front of the physical hardware with a keyboard and monitor attached. In case of a VM the user needs console access through the hypervisor.

I'm doubting both things are issues for you. And if you are worried about physical access you can lock the room the hardware is in. ;)


Cheers,
Franco
Title: Re: How to restrict single user mode?
Post by: Patrick M. Hausen on September 15, 2023, 12:35:33 PM
You can remove the 'secure' keyword from the console tty in '/etc/ttys'. It will then be necessary to provide the current root password to log in to single user mode.

Anyway with physical access anyone could boot a live system from e.g. a USB drive, mount the root filesystem or ZFS pool and work from there.

So as @franco wrote, the only real option is to lock the machine away.
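
Added example, not part of any post in this thread: a small check for the '/etc/ttys' setting described above, reporting whether the console entry still carries the 'secure' keyword. The function names `console_flag` and `audit` are hypothetical, the sample file is constructed, and the script assumes the FreeBSD ttys layout (name, getty command, type, then flags).

```shell
#!/bin/sh
# Added example: does single user mode ask for the root password?
# Assumes the FreeBSD ttys layout: name, getty command, type, then flags.

# console_flag FILE -> prints "secure", "not-secure" or "missing"
console_flag() {
    awk '
        { sub(/#.*/, "") }                  # ignore comments
        $1 == "console" {
            found = 1; state = "not-secure"
            for (i = 2; i <= NF; i++)
                if ($i == "secure") state = "secure"
        }
        END { print (found ? state : "missing") }
    ' "$1"
}

# audit FILE -> returns 0 only if the console entry lacks the secure keyword
audit() {
    case "$(console_flag "$1")" in
        not-secure) echo "$1: console not marked secure; root password required for single user mode"; return 0 ;;
        secure)     echo "$1: console marked secure; single user mode gives a root shell without a password"; return 1 ;;
        *)          echo "$1: no console entry found"; return 1 ;;
    esac
}

# Constructed sample input (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name  getty                           type    status
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         xterm   onifexists secure
EOF
audit "$sample" || true
rm -f "$sample"
```

On the firewall itself the call would be `audit /etc/ttys`. A passing result covers only the single user prompt, not booting from other media as noted in the thread.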