I am trying to restrict the user to login single user mode, so that they cannot change the root password, in OPNsense firewall.
So what's your threat model?
Cheers,
Franco
Currently I am using OPNSense 23.7, user's are abled to change the root password using the single user mode, I want to prevent this.
Cheers,
Nitish
I'm not sure you know how this works.
In order to boot single user mode and modify things the user needs to be in front of the physical hardware with a keyboard and monitor attached. In case of a VM the user needs console access through the hypervisor.
I'm doubting both things are issues for you. And if you are worried about physical access you can lock the room the hardware is in. ;)
Cheers,
Franco
You can remove the 'secure' keyword from the console tty in '/etc/ttys'. It will then be necessary to provide the current root password to login to single user mode.
Anyway with physical access anyone could boot a live system from e.g. a USB drive, mount the root filesystem or ZFS pool and work from there.
So as @franco wrote, the only real option is to local the machine away.