Author Topic: How to restrict single user mode? (Read 1029 times)

nitish.patel · « **on:** September 15, 2023, 09:08:51 am »

I am trying to restrict the user to login single user mode, so that they cannot change the root password, in OPNsense firewall.

franco · « **Reply #1 on:** September 15, 2023, 09:25:28 am »

So what's your threat model?

Cheers,
Franco

nitish.patel · « **Reply #2 on:** September 15, 2023, 09:33:10 am »

Currently I am using OPNSense 23.7, user's are abled to change the root password using the single user mode, I want to prevent this.

Cheers,
Nitish

franco · « **Reply #3 on:** September 15, 2023, 09:46:46 am »

I'm not sure you know how this works.

In order to boot single user mode and modify things the user needs to be in front of the physical hardware with a keyboard and monitor attached. In case of a VM the user needs console access through the hypervisor.

I'm doubting both things are issues for you. And if you are worried about physical access you can lock the room the hardware is in.

Cheers,
Franco

Patrick M. Hausen · « **Reply #4 on:** September 15, 2023, 12:35:33 pm »

You can remove the 'secure' keyword from the console tty in '/etc/ttys'. It will then be necessary to provide the current root password to login to single user mode.

Anyway with physical access anyone could boot a live system from e.g. a USB drive, mount the root filesystem or ZFS pool and work from there.

So as @franco wrote, the only real option is to local the machine away.

Author Topic: How to restrict single user mode? (Read 1029 times)

nitish.patel

How to restrict single user mode?

franco

Re: How to restrict single user mode?

nitish.patel

Re: How to restrict single user mode?

franco

Re: How to restrict single user mode?

Patrick M. Hausen

Re: How to restrict single user mode?