How to restrict single user mode?

Started by nitish.patel, September 15, 2023, 09:08:51 AM

I am trying to restrict users from logging in to single user mode, so that they cannot change the root password, on an OPNsense firewall.

So what's your threat model?


Cheers,
Franco

Currently I am using OPNsense 23.7. Users are able to change the root password using single user mode, and I want to prevent this.

Cheers,
Nitish

I'm not sure you know how this works.

In order to boot single user mode and modify things the user needs to be in front of the physical hardware with a keyboard and monitor attached. In case of a VM the user needs console access through the hypervisor.

I'm doubting both things are issues for you. And if you are worried about physical access you can lock the room the hardware is in. ;)


Cheers,
Franco

You can remove the 'secure' keyword from the console tty in '/etc/ttys'. It will then be necessary to provide the current root password to log in to single user mode.

Anyway with physical access anyone could boot a live system from e.g. a USB drive, mount the root filesystem or ZFS pool and work from there.

So as @franco wrote, the only real option is to lock the machine away.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
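
The `/etc/ttys` change described in the reply above, as an added example that is not part of the original thread: a small audit that reports how the console line is marked and prints a copy with `secure` switched to `insecure`, the explicit keyword form of dropping `secure`. The function names and the sample file are constructed for illustration; the script only touches a temporary copy, never the real `/etc/ttys`.

```shell
#!/bin/sh
# Report how the console line of a ttys(5) file is marked.
# Prints "secure"   (single user mode hands out a root shell, no password),
#        "insecure" (init asks for the root password first) or "missing".
console_status() {
    awk '
        /^[[:space:]]*#/ { next }            # skip full-line comments
        $1 == "console" {
            found = 1; state = "insecure"    # no "secure" keyword: password required
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break         # stop at a trailing comment
                if ($i == "secure") state = "secure"
            }
        }
        END { print (found ? state : "missing") }
    ' "$1"
}

# Print a copy of the file with only the console line switched to "insecure".
# Writes to stdout so the result can be reviewed before replacing anything.
harden_console() {
    sed -E '/^console[[:space:]]/ s/([[:space:]])secure([[:space:]]|$)/\1insecure\2/' "$1"
}

# Constructed sample input, modelled on the layout of a FreeBSD ttys file.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ttys" <<'EOF'
# name  getty                           type    status          comments
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         xterm   onifexists secure
EOF

echo "before: $(console_status "$tmp/ttys")"
harden_console "$tmp/ttys" > "$tmp/ttys.new"
echo "after:  $(console_status "$tmp/ttys.new")"
```

As the same reply points out, this only covers the single user mode prompt; it does nothing against someone who boots the machine from other media.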