How to Password Protect Single User Mode in CentOS 7

In one of our earlier articles, we described how to boot into single user mode on CentOS 7. It is also known as “maintenance mode”, where Linux starts only a handful of services for basic functionality to allow a single user (typically a superuser) to perform certain administrative tasks, such as using fsck to repair corrupted filesystems.

In single user mode, the system executes a single-user shell where you can run commands without any login credentials (username and password). You land straight in a limited shell with access to the entire filesystem.

This is a massive security hole since it gives intruders direct access to a shell (and possible access to the entire filesystem). Therefore, it’s important to password protect the single user mode on CentOS 7 as explained below.

In CentOS/RHEL 7, the rescue and emergency targets (which are also single-user modes) are password protected by default.

For example, when you try to change the target (runlevel) via systemd to rescue.target (or emergency.target), you will be asked for the root password as shown in the following screenshot.

# systemctl isolate rescue.target
OR
# systemctl isolate emergency.target
Single User Mode in CentOS 7

However, if an intruder has physical access to a server, he or she can select a kernel to boot from the GRUB menu and press the e key to edit the first boot option.

On the kernel line that starts with “linux16”, he/she can change the argument ro to “rw init=/sysroot/bin/sh” and boot into single user mode on CentOS 7 without the system asking for a root password. This works even if the line SINGLE=/sbin/sushell is changed to SINGLE=/sbin/sulogin in the file /etc/sysconfig/init.

Change CentOS Boot Options

So, the only way to password protect single user mode in CentOS 7 is to protect GRUB with a password using the following instructions.

How to Password Protect Grub in CentOS 7

First, create a strong encrypted password using the grub2-setpassword utility as shown.

# grub2-setpassword
Create Encrypted Password for GRUB

The hash of the password is stored in /boot/grub2/user.cfg, and the user (“root”) is defined in the /boot/grub2/grub.cfg file. You can view the stored password hash using the cat command as shown.

# cat /boot/grub2/user.cfg
GRUB Password

Now open the /boot/grub2/grub.cfg file and search for the boot entry that you want to password protect; it starts with menuentry. Once the entry is located, remove the --unrestricted parameter from it.

Password Protect Grub in CentOS 7

Save and close the file. Now reboot the CentOS 7 system and try to modify the boot entries by pressing the e key; you will be asked to provide the credentials as shown.

Password Protected Grub
CentOS 7 Boot Configuration

That’s it. You have successfully password protected your CentOS 7 GRUB-menu.
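To confirm both steps without rebooting, the following check is an added example (not part of the original article). The function names and the sample file contents are constructed for illustration; the sample hash is a placeholder, not real grub2-setpassword output.

```shell
#!/bin/sh
# Added example: audit GRUB2 password protection. Paths are arguments, so the
# checks can run against copies as well as the files under /boot/grub2.

# True if user.cfg carries a PBKDF2 hash in the form grub2-setpassword writes.
grub_password_set() {
    [ -r "$1" ] && grep -Eq \
      '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$' "$1"
}

# Print the title of each menuentry that still has --unrestricted.
unrestricted_entries() {
    sed -n "/^[[:space:]]*menuentry .*--unrestricted/s/^[[:space:]]*menuentry '\([^']*\)'.*/\1/p" "$1"
}

# Report both checks; returns 0 only when every entry needs the password.
audit_grub() {  # $1 = user.cfg  $2 = grub.cfg
    rc=0
    if grub_password_set "$1"; then
        echo "OK   password hash present in $1"
    else
        echo "FAIL no GRUB2_PASSWORD hash in $1"; rc=1
    fi
    open=$(unrestricted_entries "$2")
    if [ -n "$open" ]; then
        echo "FAIL entries still --unrestricted:"; echo "$open" | sed 's/^/     /'; rc=1
    else
        echo "OK   no --unrestricted entries in $2"
    fi
    return $rc
}

# Constructed sample files (not from a real host): one entry fixed, one not.
make_sample() {  # $1 = directory to write into
    printf 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.0A1B2C.3D4E5F\n' > "$1/user.cfg"
    cat > "$1/grub.cfg" <<'EOF'
menuentry 'CentOS Linux (sample-kernel) 7 (Core)' --class centos {
}
menuentry 'CentOS Linux (sample-rescue) 7 (Core)' --class centos --unrestricted {
}
EOF
}
# With two arguments audit those files; with none, audit the constructed sample.
if [ "$#" -eq 2 ]; then
    audit_grub "$1" "$2"
else
    d=$(mktemp -d) && make_sample "$d" && { audit_grub "$d/user.cfg" "$d/grub.cfg" || true; }
    rm -rf "$d"
fi
```

On a real system, run it as root with /boot/grub2/user.cfg and /boot/grub2/grub.cfg as the two arguments. Because grub.cfg is a generated file, run the check again whenever it is rebuilt.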
