How to Password Protect Single User Mode in CentOS 7

In one of our earlier articles, we described how to boot into single user mode on CentOS 7. It is also known as “maintenance mode”, in which Linux starts only a handful of services for basic functionality to allow a single user (typically a superuser) to perform certain administrative tasks such as using fsck to repair corrupted filesystems.

In single user mode, the system executes a single-user shell where you can run commands without any login credentials (username and password). You land straight in a limited shell with access to the entire filesystem.

This is a massive security hole since it gives intruders direct access to a shell (and possibly access to the entire filesystem). Therefore, it’s important to password protect the single user mode on CentOS 7 as explained below.

In CentOS/RHEL 7, the rescue and emergency targets (which are also single-user modes) are password protected by default.

For example, when you try to change the target (runlevel) via systemd to rescue.target (or emergency.target), you will be asked for the root password as shown in the following screenshot.

# systemctl isolate rescue.target
OR
# systemctl isolate emergency.target
Single User Mode in CentOS 7

However, if an intruder has physical access to a server, he or she can select a kernel to boot from the GRUB menu and press the e key to edit the first boot option.

On the kernel line that starts with “linux16”, he/she can change the argument ro to “rw init=/sysroot/bin/sh” and boot into single user mode on CentOS 7 without the system asking for a root password, even if the line SINGLE=/sbin/sushell is changed to SINGLE=/sbin/sulogin in the file /etc/sysconfig/init.

Change CentOS Boot Options

So, the only way to password protect single user mode in CentOS 7 is to protect GRUB with a password using the following instructions.

How to Password Protect Grub in CentOS 7

First, create a strong encrypted password using the grub2-setpassword utility as shown.

# grub2-setpassword
Create Encrypted Password for GRUB

The hash of the password is stored in /boot/grub2/user.cfg, and the user, i.e. “root”, is defined in the /boot/grub2/grub.cfg file. You can view the password hash using the cat command as shown.

# cat /boot/grub2/user.cfg
GRUB Password

Now open the /boot/grub2/grub.cfg file and search for the boot entry that you want to password protect; it starts with menuentry. Once the entry is located, remove the --unrestricted parameter from it.

Password Protect Grub in CentOS 7

Save the file and close it. Now reboot the CentOS 7 system and try to modify the boot entries by pressing the e key; you will be asked to provide the credentials as shown.

Password Protected Grub
CentOS 7 Boot Configuration

That’s it. You have successfully password protected your CentOS 7 GRUB menu.
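
To confirm both steps above took effect without rebooting, the following check can be run. It is an added example, not part of the original article; the function names are hypothetical and the sample files are constructed so the script also runs offline.

```shell
#!/bin/bash
# Audit a GRUB2 configuration for the two conditions the article relies on:
#   1. user.cfg holds a GRUB2_PASSWORD hash (written by grub2-setpassword)
#   2. no menuentry in grub.cfg still carries --unrestricted
# Function names are illustrative, not part of any GRUB tooling.

# Print "yes" if user.cfg defines a PBKDF2 password hash, otherwise "no".
has_grub_password() {
    if [ -r "$1" ] && grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Print the title of every menuentry that still has --unrestricted.
unrestricted_entries() {
    grep -E '^[[:space:]]*menuentry[[:space:]].*--unrestricted' "$1" 2>/dev/null |
        sed -E "s/^[[:space:]]*menuentry[[:space:]]+['\"]([^'\"]*)['\"].*/\1/"
}

# Return 0 only when a password is set and every entry is restricted.
audit_grub() {
    local grub_cfg="$1" user_cfg="$2" open
    open="$(unrestricted_entries "$grub_cfg")"
    [ "$(has_grub_password "$user_cfg")" = yes ] || { echo "FAIL: no GRUB2_PASSWORD in $user_cfg"; return 1; }
    [ -z "$open" ] || { echo "FAIL: entries usable without a password:"; echo "$open"; return 1; }
    echo "OK: password set, all entries restricted"
}

# Constructed sample files (not taken from a real system) for an offline run.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/grub.cfg" <<'EOF'
menuentry 'CentOS Linux (3.10.0-demo) 7 (Core)' --class centos --unrestricted $menuentry_id_option 'gnulinux-demo' {
        linux16 /vmlinuz-demo root=/dev/mapper/centos-root ro
}
menuentry 'CentOS Linux (0-rescue-demo) 7 (Core)' --class centos $menuentry_id_option 'gnulinux-rescue-demo' {
        linux16 /vmlinuz-0-rescue-demo root=/dev/mapper/centos-root ro
}
EOF
echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.CONSTRUCTED.PLACEHOLDER' > "$demo_dir/user.cfg"

audit_grub "$demo_dir/grub.cfg" "$demo_dir/user.cfg" || true
# On a real host: audit_grub /boot/grub2/grub.cfg /boot/grub2/user.cfg
```

grub2-mkconfig rewrites /boot/grub2/grub.cfg, so rerun the check after regenerating that file.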

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.
