Is there any way to protect the root password? People know how to change the root password through single-user mode. How can I make sure that no one can change the password of my machine through single-user mode?
Physical access to your system is control over your system. Prevent single-user mode, and they can boot to a different OS, or pull the drive and mount it on another system, and change your password on the filesystem.
Encryption is the only way to prevent access to your data when someone can physically touch the machine. And even then, it's not bulletproof.
However, if you are in an environment where people can access your machine without restrictions, then you have a problem with onsite security that you need to address. Short of encrypting your drive, your data will always have that risk of being physically compromised.
While @ShaneMadden really hits on the core problem here, that given physical access all bets are off, your next best bet would be to require password logins for single user mode. You can enable this by adding the following line to your /etc/inittab file.
~~:S:wait:/sbin/sulogin
Afterwards, whenever one enters into single user mode, the user is prompted for the root password instead of simply being dropped into a root shell.
Just keep in mind that this would simply be a protection within your security plan.
You can password protect grub so that people can't boot as a single user:
http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s3-bootloader-grub.html
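A check for both controls mentioned in the answers (the sulogin entry in /etc/inittab and a GRUB password), as an added example that is not part of the original posts. It assumes SysV init and GRUB legacy as on CentOS 5; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumes SysV init and GRUB
# legacy as on CentOS 5; paths are parameters so copies can be audited.

# Succeeds if an active inittab entry (id:runlevels:action:process) runs
# sulogin for runlevel S. Commented-out entries do not count.
inittab_requires_sulogin() {
    awk -F: '/^[ \t]*#/ { next }
        $2 ~ /[Ss]/ && $4 ~ /^\/sbin\/sulogin/ { found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# Succeeds if grub.conf has a password directive in its global section,
# i.e. before the first "title" line.
grub_has_global_password() {
    awk '/^[ \t]*title[ \t]/ { exit }
        /^[ \t]*password[ \t=]/ { found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# Usage: audit_boot_controls INITTAB GRUB_CONF; returns non-zero on any gap.
audit_boot_controls() {
    rc=0
    inittab_requires_sulogin "$1" || { echo "FAIL: no active sulogin entry in $1"; rc=1; }
    grub_has_global_password "$2" || { echo "FAIL: no global GRUB password in $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 and $2"
    return "$rc"
}

# Constructed sample files: a weak pair and a hardened pair.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
printf '%s\n' 'id:3:initdefault:' '#~~:S:wait:/sbin/sulogin' > "$d/inittab.weak"
printf '%s\n' 'id:3:initdefault:' '~~:S:wait:/sbin/sulogin' > "$d/inittab.ok"
printf '%s\n' 'default=0' 'title CentOS' '  kernel /vmlinuz ro root=LABEL=/' > "$d/grub.weak"
printf '%s\n' 'default=0' 'password --md5 PLACEHOLDER_HASH' 'title CentOS' \
    '  kernel /vmlinuz ro root=LABEL=/' > "$d/grub.ok"

audit_boot_controls "$d/inittab.weak" "$d/grub.weak" || true
audit_boot_controls "$d/inittab.ok" "$d/grub.ok"
```

On a real host, call `audit_boot_controls /etc/inittab /boot/grub/grub.conf` as root, since grub.conf is normally not world-readable.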