I have learned that I can boot into single user mode (or whatever it's called) by hitting Ctrl+e in the Grub2 menu and adding single to the correct line in the boot script. This is all good - it's saved me a bunch of times when I screwed something up :P
However, I've noticed that when I do this, I get root access basically for free - I never have to enter a password or otherwise prove my identity. This feels unsafe - the keyboard command to edit the boot script is common knowledge, so anyone with access to my computer can just turn it off (forcibly, if needed, via the power button) and on again, edit the boot script and have root access to my computer.
I don't want that.
What do I need to configure in order to force a password for single user sessions?
(It's probably not relevant, but I've set my startup options so that I boot straight into the desktop, skipping the login screen. This is OK, since I still need to type a password to sudo, but I don't like the idea of giving anyone root access that easily...)
If you set a password for the root user, that password will also be required to log in in single-user mode.
There is a fairly thorough guide on adding a password to grub on UbuntuForums.
There are probably other options tailored toward the single user prompt but however you handle things there, it's not really security. Somebody could just stick a Live stick or CD in and they suddenly have root access and all your data. Or they could pull the disk (takes seconds) and plug it into another computer.
Let's be paranoid for a minute. Consider how long it would take to:
With physical access, I reckon I could access your data and disappear within two minutes. Perhaps a little longer if it's a laptop with 200 screws between me and the disk. If you're carrying valuable, sensitive data around (or leaving it on an unattended desktop), that should be a scary thought.
The best deterrent is full disk encryption via something like LUKS:
Even if somebody tries something, it's a nightmare to decode (remember that if you don't do backups - standard data-recovery techniques will not work). They won't have time to do anything on site, a disk clone takes hours for most disks and even if they just lift the disk, that gives you the opportunity to run around changing passwords, accounts, etc that may be made insecure by the data on that disk.
Full disk encryption with a key-file on a thumbdrive would do it as long as you don't leave it plugged in.
Locking grub is covered here. I don't believe in locking grub since all it takes is a live DVD/CD/Thumbdrive.
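An added example, not part of any answer above and not taken from Ubuntu or GRUB documentation: a small shell audit that reports the state of the three settings the answers mention (root password, GRUB password, LUKS). The function names and sample data are made up for illustration; `set superusers=`, `password_pbkdf2` and `crypto_LUKS` are the strings GRUB 2 and `lsblk` themselves use.

```sh
#!/bin/sh
# Added example: report the state of the three settings the answers mention.
# Each function reads its input on stdin, so it can run on copies or samples.

# Input: shadow(5) lines. Output: set | locked | empty | missing
root_password_state() {
    awk -F: '
        $1 == "root" { found = 1; hash = $2; exit }
        END {
            if (!found)              print "missing"
            else if (hash == "")     print "empty"
            else if (hash ~ /^[!*]/) print "locked"   # no usable password
            else                     print "set"
        }'
}

# Input: generated grub.cfg. Output: hashed | plaintext | none
grub_password_state() {
    awk '
        /^[ \t]*set[ \t]+superusers=/ { su = 1 }
        /^[ \t]*password_pbkdf2[ \t]/ { hashed = 1 }
        /^[ \t]*password[ \t]/        { plain = 1 }
        END {
            if (!su || !(hashed || plain)) print "none"
            else if (plain)                print "plaintext"  # readable in the config file
            else                           print "hashed"
        }'
}

# Input: output of `lsblk -rno FSTYPE`. Output: encrypted | none
luks_state() {
    if grep -qx 'crypto_LUKS'; then echo encrypted; else echo none; fi
}

# Constructed samples, not taken from a real system.
sample_shadow='daemon:*:19000:0:99999:7:::
root:!:19000:0:99999:7:::'
sample_grub='set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER'
sample_lsblk='ext4
swap'

printf 'root password: %s\n' "$(printf '%s\n' "$sample_shadow" | root_password_state)"
printf 'grub password: %s\n' "$(printf '%s\n' "$sample_grub" | grub_password_state)"
printf 'disk:          %s\n' "$(printf '%s\n' "$sample_lsblk" | luks_state)"
```

On a real system, run as root and feed the functions live data: `root_password_state < /etc/shadow`, `grub_password_state < /boot/grub/grub.cfg`, and `lsblk -rno FSTYPE | luks_state`.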