Linux Security 101: 4. Physical Security: Single User Mode

in #security · 7 years ago (edited)

For the next couple of parts, we will start examining in practice a couple of ways we can increase our machine's Physical Security. In this article we will secure the system's Single User Mode.


Previous parts:

1. Introduction
2. General Principles and Guidelines
3. Physical Security: Intro


Single user mode

One of the easiest ways for someone with physical access to take over a machine is to boot it in "single user mode". Most Linux distros by default do not require the root user's password to start in single user mode. You can use the power button to shut down and then restart the machine. The same can be achieved by temporarily cutting the power supply, or, if your server is a virtual machine (VPS), by simply having access to the host node.

It is very easy to do this, and you'll have root access, which will allow you to do ANYTHING on the target system. Just press the "Shift" key on your keyboard at the POST screen to interrupt the GRUB boot process. (By the way, GRUB is the most commonly used bootloader.)

Press the "e" key once you have selected the Ubuntu GRUB entry, and locate the line starting with "linux". Just add a lowercase "s", an uppercase "S", or the number 1 at the end of that line, just like I did to demonstrate for you in the video below.

This will make Linux start in the "single user" runlevel. Alternatively, if the target system uses systemd, you can use systemd.unit=rescue.target, or simply rescue. Then press Control+X on your keyboard and you are ready to go. In a few seconds you'll have full access to the system! This is "patched" in some more modern releases.

init-based systems:

If your distro is init-based, edit /etc/sysconfig/init, locate the line starting with SINGLE= and change it to this:

SINGLE=/sbin/sulogin


Save, exit and restart your machine.

systemd-based systems:

If you have a systemd-based system (most recent CentOS, Red Hat, Ubuntu etc. distros), you'll have to inspect two files inside /lib/systemd/system: emergency.service and rescue.service.

cd /lib/systemd/system
nano emergency.service

Locate the line starting with ExecStart= and take note of it. If you see /sbin/sushell mentioned, change it to /sbin/sulogin.

Save the file and exit. Then do the same for rescue.service.


What's the difference between "/sbin/sushell" and "/sbin/sulogin"?

sushell instructs the system to open a shell with superuser (root) privileges straight away, while sulogin does the same only after the user supplies the correct root password.


The ubuntu paradox

Ubuntu won't ask you to set a root account password. Even if you have made the above modifications, you will still get a free pass to the system. The fix is very quick and simple: in your terminal, as root, type passwd and set the password. Boot the system in single user mode as I described above, and you will be asked for a password. Newer versions of Ubuntu may use sulogin by default, so you can just start by setting your root password!
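As an added example (my own script, not part of the original post), here is a small POSIX shell audit that covers the three checks described above in one place: the SINGLE= line of an init-style /etc/sysconfig/init, the ExecStart= line of the systemd rescue.service and emergency.service units, and whether root actually has a password (the Ubuntu paradox). All function names are this example's own; the files it reads are passed in as arguments, and the unit files and shadow line used in demo() are constructed samples, not taken from a real system. It also prints a systemd drop-in file rather than editing the vendor unit in place: a drop-in under /etc/systemd/system/<unit>.d/override.conf (followed by systemctl daemon-reload) survives package updates, whereas an edited /lib/systemd/system file is overwritten on the next upgrade.

```shell
#!/bin/sh
# Added example, not code from the original post. Audit helpers for the
# single-user-mode settings discussed above. Function names are this
# example's own; the files used in demo() are constructed in a temp dir.

# Classify which program a systemd unit's ExecStart= line hands the console to.
# Prints: sulogin (asks for the root password), sushell (root shell, no
# password) or unknown (no ExecStart= line, or an unrecognised command).
classify_unit_shell() {
    exec_line=$(grep '^ExecStart=' "$1" 2>/dev/null | tail -n 1)
    case "$exec_line" in
        *sulogin*) echo sulogin ;;   # also matches systemd-sulogin-shell
        *sushell*) echo sushell ;;
        *)         echo unknown ;;
    esac
}

# Same idea for an init-style /etc/sysconfig/init: inspect the SINGLE= line.
classify_sysconfig_init() {
    single_line=$(grep '^SINGLE=' "$1" 2>/dev/null | tail -n 1)
    case "$single_line" in
        *sulogin*) echo sulogin ;;
        *sushell*) echo sushell ;;
        *)         echo unknown ;;
    esac
}

# Inspect the root entry of an /etc/shadow style file. Prints:
#   set    - a password hash is present, sulogin will prompt for it
#   locked - hash starts with "!" or "*" (root was never given a password,
#            the Ubuntu default), which is the "free pass" the post describes
#   empty  - empty hash field, no password at all
root_password_state() {
    hash=$(grep '^root:' "$1" 2>/dev/null | head -n 1 | cut -d: -f2)
    case "$hash" in
        "")        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# Print a systemd drop-in that applies the post's sushell -> sulogin change
# to a unit without editing the vendor file. Save it as
# /etc/systemd/system/<unit>.d/override.conf, then run `systemctl daemon-reload`.
# The empty "ExecStart=" line clears the vendor value before the replacement.
sulogin_override_conf() {
    exec_line=$(grep '^ExecStart=' "$1" | tail -n 1 | sed 's#/sbin/sushell#/sbin/sulogin#g')
    printf '%s\n' '[Service]' 'ExecStart=' "$exec_line"
}

# Audit a directory of unit files plus a shadow file. Prints one line per
# finding and returns the number of findings (0 = nothing to fix).
audit_single_user() {
    unit_dir="$1"; shadow_file="$2"; findings=0
    for unit in rescue.service emergency.service; do
        state=$(classify_unit_shell "$unit_dir/$unit")
        if [ "$state" != sulogin ]; then
            echo "FINDING: $unit uses '$state' (expected sulogin)"
            findings=$((findings + 1))
        fi
    done
    if [ "$(root_password_state "$shadow_file")" != set ]; then
        echo "FINDING: root has no usable password, so sulogin cannot protect single user mode"
        findings=$((findings + 1))
    fi
    return $findings
}

# Demo on constructed files: an Ubuntu-like system before the fix.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/rescue.service" <<'EOF'
[Unit]
Description=Rescue Shell (constructed sample)
[Service]
ExecStart=-/bin/sh -c "/sbin/sushell; /bin/systemctl --job-mode=fail --no-block default"
EOF
    cp "$tmp/rescue.service" "$tmp/emergency.service"
    printf 'root:!:17000:0:99999:7:::\n' > "$tmp/shadow"   # constructed locked root
    audit_single_user "$tmp" "$tmp/shadow" || echo "$? finding(s) on the sample system"
    echo "--- drop-in that would fix rescue.service ---"
    sulogin_override_conf "$tmp/rescue.service"
    rm -rf "$tmp"
}

demo
```

On a real machine you would call audit_single_user /lib/systemd/system /etc/shadow as root; reading /etc/shadow needs root, and the three FINDING lines map directly onto the three fixes the post describes (sulogin in the units, sulogin in SINGLE=, and passwd for root).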


It was very easy to edit the bootloader and boot into single user mode; we have now secured our system a little bit. In the next part, we will secure our bootloader! Article available here!

Original Image


Craving more? Until the next part is available, have a look at my Server 101 series:


Also, I am running a witness server.

Please consider voting for me, dimitrisp, as a witness if you find what I post and do helpful and of value to the network.

You can read my witness declaration here


Informative and very comprehensive stuff you share