I have a box at work that for various reasons people have rebooted and tried to single user. I was curious if there is a 'good' way to disable single user completely. Should I really need to do something I could always chroot into the system.

Its Redhat Enterprise 4.. I have set the timeout in grub to 1 second, but someone who knows what they are doing can still get in.

The next thing I thought about is setting a runlevel 1 script /etc/rc.d/rc1.d/S02reboot or something that would reboot the server early in the startup process.

I was just curious if there is a better way than this.

Thanks

never disable it, just use a password under grub.

hehe well i do kinda agree with you but there shouldnt be any reason why i need it. My root password is set to a random string and can only be gained by logging in with specific users and su'ing.

Problem is that the other people at work who would be trying to login aren't stupid and can do most of the same things I can do.. They wouldn't goto the trouble to chroot into it.

I'll check out the pw option and see what it looks like.

Darvocet
----------------
RHCE #804007070224289

I am however still interested in a good way to disable single user mode all together. I have added the grub password but wont be able to test it until tomorrow. Next steps are changing the boot order in bios to disable cd booting and setting a bios password.

Are there any additional thoughts on this?

how do you suppose to drop to a recovery shell if your filesystems became corrupted? really... don't. there is no good way, as it's not a good thign to want to do.

Well for like maintenance mode that will automatically work if the filesystem is corrupted. That will happen in runlevel 3 on the normal boot. I dont have the root password anyways so that is not helpful.

I would have to use a rescue cd, and then chroot into the system, or fsck it from the rescue disk.

maintenance mode is runlevel 1.

right right. But doesn't really matter if maintenance mode is disabled since the password is just a random 64 character string. Regardless if there is serious corruption then I would need to use a rescue image.

I'm thinking that if the corruption were bad enough to cause the system to not boot it wouldn't matter anyways. I do have the drives set to fsck, and on occasion fsck them but the data isn't necessarily important but I do take offsite backups.

It just runs down to the fact that I work at a major dedicated hosting facility. There are some people not very high up on the chain that I let use this box for various things, and it is stored in the same datacenter. The reason that this even started is that today I noticed that my 120 day uptime is now 3 days. Someone rebooted this server... I can see who logged in after so I'm sure I know who it is, and this person is now banned.

This one person isnt a linux idiot, but not a genius either. He has wanted to install java crap and other programs which I dont want on my server. He also has a tendancy to create directories and things where they shouldnt be.

I think in order for him to install some of the things he needed he single user'ed the box and installed. He of course could do the cd boot also, but I think this starts to be annoying and he would most likely give up.

My next step is to get the box moved into one of the core-cages to keep random people away from it. But I was just looking for a quick fix. The server is pretty stable has been running for over 2 years with very minimal maintenance or modifications.

I use /etc/sudoers and my personal user to gain root access. I set the password to a random string because it's not needed and to keep people out. After the reboot I changed it but still don't keep what it is anywhere.

You will never be able to prevent it as long as users have physical access. If they need access, they stick a Knoppix in, reboot and screw around in your system anyway.

If they need access, give them remote access.

[edit]oops, did nit read your last post[/edit]

Well, you probably don't want to disable it *completely*
How about forcing it to a login prompt.
Just add the following to /etc/inittab --

~:S:wait:/sbin/sulogin

usually placed above the lines for each runlevel

cheers!

Matt

Awesome Matt thank you for that post. I've set the grub password and stuff so think it's pretty good but this was exactly what I was looking for.