Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
04-09-2007, 10:28 AM
|
#1
|
Member
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66
Rep:
|
HOWTO: Disable Single User Mode...
I have a box at work that for various reasons people have rebooted and tried to single user. I was curious if there is a 'good' way to disable single user completely. Should I really need to do something I could always chroot into the system.
Its Redhat Enterprise 4.. I have set the timeout in grub to 1 second, but someone who knows what they are doing can still get in.
The next thing I thought about is setting a runlevel 1 script /etc/rc.d/rc1.d/S02reboot or something that would reboot the server early in the startup process.
I was just curious if there is a better way than this.
Thanks
|
|
|
04-09-2007, 10:48 AM
|
#2
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
never disable it, just use a password under grub.
|
|
|
04-09-2007, 10:51 AM
|
#3
|
Member
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66
Original Poster
Rep:
|
Quote:
Originally Posted by acid_kewpie
never disable it, just use a password under grub.
|
hehe well i do kinda agree with you but there shouldnt be any reason why i need it. My root password is set to a random string and can only be gained by logging in with specific users and su'ing.
Problem is that the other people at work who would be trying to login aren't stupid and can do most of the same things I can do.. They wouldn't goto the trouble to chroot into it.
I'll check out the pw option and see what it looks like.
Darvocet
----------------
RHCE #804007070224289
Last edited by Darvocet; 04-09-2007 at 10:53 AM.
|
|
|
04-09-2007, 11:29 AM
|
#4
|
Member
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66
Original Poster
Rep:
|
I am however still interested in a good way to disable single user mode all together. I have added the grub password but wont be able to test it until tomorrow. Next steps are changing the boot order in bios to disable cd booting and setting a bios password.
Are there any additional thoughts on this?
|
|
|
04-09-2007, 11:33 AM
|
#5
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
how do you suppose to drop to a recovery shell if your filesystems became corrupted? really... don't. there is no good way, as it's not a good thign to want to do.
|
|
|
04-09-2007, 11:47 AM
|
#6
|
Member
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66
Original Poster
Rep:
|
Quote:
Originally Posted by acid_kewpie
how do you suppose to drop to a recovery shell if your filesystems became corrupted? really... don't. there is no good way, as it's not a good thign to want to do.
|
Well for like maintenance mode that will automatically work if the filesystem is corrupted. That will happen in runlevel 3 on the normal boot. I dont have the root password anyways so that is not helpful.
I would have to use a rescue cd, and then chroot into the system, or fsck it from the rescue disk.
|
|
|
04-09-2007, 11:53 AM
|
#7
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
maintenance mode is runlevel 1.
|
|
|
04-09-2007, 11:58 AM
|
#8
|
Member
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66
Original Poster
Rep:
|
Quote:
Originally Posted by acid_kewpie
maintenance mode is runlevel 1.
|
right right. But doesn't really matter if maintenance mode is disabled since the password is just a random 64 character string. Regardless if there is serious corruption then I would need to use a rescue image.
I'm thinking that if the corruption were bad enough to cause the system to not boot it wouldn't matter anyways. I do have the drives set to fsck, and on occasion fsck them but the data isn't necessarily important but I do take offsite backups.
It just runs down to the fact that I work at a major dedicated hosting facility. There are some people not very high up on the chain that I let use this box for various things, and it is stored in the same datacenter. The reason that this even started is that today I noticed that my 120 day uptime is now 3 days. Someone rebooted this server... I can see who logged in after so I'm sure I know who it is, and this person is now banned.
This one person isnt a linux idiot, but not a genius either. He has wanted to install java crap and other programs which I dont want on my server. He also has a tendancy to create directories and things where they shouldnt be.
I think in order for him to install some of the things he needed he single user'ed the box and installed. He of course could do the cd boot also, but I think this starts to be annoying and he would most likely give up.
My next step is to get the box moved into one of the core-cages to keep random people away from it. But I was just looking for a quick fix. The server is pretty stable has been running for over 2 years with very minimal maintenance or modifications.
I use /etc/sudoers and my personal user to gain root access. I set the password to a random string because it's not needed and to keep people out. After the reboot I changed it but still don't keep what it is anywhere.
Last edited by Darvocet; 04-09-2007 at 12:06 PM.
|
|
|
04-09-2007, 12:39 PM
|
#9
|
Senior Member
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,797
|
You will never be able to prevent it as long as users have physical access. If they need access, they stick a Knoppix in, reboot and screw around in your system anyway.
If they need access, give them remote access.
[edit]oops, did nit read your last post[/edit]
Last edited by Wim Sturkenboom; 04-09-2007 at 12:41 PM.
|
|
|
06-20-2007, 01:56 PM
|
#10
|
LQ Newbie
Registered: Sep 2005
Location: Monroe, WI
Distribution: Slackware, Bluewhite64
Posts: 11
Rep:
|
Quote:
Originally Posted by Darvocet
I have a box at work that for various reasons people have rebooted and tried to single user. I was curious if there is a 'good' way to disable single user completely. Should I really need to do something I could always chroot into the system.
Its Redhat Enterprise 4.. I have set the timeout in grub to 1 second, but someone who knows what they are doing can still get in.
The next thing I thought about is setting a runlevel 1 script /etc/rc.d/rc1.d/S02reboot or something that would reboot the server early in the startup process.
I was just curious if there is a better way than this.
Thanks
|
Well, you probably don't want to disable it *completely*
How about forcing it to a login prompt.
Just add the following to /etc/inittab --
~:S:wait:/sbin/sulogin
usually placed above the lines for each runlevel
cheers!
Matt
|
|
|
07-19-2008, 11:06 AM
|
#11
|
Member
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66
Original Poster
Rep:
|
Quote:
Originally Posted by axial
Well, you probably don't want to disable it *completely*
How about forcing it to a login prompt.
Just add the following to /etc/inittab --
~:S:wait:/sbin/sulogin
usually placed above the lines for each runlevel
cheers!
Matt
|
Awesome Matt thank you for that post. I've set the grub password and stuff so think it's pretty good but this was exactly what I was looking for.
|
|
|
All times are GMT -5. The time now is 08:39 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|