0

I am on a Ubuntu 14.04 LTS machine with Mate desktop.

I am enrolled in a Stackskills course named "Linux security and hardening, the practical security guide".

The first security issue mentioned in the physical security section is about Single User Mode: it is said that if someone has physical access to a machine can toggle Single User Mode to login as root directly, without password.

Then it is explained that for systems like Ubuntu 16.04 and following that use systemd instead of init to control the system initialization process it is necessary to edit /lib/systemd/system/emergency.service and /lib/systemd/system/rescue.service, changing sushell in sulogin.

However Ubuntu 14.04 LTS does not use these files, because it uses Upstart instead of systemd. What files should I look at?

How can I force anyone who tries to log in with Single User Mode to enter the root password?

Ravexina
  • 54,268
  • 25
  • 157
  • 179
Asarluhi
  • 1,477
  • 3
  • 14
  • 33
  • 1
    There is no way to protect a system against a user who has physical access. You can protect data by encryption. – Pilot6 Aug 15 '17 at 14:13
  • "How can I force anyone who try to login with Single User Mode to require root password?" Best to forget about this question. You can't. Heck physical access means being allows to format the disk anyways. Use encryption if you want to protect your data; all other things you come up with are just a hindrance to you and not useful. – Rinzwind Aug 15 '17 at 14:18
  • 3
    Possible duplicate of [Is Ubuntu 14.04 using systemd?](https://askubuntu.com/questions/490946/is-ubuntu-14-04-using-systemd) – muru Aug 15 '17 at 14:52
  • Not a duplicate, as explained by my edits in the original message. The question is: what files should I edit in Ubuntu 14.04 LTS? – Asarluhi Aug 15 '17 at 14:55
  • Even if you do require root password for single user mode, someone can simply use `init=/bin/bash` or any other shell and get root shell access that way. – NerdOfLinux Aug 15 '17 at 14:58
  • @Ravexina already warned me about that. However my initial question still remain: how can I enable/disable root password for Single User Mode in Ubuntu 14.04 LTS? – Asarluhi Aug 15 '17 at 15:04

1 Answers1

3

When system is booting into "single user mode" or "1", also in systemd known as rescue.target, you are actually logging-in using "root" user to fix the system issues with the highest rights a user have.

So if you want to Ubuntu ask you for a password while booting into "single user mode", then you have to set a password for "root" user:

sudo passwd root

However, when you have physical access to a system, you can almost do whatever you want with that system, for example instead of using "single user mode", while booting I can send a parameter like: init=/bin/bash to the Kernel and reset the "root" password.

So the best option is to encrypt the system and locking down the room.

To address the question about files, you have to install a version which comes with systemd, Ubuntu 16.04 and above are the ones with support at the time.

Ravexina
  • 54,268
  • 25
  • 157
  • 179
  • The course lesson I was talking about claims that when you boot as `rescue.target` or `single user mode`, by default you are not required a password _even if you have already set one_. This behaviour can be changed by editing the files mentioned in my original message, so that you log in as root but you need to enter your password. It is said that some distributions already prevent from booting into `single user mode` without password. Of course I will also encrypt the system, but I still have to study this topic. – Asarluhi Aug 15 '17 at 14:26
  • 1
    @Asarluhi as far as I know at least in Ubuntu, when root has a password it will ask you for entering the password. if you want to work with those files you have to install Ubuntu 16.04 or higher versions which uses systemd. – Ravexina Aug 15 '17 at 14:32
  • I just checked and it is true, Ubuntu 14.04 does not use neither init or systemd, but it uses Upstart, which is not considered in my course. – Asarluhi Aug 15 '17 at 14:44
  • 1
    Yeah, I also updated the answer to address your question about the files. – Ravexina Aug 15 '17 at 14:48