How to Password Protect Single User Mode in CentOS 8?

Single User Mode in CentOS 8 is a powerful maintenance mode that allows system administrators to troubleshoot and perform critical tasks. However, it grants unrestricted root access without authentication, creating a significant security vulnerability. Anyone with physical access can gain full control of the system by booting into this mode.

This guide demonstrates how to password protect single user mode by configuring the GRUB bootloader with authentication requirements, ensuring only authorized users can access this privileged mode.

Understanding Single User Mode

Single user mode (also called rescue mode or maintenance mode) boots the system with minimal services and provides direct root shell access. This environment is essential for:

  • Recovering from boot failures

  • Resetting forgotten passwords

  • Repairing file system corruption

  • Fixing critical system configuration issues

Without protection, any user with physical access can interrupt the boot process and gain root privileges, bypassing all normal authentication mechanisms.

Configuring GRUB Password Protection

Step 1: Generate Password Hash

First, generate a secure password hash using the GRUB utility:

grub2-mkpasswd-pbkdf2

Enter your desired password when prompted. The utility will output a hash similar to:

grub.pbkdf2.sha512.10000.9AC39BA5E5A0F6AC...

Copy this entire hash for the next step.

Step 2: Configure GRUB Authentication

Edit the GRUB custom configuration file:

sudo nano /etc/grub.d/40_custom

Add these lines at the end of the file:

set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.9AC39BA5E5A0F6AC...

Replace the hash with your generated value. The superusers line defines who can access protected menu entries, while password_pbkdf2 sets the authentication credentials.

Step 3: Update GRUB Configuration

Regenerate the GRUB configuration to apply changes:

sudo grub2-mkconfig -o /boot/grub2/grub.cfg

Restricting Recovery Mode Access

To completely disable the recovery mode option in GRUB, edit the default configuration:

sudo nano /etc/default/grub

Add or modify this line:

GRUB_DISABLE_RECOVERY="true"

Update GRUB again to apply the changes:

sudo grub2-mkconfig -o /boot/grub2/grub.cfg

Testing the Configuration

Reboot your system to test the password protection:

sudo reboot

During boot, when you try to access single user mode or modify boot parameters, GRUB will prompt for authentication. Only users with the correct password can proceed.
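
The generated files can also be checked before rebooting. The script below is an added example, not part of the original guide; its function names are hypothetical and the hash values in its sample files are constructed placeholders. It fails on a missing superusers line, on a hash left truncated with "..." as in the listing above, and on a clear-text password directive.

```sh
#!/bin/sh
# Added example (not from the original guide): static audit of GRUB password settings.

# Returns 0 only if every superuser in the given grub.cfg has a complete PBKDF2
# hash and no clear-text "password" directive is present.
audit_grub_cfg() {
    _cfg=$1; _rc=0
    [ -r "$_cfg" ] || { echo "FAIL: cannot read $_cfg"; return 2; }
    # GRUB accepts space , ; & | as separators in the superusers list.
    _users=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers=//p' "$_cfg" |
             tail -n 1 | tr -d "\"'" | tr ',;&|' '    ')
    if [ -z "$(echo $_users)" ]; then
        echo "FAIL: superusers is not set, boot entries are editable by anyone"
        return 1
    fi
    for _u in $_users; do
        # Expected form: grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>
        if awk -v u="$_u" '$1 == "password_pbkdf2" && $2 == u &&
               $3 ~ /^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$/ { ok = 1 }
               END { exit !ok }' "$_cfg"; then
            echo "OK: superuser $_u has a PBKDF2 hash"
        else
            echo "FAIL: superuser $_u has no complete password_pbkdf2 line"
            _rc=1
        fi
    done
    if awk '$1 == "password" { bad = 1 } END { exit !bad }' "$_cfg"; then
        echo "FAIL: clear-text password directive found"
        _rc=1
    fi
    return $_rc
}

# Returns 0 if the given /etc/default/grub-style file disables recovery entries.
recovery_disabled() {
    grep -Eq '^[[:space:]]*GRUB_DISABLE_RECOVERY="?true"?[[:space:]]*$' "$1"
}

# Constructed sample inputs; the hash fields are placeholders, not real hashes.
write_samples() {
    printf '%s\n' 'set superusers="admin"' \
        'password_pbkdf2 admin grub.pbkdf2.sha512.10000.00AA11BB.22CC33DD' > "$1/good.cfg"
    printf '%s\n' 'set superusers="admin"' \
        'password_pbkdf2 admin grub.pbkdf2.sha512.10000.9AC39BA5E5A0F6AC...' > "$1/truncated.cfg"
    printf '%s\n' 'GRUB_TIMEOUT=5' 'GRUB_DISABLE_RECOVERY="true"' > "$1/default_grub"
}

# Real use: sh audit.sh /boot/grub2/grub.cfg /etc/default/grub
if [ $# -ge 2 ]; then audit_grub_cfg "$1" && recovery_disabled "$2"; fi
```

Run it as root against the paths used in this guide; a non-zero exit status means at least one check failed.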

Security Best Practices

Beyond protecting single user mode, implement these additional security measures:

  • Physical Security: Secure server rooms and workstations to prevent unauthorized physical access

  • Strong Passwords: Use complex passwords with mixed case, numbers, and special characters

  • Regular Updates: Apply security patches promptly using dnf update

  • SELinux: Keep SELinux enforcing mode enabled for mandatory access controls

  • Firewall Rules: Configure firewalld to restrict network access to essential services only

Troubleshooting

If you forget the GRUB password, you can recover by:

  • Booting from a CentOS 8 rescue disk

  • Mounting the system partition

  • Editing /etc/grub.d/40_custom to remove or modify the password lines

  • Regenerating the GRUB configuration

Conclusion

Password protecting single user mode in CentOS 8 significantly enhances system security by preventing unauthorized root access through physical boot manipulation. Combined with other security measures like strong authentication, regular updates, and proper firewall configuration, this creates a robust defense against both physical and network-based attacks.

Updated on: 2026-03-17T09:01:39+05:30
