grub - avoid editing and getting into single user

How can I prevent users from editing the grub command line and appending the word single to the kernel boot line and thus enabling to get users into su privileged mode? Running RH 8.0 (in this case).

I put a lock line after the title in grub.conf and also a

try 'password

No. A misfortune (of choosing RedHat). Not many people understand the decision (even though some argued for it when I asked in the other group). It's not difficult to change, but to my view leaves a bad taste of Linux especially to many Windoze converts.

Yuan Liu

Can you give the remedy here to change that behaviour?

Argh, password, not passwd. Tsk.

In Slackware and gang, the RC script for single user mode makes a call to sulogin. RedHat uses a Sun-like init, but the behaviour can still be modified with RC script. However, I did some google and someone is suggesting a fix in init.

This said, all pointers say when you lose physical security, all defense are off, even grub password (or BIOS password for that matter). But all defense is a deterrant. Doesn't hurt to have another - as long as you don't fall for false sense of security. The ultimate shock from googling? A no-brainer formula to defeat root password: init=/bin/sh passed as kernel parameter.

Turns out kernel has no love for /sbin/init. So if you expect your users to know some grub, don't even bother 'fixing' init. (No matter which distro.)

Yuan Liu

Thanks for the insights