How to prevent single user mode from GRUB in debian? #322

Open
CorneelVanMoll opened this issue Jun 14, 2024 · 5 comments

@CorneelVanMoll

We are students trying to create a custom live boot with Cubic. The application has been fantastic so far; however, we have come across an issue that seems more complex to fix.

We need to prevent users of the live system from accessing the single user mode, as they should not be allowed to have root access.

What we tried:

  • editing the /boot/grub/grub.cfg file in the options page boot tab; here we tried adding set timeout=0 and other potential fixes from the internet
  • we also tried implementing the solution in How to install a custom grub theme? #199 with a preseed file
  • tried editing /etc/default/grub and running update-grub; however, these both don't exist, and as far as we know /etc/default/grub gets overwritten

Expected behavior

Users of the live system are not able to have root access without the root password.

OS Information (please complete the following information):

  • OS/Distro Name: Debian-Gnome
  • OS Version: Debian 12.5

Cubic Information (please complete the following information):

Thanks in advance!

CorneelVanMoll added the "question" label Jun 14, 2024
@PJ-Singh-001
Owner

PJ-Singh-001 commented Jun 14, 2024

Do you want your end user to only interact with the Live Environment, or do you want to allow them to also be able to install the OS to the computer?

This is the Grub menu from the Live Environment. Is this what you want to control (or are you trying to control the Grub menu after the OS is installed)?

[Screenshot from 2024-06-14 15-07-12]

Also, do you want to prevent the user from selecting certain options from the above menu, or do you want to prevent them from editing the options by pressing the e key?

PJ-Singh-001 self-assigned this Jun 14, 2024
@Wout-Motmans

> Do you want your end user to only interact with the Live Environment, or do you want to allow them to also be able to install the OS to the computer?
>
> Do you want to prevent the user from selecting the "Rescue mode" option in Grub from the Live Environment, or do you want to prevent them from editing the grub options (by pressing e on the Grub menu)?

Hi, another student here working on the same project. First of all, thanks for your quick response!

We are trying to create a live environment for end users to use straight from a USB-stick, so no installs are being done.
To prevent single-user mode, grub entries should indeed not be editable by pressing e or tab in the menu.

Skipping the grub-menu altogether and booting straight into the Live System would also be great. Both problems have to be fixed through grub configuration we believe.

Just so you have a concrete idea of what we are trying to do, these are the steps that we followed to successfully disable single-user boot and skip the boot menu (in a normal, non-live debian install):

# Ask, hash and set a root password
# (the variable is named passwd throughout; the original read into "passw")
read -s -p "Enter password: " passwd
# grub-mkpasswd-pbkdf2 asks for the password twice, so feed it two lines
HASHPW=$(printf '%s\n%s\n' "$passwd" "$passwd" | LC_ALL=C /usr/bin/grub-mkpasswd-pbkdf2 | awk '/hash of / {print $NF}')
echo "set superusers=root" | tee -a /etc/grub.d/40_custom
echo "password_pbkdf2 root $HASHPW" | tee -a /etc/grub.d/40_custom
# --unrestricted lets the generated entries boot without the password; editing still requires it
sed -i '/^CLASS=/ s/"$/ --unrestricted"/' /etc/grub.d/10_linux

# Set the grub-menu timeout to 0 and disable it:
# We set GRUB_TIMEOUT=0 and add the line GRUB_DISABLE_SUBMENU=y to /etc/default/grub
sed -i '/GRUB_TIMEOUT/c\GRUB_TIMEOUT\=0' /etc/default/grub
sed -i '/GRUB_DEFAULT/iGRUB_DISABLE_SUBMENU\=y' /etc/default/grub

Thank you so much!
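
An added example, not part of the comment above or of Cubic: a live image has no update-grub step, so the superusers, password_pbkdf2 and --unrestricted settings from those commands would have to appear in the image's grub.cfg itself, and this script checks a grub.cfg for them. The function names, sample files, kernel paths and placeholder hash are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a grub.cfg for the menu lock-down discussed in this thread.
# Prints one line per finding; returns the number of findings (0 = locked down).
audit_grub_cfg() {
    local cfg=$1 n=0 su locked
    # Once superusers is set, 'e' (edit) and 'c' (console) need that user's password.
    su=$(sed -nE 's/^[[:space:]]*set[[:space:]]+superusers="?([^" ]+)"?.*/\1/p' "$cfg" | head -n1)
    if [ -z "$su" ]; then
        echo "FAIL: superusers is not set, menu entries are editable"; n=$((n+1))
    else
        grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$su[[:space:]]+grub\.pbkdf2\." "$cfg" ||
            { echo "FAIL: no password_pbkdf2 hash for superuser '$su'"; n=$((n+1)); }
        # With superusers set, entries without --unrestricted prompt before booting.
        locked=$(grep -E '^[[:space:]]*menuentry[[:space:]]' "$cfg" | grep -vc -- '--unrestricted' || true)
        [ "$locked" -eq 0 ] ||
            { echo "WARN: $locked menuentry line(s) lack --unrestricted"; n=$((n+1)); }
    fi
    # timeout=0 boots the default entry at once; a convenience, not an access control.
    grep -Eq '^[[:space:]]*set[[:space:]]+timeout=0([[:space:]]|$)' "$cfg" ||
        { echo "WARN: timeout is not 0, the menu is displayed"; n=$((n+1)); }
    return "$n"
}

# Constructed samples: a plain live entry and the same entry locked down.
# The hash is a placeholder; a real one comes from grub-mkpasswd-pbkdf2.
make_samples() {
    cat > "$1/weak.cfg" <<'EOF'
set timeout=30
menuentry "Live system" {
    linux /live/vmlinuz boot=live quiet
    initrd /live/initrd.img
}
EOF
    cat > "$1/hardened.cfg" <<'EOF'
set timeout=0
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry "Live system" --unrestricted {
    linux /live/vmlinuz boot=live quiet
    initrd /live/initrd.img
}
EOF
}

tmp=$(mktemp -d); make_samples "$tmp"
for f in weak hardened; do
    echo "== $f.cfg"; audit_grub_cfg "$tmp/$f.cfg" && echo "OK: locked down"
done
rm -rf "$tmp"
```

The check covers grub.cfg only; the other boot files listed on Cubic's Boot tab, which the thread says are used on different hardware, are outside what it inspects.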

@PJ-Singh-001
Owner

PJ-Singh-001 commented Jun 14, 2024

First, you must understand there are two Grub menus you have to deal with.

  1. The Grub menu the user sees when they log into an installed system.

    • Everything related to an installed system must be configured on the Terminal page in Cubic.
    • The commands you shared above would affect an installed system. However, once a system is installed, changes to Grub are overwritten by the installer. (There are techniques to overcome this issue, but based on your description, you are not interested in an installed system; you want to control the Live system only).
  2. The Grub menu for the Live system is managed on the Boot tab of the Options page in Cubic.

    • You will need to remove the "Rescue mode" (and other non-essential menu items) from all of the boot files listed on this tab. (There are different files here, because they are used in different circumstances, depending on the hardware that the USB is booted onto).
    • You will also need to rename "Install" to something else, like "Try Our OS".
    • You should also remove the Debian installer (using apt remove on the Terminal page, since you do not want the user to ever install your customized OS).
    • However this does not prevent the user from pressing e or Tab, editing the Grub entry, and entering single user (Rescue) mode. I'll look into what can be done to prevent this. When is your project due?


@Wout-Motmans

Hi

We have already been able to remove all menu entries except Live Mode successfully. Setting the Grub-Menu timeout to 0 or setting a password for editing grub-menu entries proved harder.

Our project is due in 4 days. However it is no big problem if we cannot figure it out so please do not feel pressed. Our research on the topic is more important than the final product we present.

Have a nice day!

@PJ-Singh-001
Owner

PJ-Singh-001 commented Jun 16, 2024

Not sure this will work, but you might try simply removing the rescue.service file.

/usr/lib/systemd/system/rescue.service

Theoretically, if a person does edit the boot menu and enables rescue mode, it won't work.

(Of course, someone could reinstall this in the live environment, so if it does work, it may not be 100% foolproof).
