# No password when passing single as kernel option in grub

## infirit

When adding "single" to the kernel options I'm getting a single user, I think root, sh shell? No root password was asked. I could browse all my mount points in fstab that were automounted.

Is this a bug? Or am I missing something?

Thanks

Sander

[edit]I'm not having problems with grub, but I get to the point where rc starts.[/edit]

----------

## moocha

No, this is a feature, not a bug. Works as designed. As the grub documentation points out, you should use the password command in grub.conf (always use the MD5 hashes - password --md5). Grub will normally only ask for a password when you want to pass additional command line parameters to the kernel.

----------

## infirit

Sorry, I was not clear enough in my first post :Embarassed:

I'm not having problems with grub, I do not want a grub password. I give the following option to the kernel: kernel (hd1,0)/vmlinuz-2.6.5-spa1 root=/dev/hda5 gentoo=nodevfs vga=791 ide=reverse single

When the kernel part of the boot is finished I get a shell, where I would first expect to give my root password and then be given the shell.

----------

## moocha

Yes, that's perfectly clear. And it's also perfectly reasonable that you wouldn't get prompted for the root password.

Some distributions use the sulogin command to prompt you for the root password in this case instead of just running the shell. But without a password protected bootloader that's not secure at all. All it does is annoy you with a password prompt. If someone is able to get physical access to the console (and they need it, otherwise they couldn't use single user mode) they can always use the init kernel parameter, which tells the kernel where to find the init program (put init=/bin/bash instead of single on the kernel command line to demonstrate that). So you'd get a root shell again (just that no init script is run, since "init" (the process with PID 1) is now /bin/bash instead of /sbin/init, and /bin/bash doesn't know anything about /etc/inittab, which is where the init scripts are launched). Only that you can't prevent anyone from getting this type of root shell (except by modifying the kernel source and recompiling the kernel). This is the way init works.

To summarize: Yes, single will get you a passwordless root shell on the local machine. No, there's absolutely no point in insisting on having a password-protected login in this scenario, because all it does is lull you into a false sense of security. Yes, you want a grub password. Again, you will almost never be prompted for the grub password. Grub only asks for it when you want to modify the kernel command line, or access the grub console. For normal boots you won't get prompted for it.

----------
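
As an added example (not part of any post in this thread, and not GRUB's own tooling): a shell check for the point made above that the bootloader password, not a login prompt, is what gates `single` and `init=`. It assumes GRUB legacy `grub.conf` syntax with the `password --md5` directive mentioned in the thread; the function names, sample configs and placeholder hash are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a GRUB legacy config
# protects kernel command line editing with a hashed global password.

# Prints: md5 | plaintext | missing
audit_grub_conf() {
    awk '
        { sub(/=/, " ") }        # tolerate "key=value" style directives
        $1 == "title" { exit }   # the global section ends at the first boot entry
        $1 == "password" {       # first global password directive decides
            result = ($2 == "--md5") ? "md5" : "plaintext"
            exit
        }
        END { print (result == "" ? "missing" : result) }
    ' "$1"
}

# Constructed sample configs; the hash is a placeholder, not a real hash.
write_samples() {
    dir=$1
    cat > "$dir/open.conf" <<'EOF'
default 0
timeout 10
title Gentoo
root (hd1,0)
kernel (hd1,0)/vmlinuz-2.6.5-spa1 root=/dev/hda5
EOF
    cat > "$dir/hashed.conf" <<'EOF'
default 0
timeout 10
password --md5 $1$PLACEHOLDER$PLACEHOLDERHASHVALUE000
title Gentoo
root (hd1,0)
kernel (hd1,0)/vmlinuz-2.6.5-spa1 root=/dev/hda5
EOF
    sed 's/--md5 .*/plaintextsecret/' "$dir/hashed.conf" > "$dir/plain.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in open hashed plain; do
    printf '%s.conf: %s\n' "$f" "$(audit_grub_conf "$tmp/$f.conf")"
done
rm -rf "$tmp"
```

A result of `missing` or `plaintext` means the config needs a `password --md5` line in the global section, above the first `title` entry.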

## infirit

Thanks for the explanation   :Very Happy: 

----------

## moocha

Most welcome  :Smile: 

----------

