jojopi
Posts: 3079
Joined: Tue Oct 11, 2011 8:38 pm

Re: single-user mode on pi + debian wheezy?

Tue May 05, 2015 10:29 pm

electronicsguy wrote:Let me put it this way - what specific purpose is being served by having the capability to modify kernel parameters already baked in, in the Raspbian distro, for its users?
There is no general ability to modify kernel parameters. To edit /boot/cmdline.txt you must either already have root access, or the ability to physically swap the card. It only takes effect on the next boot too, so you already have the greatest possible denial of service capability.

Since this thread will not die, may I at least point out that init=shell is not what is properly called single-user mode. Single-user mode is when you add "single" to cmdline, or otherwise boot or transition into runlevel 1 or S. You have almost no background daemons started, and only root may login, on console. If a root password is set, it is normally required to be entered.

init=/bin/bash might be better called "single-process mode". The init system, and runlevels, and init scripts are skipped completely, and a root shell is launched instead. Even important pseudo-filesystems like /dev and /proc and /sys are not mounted, so many normal commands will fail. Job control is not available.

electronicsguy
Posts: 156
Joined: Wed Jan 21, 2015 11:20 pm
Contact: Website

Re: single-user mode on pi + debian wheezy?

Tue May 05, 2015 10:44 pm

jojopi wrote:
electronicsguy wrote:Let me put it this way - what specific purpose is being served by having the capability to modify kernel parameters already baked in, in the Raspbian distro, for its users?
There is no general ability to modify kernel parameters. To edit /boot/cmdline.txt you must either already have root access, or the ability to physically swap the card. It only takes effect on the next boot too, so you already have the greatest possible denial of service capability.
I don't think this is true with NOOBS. I am able to log into recovery mode in NOOBS, edit the cmdline parameters, enter single user/process mode and change the root password without knowing it.

So if I'm a user who doesn't care about fixing the system if it cannot even boot, and I don't want someone who has physical access to it to stealthily view some data (without taking out the SD card) or change root password (just mischief), what can be done? The link I posted previously talks about securing the grub bootloader, but I guess that doesn't apply to the Pi?
blog: https://electronicsguy.wordpress.com
github: https://github.com/electronicsguy

jojopi
Posts: 3079
Joined: Tue Oct 11, 2011 8:38 pm

Re: single-user mode on pi + debian wheezy?

Tue May 05, 2015 11:33 pm

electronicsguy wrote:I don't think this is true with NOOBS. I am able to log into recovery mode in NOOBS, edit the cmdline parameters, enter single user/process mode and change the root password without knowing it.
But still you needed physical access to the console, and the ability to force a reboot. If you had physical access you could just swap the SD card instead.

If you keep the Pi in a locked box, but present the keyboard to the public, then you are in a very special situation where you may need to change from the default configuration.

PC bootloaders often allow interactive editing of the kernel command line. Again, this requires physical access at the time of boot. Most bootloaders can be password protected. The Pi's bootloader is not interactive at all, so if anything it is more secure than that on a PC.

rpdom
Posts: 15019
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: single-user mode on pi + debian wheezy?

Wed May 06, 2015 8:08 am

electronicsguy wrote:Let me put it this way - what specific purpose is being served by having the capability to modify kernel parameters already baked in, in the Raspbian distro, for its users?
Not being able to modify kernel parameters would make the Pi unusable for a lot of people without major headaches.

The main example is using a root filesystem that is not on the SD card. A large number of people have their rootfs on USB connected disks/SSDs/USB sticks. Without the option to change parameters in cmdline.txt this wouldn't be such a simple operation.

Other things include disabling or changing the speed of the serial console, as well as various debugging options that have been used over the past few years.

No, I can't see any point in disabling the cmdline.txt unless you want to build your own "locked down" system for some reason.

Debian is marketed as being the "Universal Operating System". That is because it is flexible and not locked down too far (although you can lock it down if you wish). Raspbian isn't so heavily customised that it has diverged too far from that principle. (I'll ignore the basic security things of the default install for now - people should be aware of those.)

pluggy
Posts: 3635
Joined: Thu May 31, 2012 3:52 pm
Location: Barnoldswick, Lancashire,UK
Contact: Website

Re: single-user mode on pi + debian wheezy?

Wed May 06, 2015 11:09 am

DougieLawson wrote:Lock the RPi in a cage, fix the SDCard in the RPi with a hot glue gun.
Hot glue be damned, epoxy the thing. :)
Don't judge Linux by the Pi.......
I must not tread on too many sacred cows......

electronicsguy
Posts: 156
Joined: Wed Jan 21, 2015 11:20 pm
Contact: Website

Re: single-user mode on pi + debian wheezy?

Wed May 06, 2015 10:04 pm

rpdom wrote:
electronicsguy wrote:Let me put it this way - what specific purpose is being served by having the capability to modify kernel parameters already baked in, in the Raspbian distro, for its users?
Not being able to modify kernel parameters would make the Pi unusable for a lot of people without major headaches.

The main example is using a root filesystem that is not on the SD card. A large number of people have their rootfs on USB connected disks/SSDs/USB sticks. Without the option to change parameters in cmdline.txt this wouldn't be such a simple operation.

Other things include disabling or changing the speed of the serial console, as well as various debugging options that have been used over the past few years.

No, I can't see any point in disabling the cmdline.txt unless you want to build your own "locked down" system for some reason.

Debian is marketed as being the "Universal Operating System". That is because it is flexible and not locked down too far (although you can lock it down if you wish). Raspbian isn't so heavily customised that it has diverged too far from that principle. (I'll ignore the basic security things of the default install for now - people should be aware of those.)
I don't see how this is relevant to not allowing direct "root" access without password. Everything you mentioned above is useful. I myself store the root FS on a USB drive. However, modifying kernel parameters to change the 'root' location, or other things you mentioned (serial console) can be done without root access. What I was saying is, why not lock down the ability to enter the root account directly, without a password, the way it is done by specifying "init=/bin/sh".

It is similar to Windows safe mode, the difference being that Windows still asks you for the administrator password. Windows allows you to create an admin password override disk/USB drive for emergency situations. On the Mac, if firmware protection is enabled, single-user mode is disabled. Desktop Linux enforces a certain level of security by password-protecting GRUB before changes can be made, and password-protecting the BIOS so the default boot order cannot be changed.

None of these protections exist in the Raspberry Pi world. I could get hold of your Pi, not remove any hardware, and change the root password stealthily, just to create mischief. Yes, this assumes that the Pi "box" is locked down, but has keyboard and screen access. The lack of a password to go into 'root' just makes it easier in this specific case. The constraints of not modifying the kernel do not exist in the non-business Raspbian world. Someone who wants unlimited access to the root account through single-user mode could always enable that beforehand/re-compile the kernel. But for those users who don't want to allow that, and who are OK with the fact that if their system stops booting, they cannot fix it on the Pi itself, why not have a way to guarantee that?
blog: https://electronicsguy.wordpress.com
github: https://github.com/electronicsguy

Captain Dusty
Posts: 1
Joined: Fri Jun 12, 2015 2:28 am
Location: Australia
Contact: Website

Re: single-user mode on pi + debian wheezy?

Fri Jun 12, 2015 2:35 am

I think, as the others have stated, there's no benefit to really hardening these software-layer solutions if physical access has been compromised. Without an encrypted medium, once someone has access to your physical device, the only resource they need is time.

A cosmetic grub boot password is cute, but means nothing if you are not using an encrypted medium, and I just pull out your storage medium.

So where do you draw the line?

electronicsguy
Posts: 156
Joined: Wed Jan 21, 2015 11:20 pm
Contact: Website

Re: single-user mode on pi + debian wheezy?

Sun Jun 14, 2015 1:36 am

Captain Dusty wrote:I think, as the others have stated, there's no benefit to really hardening these software-layer solutions if physical access has been compromised. Without an encrypted medium, once someone has access to your physical device, the only resource they need is time.

A cosmetic grub boot password is cute, but means nothing if you are not using an encrypted medium, and I just pull out your storage medium.

So where do you draw the line?
Hello,
People are obsessing over the physical access part of it, and the associated data breach. But I am trying to highlight a different aspect altogether, and that has to do with playing mischief. What if someone is not interested in your data, but wants to play mischief with your RPi setup? Now imagine that the RPi itself is enclosed in a box, so the SD card or a USB drive cannot be removed. But it is connected to a keyboard, mouse and a screen (think of a scenario like some exhibition, school kiosk, tech fair, etc.). Now since you are able to have this level of access, you could easily enter single-user mode and play around with the files there, lock everyone out, stealthily.

I don't see any reason why this cannot be dealt with. Those who don't want protection against this, fine, you don't have to do anything. But if someone wants this level of protection in the scenario described above, can you tell me what the current way to achieve it is? There is none. This level of protection, however, is present when, say, you lend someone your laptop and GRUB is password protected.

I agree the initial discussion went in the direction of generic Linux single-user mode, servers in locked rooms, business policies, etc. But those are not applicable at all to this kind of scenario. But if you say that no amount of software protection protects against physical access, why have passwords on laptops/phones (if no disk encryption is used)? It is precisely to guard against the casual mischief maker.
blog: https://electronicsguy.wordpress.com
github: https://github.com/electronicsguy

rpdom
Posts: 15019
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: single-user mode on pi + debian wheezy?

Sun Jun 14, 2015 6:08 am

electronicsguy wrote:Hello,
People are obsessing over the physical access part of it, and the associated data breach. But I am trying to highlight a different aspect altogether, and that has to do with playing mischief. What if someone is not interested in your data, but wants to play mischief with your RPi setup? Now imagine that the RPi itself is enclosed in a box, so the SD card or a USB drive cannot be removed. But it is connected to a keyboard, mouse and a screen (think of a scenario like some exhibition, school kiosk, tech fair, etc.). Now since you are able to have this level of access, you could easily enter single-user mode and play around with the files there, lock everyone out, stealthily.
I would count a directly connected keyboard as physical access.

However, all you need to do to prevent that is to not have the /boot filesystem(s) mounted (and not mountable by user). Then it is impossible for them to do the required updates to get into single-user mode.

Of course, if you are allowing them access to the "pi" account and sudo access is allowed then all bets are off.

But anyone who uses a Pi at something like an exhibition or other similar situation where random people will be bashing away at it will know to re-image the card before using it again. It's standard practice to assume something nasty could have happened to it.
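An added example, not from the thread, of checking the two things discussed above: whether /boot/cmdline.txt carries an init= override (the "single-process mode" jojopi describes) and whether fstab auto-mounts /boot or lets ordinary users mount it, which rpdom's mitigation says it must not. It runs on constructed sample files under a temp directory rather than the live /boot and /etc/fstab; those sample file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Checks (a) whether cmdline.txt carries an init=
# override (jojopi's "single-process mode") and (b) whether fstab auto-mounts /boot or
# lets users mount it, which rpdom's mitigation says it should not. Inputs are
# constructed samples written to a temp dir, so the script runs offline.
TMP=$(mktemp -d)
# Constructed cmdline.txt with an init= override appended.
printf '%s\n' 'console=tty1 root=/dev/mmcblk0p2 rootwait init=/bin/bash' > "$TMP/cmdline.txt"
# Constructed fstab in the default layout: /boot mounts on every boot.
cat > "$TMP/fstab.default" <<'EOF'
/dev/mmcblk0p1  /boot  vfat  defaults          0  2
/dev/mmcblk0p2  /      ext4  defaults,noatime  0  1
EOF
# Constructed hardened fstab: /boot is mounted only when root asks for it explicitly.
cat > "$TMP/fstab.hardened" <<'EOF'
/dev/mmcblk0p1  /boot  vfat  defaults,noauto   0  2
/dev/mmcblk0p2  /      ext4  defaults,noatime  0  1
EOF
# Print the init= parameter from a cmdline.txt; exit 0 if present, 1 if absent.
cmdline_init_override() {
    tr ' ' '\n' < "$1" | grep '^init='
}

# Exit 0 if /boot in the given fstab is auto-mounted or user-mountable; exit 1 if it is
# absent, or listed with noauto and without user/users (a plain login cannot mount it).
boot_is_exposed() {
    opts=$(awk '$1 !~ /^#/ && $2 == "/boot" { print $4 }' "$1")
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,user,*|*,users,*) return 0 ;;   # any user may mount it
        *,noauto,*)         return 1 ;;
        *)                  return 0 ;;   # mounted automatically at boot
    esac
}

# Run both checks; the return value is the number of findings (0 = nothing to report).
audit() {
    findings=0
    if override=$(cmdline_init_override "$1"); then
        echo "cmdline.txt overrides init: $override"; findings=$((findings + 1))
    fi
    if boot_is_exposed "$2"; then
        echo "/boot is auto-mounted or user-mountable via fstab"; findings=$((findings + 1))
    fi
    return "$findings"
}

for f in default hardened; do
    n=0; audit "$TMP/cmdline.txt" "$TMP/fstab.$f" || n=$?; echo "fstab.$f: $n finding(s)"
done
```

Point the functions at the real /boot/cmdline.txt and /etc/fstab to audit a running Pi. As jojopi and rpdom note, the fstab check only helps when the logged-in account has no sudo, and it does not cover the NOOBS recovery route, which needs an install without NOOBS.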

jojopi
Posts: 3079
Joined: Tue Oct 11, 2011 8:38 pm

Re: single-user mode on pi + debian wheezy?

Sun Jun 14, 2015 10:29 am

electronicsguy wrote:Now imagine that the RPi itself is enclosed in a box, so the SD card or a USB drive cannot be removed. But it is connected to a keyboard, mouse and a screen (think of a scenario like some exhibition, school kiosk, tech fair, etc.).
Then you have to worry about people typing the address of some shock site into the browser, or quitting the intended exhibition program and running something else, or even just rebooting via Ctrl+Alt+Bksp/Del. If you give them any kind of shell access they can probably break it so the application does not come up right in future. This is a very difficult scenario to secure.

One thing you do not have to worry too much about is people changing boot parameters or breaking the operating system itself. Just do not give root access, and they will find that very difficult.

In case you missed it earlier in the thread, the ability to change boot parameters or reinstall simply by pressing Shift at boot is specific to NOOBS. You would probably want to install without NOOBS for one of these high-mischief environments.

I still do not understand why you are so concerned about "init=/bin/sh". Anybody who can write to /boot/cmdline.txt can also write to /boot/kernel.img, so they can boot their own system to bypass every restriction you might have tried to implement.

Doncemano
Posts: 1
Joined: Fri Dec 25, 2015 7:01 pm

Re: single-user mode on pi + debian wheezy?

Fri Dec 25, 2015 7:09 pm

If you're using NOOBS and Raspbian, then it's Easy! :D

1. Go to "[Drive]:\os\Raspbian\os.json".
2. Open it as a Text file.
3. Edit the: "username": "pi", "password": "raspberry" to something else...

Like: "username": "Doncemano", "password": "pass"

I think that's it ;) :) :P :D

JamesPi123
Posts: 110
Joined: Fri Sep 23, 2016 10:02 pm
Location: Inside my Pi
Contact: Website

Re: single-user mode on pi + debian wheezy?

Sat Nov 05, 2016 6:01 am

Would

init=/bin/bash

work?

magoheat
Posts: 1
Joined: Sun Oct 21, 2018 6:59 pm

Re: single-user mode on pi + debian wheezy?

Sun Oct 21, 2018 7:02 pm

If the remount fails and complains about PARTUUID, maybe your fstab is wrong, so use this:

mount -o remount,rw /dev/mmcblk0p2 /

It worked for me using a Pi Zero W (armv6).
