GRUB Password Security

Posted by gmendoza on June 17, 2007 under Tech Tips

NOTE (01-11-2009): This article refers to GRUB Legacy. GRUB 2 is a complete rewrite and its configuration is completely different from what is described below. This page will eventually be updated to include both Legacy and version 2 instructions.

If your system is using a default installation of GRUB as its boot loader, chances are it has not been set up with a password.

When at the GRUB menu, anyone can edit the kernel selection by highlighting the menu item and pressing the “e” key. By editing the “kernel” entry, they can pass any number of boot variables and options. For instance, the options “init 1” or “single” boot the operating system into “single user” mode (run level 1), which drops you into a root prompt with no authentication necessary.

For example, the kernel option would look like the following:

kernel /boot/vmlinuz-2.6.15-27-686 root=/dev/hda1 ro quiet init 1

or

kernel /boot/vmlinuz-2.6.15-27-686 root=/dev/hda1 ro quiet single

Ubuntu actually installs a “recovery” GRUB menu item already configured for you. How nice of them!

Of course, anyone with prolonged physical access to your server can do a lot more damage. Configuring a GRUB password can be likened to installing and locking your “screen door”. It can slow down or even discourage a potential intruder.

Instructions:

Step 1: Generate an MD5 hashed password using the “grub-md5-crypt” command line utility. Enter the command, and it will prompt you twice for any password of your choice.

grub-md5-crypt
Password: (enter password)
Retype password: (reenter password)
$1$aBQge1$oljHKOKAPuiOkvUTTzPc80

Step 2: Copy the resulting hash into /boot/grub/menu.lst using the following syntax:

password --md5 $1$aBQge1$oljHKOKAPuiOkvUTTzPc80

Step 3: Lock alternative boot options by changing the “lockalternative” value to “true”. This option makes it mandatory for the administrative password to be entered prior to using the alternative menu item (recovery mode).

# lockalternative=true

Step 4: Lock old kernel menu items, as they may present their own security issues.

# lockold=true

Step 5: Save the changes by running update-grub, and then reboot to test.

sudo update-grub

You should notice that GRUB now instructs you to press “p” to enter a password before you can edit the kernel options, boot into single user mode, or boot older kernels.
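As an added example (not part of the original post), the following POSIX shell audit checks a GRUB Legacy menu.lst for the three settings configured above: a global password directive carrying an MD5 hash, lockalternative=true and lockold=true. The sample menu.lst it inspects is constructed here and reuses the hash shown in Step 1; nothing under /boot is read or written.

```shell
# Constructed sample shaped like an Ubuntu GRUB Legacy menu.lst (hash from the post); $2 sets lockold.
make_sample_menu_lst() {
  cat > "$1" <<'EOF'
default 0
timeout 3
password --md5 $1$aBQge1$oljHKOKAPuiOkvUTTzPc80
## should update-grub lock alternative automagic boot options
# lockalternative=true
title Ubuntu, kernel 2.6.15-27-686
root (hd0,0)
kernel /boot/vmlinuz-2.6.15-27-686 root=/dev/hda1 ro quiet
EOF
  printf '# lockold=%s\n' "$2" >> "$1"
}

# Classify the global password directive: md5 (as produced by grub-md5-crypt),
# plaintext (GRUB Legacy also accepts "password secret", which is weaker), or none.
check_password() {
  if grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$' "$1"; then
    echo md5
  elif grep -Eq '^[[:space:]]*password[[:space:]]' "$1"; then
    echo plaintext
  else
    echo none
  fi
}

# Value of an update-grub directive such as "# lockalternative=true". These lines
# are deliberately comments: update-grub reads them, GRUB itself ignores them.
directive_value() {
  grep -E "^#[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//'
}

# Report the three settings from the post; exit status 0 only if all are hardened.
audit_menu_lst() {
  f=$1; status=0
  case "$(check_password "$f")" in
    md5)       echo "password: md5 hash set" ;;
    plaintext) echo "password: set in plain text, use grub-md5-crypt"; status=1 ;;
    *)         echo "password: MISSING"; status=1 ;;
  esac
  for d in lockalternative lockold; do
    v=$(directive_value "$f" "$d")
    if [ "$v" = true ]; then echo "$d: true"; else echo "$d: ${v:-unset} (should be true)"; status=1; fi
  done
  return $status
}
# Demo on the constructed sample only; the real /boot/grub/menu.lst is not touched.
demo=$(mktemp) && make_sample_menu_lst "$demo" false && audit_menu_lst "$demo"; rm -f "$demo"
```

To audit a live system, run audit_menu_lst against /boot/grub/menu.lst as root and treat a non-zero exit as a finding.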
