Securing GRUB
Why?
In most cases the standard GRUB installation is not secure: anyone who has physical access to the computer can change the boot settings. For example, they can boot into single-user mode without being asked for a password, which leaves your system vulnerable to attack.
Using GRUB's security features you can secure the boot menu and, if desired, every entry. The advantage over LILO's plain-text password is that GRUB stores the password as an MD5 hash, which cannot be recovered simply by reading the GRUB configuration file.
How?
To generate the MD5 password enter the GRUB shell (grub):
grub> md5crypt
Password: **********
Encrypted: $1$wgf8G0$Tt7XAsoiEAOU4PALAzkaL0
Copy the encrypted password and exit the GRUB shell (quit). Then edit the GRUB configuration (/boot/grub/menu.lst) and insert the following line before the title sections:
password --md5 PASSWORD
Replace PASSWORD with the MD5 password created above. GRUB will then ask for your password before allowing anyone to edit the boot commands.
If you want to protect a boot menu entry from being booted, insert the line lock right after title. Commands in an entry that come before lock can still be executed, so it is important where lock is inserted!
Example
default 0
fallback 1
timeout 10
password --md5 $1$wgf8G0$Tt7XAsoiEAOU4PALAzkaL0

title Linux-2.4.25
root (hd0,4)
kernel /bzImage-2.4.25-super root=/dev/hda6 ro

title Linux-2.4.22-supermount-acpi
lock
root (hd0,4)
kernel /bzImage-2.4.22-super-acpi root=/dev/hda6 ro
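An added example, not part of the original page: a small Python check that a menu.lst has a password line before the first title, that the line uses --md5, and that lock comes directly after title in each locked entry. The function name audit_menu_lst and the third "Rescue" entry in the sample are constructed for illustration.

```python
# Added example: audit a GRUB legacy menu.lst for the settings described above.
# SAMPLE is the page's example plus one constructed entry with a misplaced lock.
SAMPLE = """\
timeout 10
password --md5 $1$wgf8G0$Tt7XAsoiEAOU4PALAzkaL0
title Linux-2.4.25
root (hd0,4)
kernel /bzImage-2.4.25-super root=/dev/hda6 ro
title Linux-2.4.22-supermount-acpi
lock
root (hd0,4)
kernel /bzImage-2.4.22-super-acpi root=/dev/hda6 ro
title Rescue (constructed)
root (hd0,4)
lock
kernel /bzImage-2.4.25-super root=/dev/hda6 ro single
"""

def audit_menu_lst(text):
    """Return (findings, entries); entries maps title -> lock status."""
    findings, entries = [], {}
    global_pw = None   # kind of password line seen before the first title
    title, cmds = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word, _, rest = line.replace("\t", " ").partition(" ")
        if word == "title":
            title, cmds = rest.strip(), 0
            entries[title] = "unlocked"
        elif title is None:
            if word == "password":
                global_pw = "md5" if rest.split()[:1] == ["--md5"] else "plain"
        elif word == "lock":
            # Commands placed before lock still run without the password.
            entries[title] = "locked" if cmds == 0 else "lock-late"
            if cmds:
                findings.append(f"{title}: {cmds} command(s) before lock")
        else:
            cmds += 1
    if global_pw is None:
        findings.append("no password line before the first title")
    elif global_pw == "plain":
        findings.append("password is stored without --md5")
    return findings, entries

if __name__ == "__main__":
    print(audit_menu_lst(SAMPLE))
```

Entries reported as unlocked are not findings, since locking individual entries is optional; only a missing or non-MD5 password line and a lock placed after other commands are flagged.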
See also
- Security
- The security section (www.gnu.org) in the GRUB online manual