This weekend, my company threw their annual trip to the mountains which included a team building scavenger hunt through the small town community, a boat trip to the lake, and some after hour pranks. One such prank involved a picture being taken of my friend in an unfortunate position while he was sleeping downstairs. He had left his laptop on the table and we agreed that it would be perfect to surprise him by changing the desktop background of his computer to the photo we took that night. At 4am I wasn't interested in live CD's or slaving hard drives but luckily I was able to boot into his Ubuntu partition in minutes with root access.

And why am I telling you this? Because the reason I was able to access it so easily was because Grub was not password protected and I booted it into rescue mode which gave me root access to his entire hard drive. Although I thought it was hilarious, it was a good reminder to always lock it down. So this is how to password protect some or all of the entries in Grub.

Password Protect Grub Entries

This shows you how to password protect individual Grub entries

1. Generate your Grub password with the following command
> grub-md5-crypt Password: Retype password: $1$Yozqb$OIKAYGPKQJfi2U9y/yDG30
2. Copy the last string because this is what you'll use inside the Grub configuration file
3. Using your editor of choice, edit /boot/grub/menu.lst
4. Find the part that shows the different boot options at the bottom of the page where you'll see something like this:
title Ubuntu 8.04.1, kernel 2.6.22-14-generic root (hd0,0) kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro quiet splash initrd /boot/initrd.img-2.6.22-14-generic quiet title Ubuntu 8.04.1, kernel 2.6.22-14-generic (recovery mode) root (hd0,0) kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single initrd /boot/initrd.img-2.6.22-14-generic
There are some options which are not an issue to boot but the recovery mode ones would be
5. Edit the section for the recovery mode so that it looks like this
title Ubuntu 8.04.1, kernel 2.6.22-14-generic root (hd0,0) kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro quiet splash initrd /boot/initrd.img-2.6.22-14-generic quiet title Ubuntu 8.04.1, kernel 2.6.22-14-generic (recovery mode) root (hd0,0) kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single initrd /boot/initrd.img-2.6.22-14-generic password --md5 $1$Yozqb$OIKAYGPKQJfi2U9y/yDG30
This will force a password if a user attempts to boot into recovery mode but automatically boot into the default installation without one.
6. Save the menu.lst file and reboot to see if you were successful

Password Protect Editing Grub Entries

This is how to password protect all of Grub so that you cannot run your own commands. This is a big one because an attacker could edit the Grub entries to do something like print out your /etc/password file

1. Edit the menu.lst file
2. Find the section below and remove the '#' and replace the hash with your Grub hash you created earlier
# e.g. password topsecret password $1$Yozqb$OIKAYGPKQJfi2U9y/yDG30 # password topsecret

3. Go through each entry that you want to lock out from editing by adding the word "lock" right after the title

Load Alternative Menu On Password

This is a way of loading a separate boot menu when the user presses 'P' and enters a password.

1. Make a duplicate of menu.lst named menu-admin.lst. This will be the alternative menu
2. Edit the menu-admin.lst file so that you only have the entries you want. This is the only menu that will show so you may want to duplicate some of the original ones too.
title Ubuntu 8.04.1, kernel 2.6.24-19-generic (recovery mode) root (hd0,0) kernel /boot/vmlinuz-2.6.24-19-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single initrd /boot/initrd.img-2.6.24-19-generic title Ubuntu 8.04.1, kernel 2.6.24-18-generic (recovery mode) root (hd0,0) kernel /boot/vmlinuz-2.6.24-18-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single initrd /boot/initrd.img-2.6.24-18-generic

Disclaimer

This is NOT by any means, a very good security measure. It's just a way to stop a lazy attacker or your little brother. The rule still applies that if you have physical access to the box, you can do what whatever you want. If you want to be serious about protecting a system from physical attacks, you'll need to look at encrypting the entire hard drive.

External Links

http://www.gnu.org/software/grub/manual/grub.html#Security

Just recently FireGPG released their 0.5 version which along with other bug fixes and feature additions, includes the ability to automatically reading inline GPG/PGP key blocks from websites. This perfectly fits into an idea I was thinking about a few weeks ago.

UPDATE 7/14/08: FireGPG's newest version supports symmetrical encryption and line breaks making it even easier to do what I'm talking about.

The idea is that using FireGPG you can encrypt your posts to public web pages, forums, wikis, and even MySpace (if you still use that) so that only you, or whomever possesses the private key can decrypt.

For example, say you have a very private message that you and your friend would like to share but you want to make sure no one can read it while you are writing it and that no one can read it after you've posted it. You generate a key for your posts and then you send your friend the private key, and she decrypts it but no one else can. Not even the owner of the website.

Why would you want to do this?

1. It's an alternative to SSL if you don't have the ability to set it up (forums, blog comments) [There are other alternatives I've seen done with Javascript but most of them site security flaws]
2. Way of keeping private posts private even from server owners
3. Encryption is fun!

Why would you not do this

This is a last stretch effort and by no means is it a perfect solution. In fact, the public key encryption just does not fit in with this but I haven't found many general encryption plug-ins to encrypt a message with great confidence. Plus it doesn't give you control of revoking the key if it gets stolen. Do not use this as a serious solution but an example of what someone COULD do.

One of the requests at FireGPG is that they can support symmetric encryption which would work much better in this situation. Until then, this still works pretty well.

Install GPG

http://www.gnupg.org/download/index.en.html

I'm really not going to go through the process of installing on your system because it's very easy. Use the site's documentation.

Generate a GPG Key For Your Usage

You can always use your GUI of choice to do this but from command line here's the easiest way: gpg --gen-key

Follow through the steps to create your key.

Install FireGPG

Install FireGPG from here - http://getfiregpg.org/install.html

Encrypt Your Posts:

After FireGPG is installed, you now have a FireGPG menu option when you select a block of text and right-click. So the process is this:

1. Write the post or whatever you're sending to a site
2. Select the entire text before submitting
3. Right click and select the FireGPG menu option
4. Click Encrypt
5. Select the key that you created above and click OK

This will create an encrypted version of your post ready for you to submit.

Decrypting Websites

When you want to view an encrypted post, FireGPG automatically sees it and prompts you to decrypt it. If you have tons and tons of posts, it's going to be very annoying to decrypt every message but it woudl work.

Granting Access

The last part is just giving the private key to those who should be able to see your posts. One obvious way would be this:

1. export the private key
2. encrypt it with your friend's public key
3. email it to him or her

External Links:

http://getfiregpg.org/ - FireGPG Firefox plugin
http://www.gnupg.org/ - GPG website
http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto.html - GPG HOWTO manuals