Password Protect Grub
Monday, July 21, 2008
This weekend, my company threw its annual trip to the mountains, which included a team-building scavenger hunt through the small-town community, a boat trip to the lake, and some after-hours pranks. One such prank involved a picture being taken of my friend in an unfortunate position while he was sleeping downstairs. He had left his laptop on the table, and we agreed that it would be perfect to surprise him by changing his desktop background to the photo we took that night. At 4am I wasn't interested in live CDs or slaving hard drives, but luckily I was able to boot into his Ubuntu partition in minutes with root access.

And why am I telling you this? Because the reason I was able to access it so easily was that Grub was not password protected, and I booted it into rescue mode, which gave me root access to his entire hard drive. Although I thought it was hilarious, it was a good reminder to always lock it down. So this is how to password protect some or all of the entries in Grub.
Password Protect Grub Entries
This shows you how to password protect individual Grub entries.
- Generate your Grub password with the following command
- Copy the last string (the hash) because this is what you'll use inside the Grub configuration file
- Using your editor of choice, edit /boot/grub/menu.lst
- Find the part that shows the different boot options at the bottom of the page, where you'll see something like this:
There are some options which are not an issue to boot, but the recovery mode ones would be, since they drop you to a root shell.
- Edit the section for the recovery mode so that it looks like this
This will force a password if a user attempts to boot into recovery mode, but will automatically boot into the default installation without one.
- Save the menu.lst file and reboot to see if you were successful
Password Protect Editing Grub Entries
This is how to password protect all of Grub so that nobody can edit entries or run their own commands from the Grub prompt. This is a big one because an attacker could edit the Grub entries to do something like print out your /etc/passwd file.
- Edit the menu.lst file
- Find the section below, remove the '#' and replace the hash with the Grub hash you created earlier
- Go through each entry that you want to lock out from editing and add the word "lock" on the line right after the title
Load Alternative Menu On Password
This is a way of loading a separate boot menu when the user presses 'P' and enters a password.
- Make a duplicate of menu.lst named menu-admin.lst. This will be the alternative menu
- Edit the menu-admin.lst file so that you only have the entries you want. This is the only menu that will show, so you may want to duplicate some of the original ones too.
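Putting the three sections above together, here is an added example (not from the original post) of a constructed GRUB legacy menu.lst with a global password, a locked recovery entry and an alternative admin menu, plus a small shell audit that lists recovery entries left unlocked. The hash, kernel paths and device names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a constructed GRUB legacy
# menu.lst showing the three protections described above, plus two helpers
# that audit such a file. The --md5 hash is a PLACEHOLDER; paste the output
# of grub-md5-crypt in its place on a real system.
SAMPLE_MENU=$(mktemp)
trap 'rm -f "$SAMPLE_MENU"' EXIT
cat > "$SAMPLE_MENU" <<'EOF'
# Global password: needed to edit entries or use the command line.
# Pressing 'p' and entering it loads menu-admin.lst as the alternative menu.
password --md5 $1$PLACEHOLDER$replace.with.grub.md5.crypt.output /boot/grub/menu-admin.lst
title   Ubuntu (default)
root    (hd0,0)
kernel  /boot/vmlinuz root=/dev/sda1 ro quiet splash
initrd  /boot/initrd.img
title   Ubuntu (recovery mode)
lock
root    (hd0,0)
kernel  /boot/vmlinuz root=/dev/sda1 ro single
initrd  /boot/initrd.img
title   Old kernel (recovery mode)
root    (hd0,0)
kernel  /boot/vmlinuz.old root=/dev/sda1 ro single
EOF
# Print the title of every "recovery mode" entry with no 'lock' line, i.e.
# entries that still boot to a root shell without asking for a password.
unlocked_recovery_entries() {
    awk '
        function report() { if (title != "" && recovery && !locked) print title }
        /^[ \t]*title[ \t]/ {
            report()
            title = $0; sub(/^[ \t]*title[ \t]+/, "", title)
            recovery = (tolower(title) ~ /recovery/); locked = 0
            next
        }
        /^[ \t]*lock([ \t]|$)/ { locked = 1 }
        END { report() }
    ' "$1"
}
# Succeed only if a global "password" line appears before the first title.
has_global_password() {
    awk '
        /^[ \t]*password[ \t]/ { found = 1 }
        /^[ \t]*title[ \t]/    { exit (found ? 0 : 1) }
        END                    { exit (found ? 0 : 1) }
    ' "$1"
}
echo "Unlocked recovery entries:"; unlocked_recovery_entries "$SAMPLE_MENU"
has_global_password "$SAMPLE_MENU" && echo "Global password line: present"
```

Run it against your own /boot/grub/menu.lst by passing that path to the two functions instead of the sample file.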
Disclaimer
This is NOT, by any means, a very good security measure. It's just a way to stop a lazy attacker or your little brother. The rule still applies that if you have physical access to the box, you can do whatever you want. If you want to be serious about protecting a system from physical attacks, you'll need to look at encrypting the entire hard drive.
External Links
http://www.gnu.org/software/grub/manual/grub.html#Security