secure grub2 with password

In preparation for the New Year's party, I wanted to secure my desktop against init=/bin/bash attacks (anyone at the console editing the kernel command line at boot). GRUB2 added usernames to its privilege concept, so access to particular boot entries can be granted to different subsets of users.
I just want everybody to be able to boot the default entry, and to restrict all tweaking (edit mode, command line) and alternatives (old kernels, memtest) behind password authentication.
Adding a superuser called root (easy to remember) and setting a password locks all entries.
For increased security, use a hashed password (generate it with `grub2-mkpasswd-pbkdf2`) and revoke read rights on the file for everyone but the owner.
N.B. grub2-mkconfig runs every file in /etc/grub.d through the shell and collects their output to generate /boot/grub2/grub.cfg, so the file has to be executable.

--- /dev/null
+++ /etc/grub.d/01_password
@@ -0,0 +1,6 @@
+cat << EOF
+set superusers="root"
+password_pbkdf2 root grub.pbkdf2.sha512.......
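Review bot: the hunk header `@@ -0,0 +1,6 @@` announces six added lines but only three are shown, and the `cat << EOF` here-document is never terminated; as pasted, the script would abort with an unterminated here-document when grub2-mkconfig runs it, so the missing lines (the closing `EOF`, and an interpreter line such as `#!/bin/sh`, since the note above says grub2-mkconfig executes the file through the shell) should be restored. The `password_pbkdf2` line also needs the complete hash string exactly as printed by `grub2-mkpasswd-pbkdf2` in place of the elided `.......`, and because the here-document is unquoted, any `$` in that string would be expanded by the shell.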

Run `chmod go=,u+x /etc/grub.d/01_password`
Now identify the part of 10_linux that generates the first/default menu entry: it is the else branch of `if [ x$type != xsimple ]` inside linux_entry().

--- /etc/grub.d/10_linux
+++ /etc/grub.d/10_linux
@@ -98,7 +98,7 @@
       echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} $menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
-      echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} $menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+      echo "menuentry --unrestricted '$(echo "$os" | grub_quote)' ${CLASS} $menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
   if [ x$type != xrecovery ] ; then
       save_default_entry | sed -e "s/^/ /"
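Review bot: this patches a distribution-owned file, so the next grub2 package update will silently replace 10_linux and drop `--unrestricted`, after which the default entry starts prompting for the superuser password again; record the change where you will find it after an upgrade, and after every `grub2-mkconfig` run confirm the generated file still carries exactly one unrestricted entry, e.g. `grep -c -- --unrestricted /boot/grub2/grub.cfg`. The context lines show only the `gnulinux-simple-` entry being changed, which is what the text above intends; the submenu and recovery entries stay password-protected.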

Now regenerate the GRUB2 configuration by running `grub2-mkconfig -o /boot/grub2/grub.cfg` and you're all set.
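As an added check, not part of the original post: a small POSIX shell audit that asserts what the steps above are meant to produce (a superuser, a pbkdf2 hash rather than a plaintext `password` line, exactly one `--unrestricted` entry which must be the default one, and a 01_password that is not group/world-readable). The paths /boot/grub2/grub.cfg and /etc/grub.d/01_password are the ones used in the post; the sample config the script writes is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the generated grub.cfg and the
# 01_password script for the lockdown above; write_sample_cfg is a constructed sample.

# write_sample_cfg: write the constructed sample config to a temp file, print its path
write_sample_cfg() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
menuentry --unrestricted 'Fedora' $menuentry_id_option 'gnulinux-simple-abc' {
	linux /vmlinuz
}
menuentry 'Fedora (recovery mode)' $menuentry_id_option 'gnulinux-3.7-recovery-abc' {
	linux /vmlinuz single
}
EOF
    echo "$f"
}

# audit_grub_cfg FILE: 0 when FILE names a superuser, carries a hashed (not plaintext)
# password and marks exactly one entry --unrestricted, the default 'gnulinux-simple-' one.
audit_grub_cfg() {
    cfg=$1
    grep -q '^set superusers=' "$cfg" || { echo "no superusers set"; return 1; }
    grep -q '^password_pbkdf2 ' "$cfg" || { echo "no pbkdf2 password"; return 1; }
    if grep -q '^password ' "$cfg"; then echo "plaintext password present"; return 1; fi
    n=$(grep -c -- '--unrestricted' "$cfg")
    [ "$n" -eq 1 ] || { echo "expected 1 unrestricted entry, found $n"; return 1; }
    grep -- '--unrestricted' "$cfg" | grep -q 'gnulinux-simple-' ||
        { echo "the unrestricted entry is not the default one"; return 1; }
}

# check_script_perms FILE: 0 when FILE is owner-executable with no group/other bits,
# which is what `chmod go=,u+x` leaves (the hash must not be world-readable).
check_script_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)    # e.g. -rwx------
    case $mode in
        ?r?[xs]------) return 0 ;;
        *) echo "bad mode $mode on $1"; return 1 ;;
    esac
}

# Stand-alone run: check the sample, then the real files when they are readable.
sample=$(write_sample_cfg)
audit_grub_cfg "$sample" && echo "sample grub.cfg: OK"
rm -f "$sample"
if [ -r /boot/grub2/grub.cfg ]; then audit_grub_cfg /boot/grub2/grub.cfg && echo "grub.cfg: OK"; fi
if [ -e /etc/grub.d/01_password ]; then check_script_perms /etc/grub.d/01_password && echo "01_password: OK"; fi
```

Run it as root after `grub2-mkconfig` so /boot/grub2/grub.cfg is readable; any failure prints the first problem found.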

Prosit 2013!
Tags: linux own