Re: Retrofit Grub security?

On Mon, 2003-11-17 at 23:34, ted wrote:
> When I installed FC1 I chose not to have a Grub password. Now I want
> one. How can I retrofit it in? Grub also manages the XP boot if that
> matters.

From
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-wstation-boot-sec.html


4.2.2.1. Password Protecting GRUB
You can configure GRUB to address the first two issues listed in Section
4.2.2 Boot Loader Passwords by adding a password directive to its
configuration file. To do this, first decide on a password, then open a
shell prompt, log in as root, and type: 

/sbin/grub-md5-crypt

When prompted, type the GRUB password and press [Enter]. This will
return an MD5 hash of the password. 

Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the
file and below the timeout line in the main section of the document, add
the following line: 

password --md5 <password-hash>

Replace <password-hash> with the value returned by
/sbin/grub-md5-crypt[2]. 

The next time you boot the system, the GRUB menu will not let you access
the editor or command interface without first pressing [p] followed by
the GRUB password. 

Unfortunately, this solution does not prevent an attacker from booting
into a non-secure operating system in a dual-boot environment. For this
you need to edit a different part of the /boot/grub/grub.conf file. 

Look for the title line of the non-secure operating system and add a
line that says lock directly beneath it. 

For a DOS system, the stanza should begin similar to the following: 

title DOS
lock

Warning

You must have a password line in the main section of the
/boot/grub/grub.conf file for this to work properly. Otherwise an
attacker will be able to access the GRUB editor interface and remove the
lock line. 


If you wish to have a different password for a particular kernel or
operating system, add a lock line to the stanza followed by a password
line. 

Each stanza you protect with a unique password should begin with lines
similar to the following example: 

title DOS
lock
password --md5 <password-hash>
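The manual's two protections depend on each other: a lock line only holds if a global password line exists in the main section. The script below is an added example, not from the mailing-list post or the Red Hat manual it quotes; it audits a legacy GRUB grub.conf for exactly that relationship. The sample configuration it writes is constructed for the demo (the md5 hash is a placeholder, not output from /sbin/grub-md5-crypt), and the function names and temp-file paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the Red Hat manual.
# Audits a legacy GRUB grub.conf for the two protections described above:
#   1. a global "password --md5 <hash>" line in the main section (before the
#      first "title" line), which guards the GRUB editor/command interface;
#   2. "lock" lines inside stanzas, which only take effect when (1) is present.

# Write a constructed sample grub.conf to the path given as $1.
# The hash is a placeholder; real deployments use the value from grub-md5-crypt.
write_sample_conf() {
    cat > "$1" <<'EOF'
default=0
timeout=10
password --md5 $1$PLACEHOLDER$NotARealGrubHash0000000
title Linux (example kernel)
        root (hd0,0)
        kernel /vmlinuz-EXAMPLE ro root=LABEL=/
        initrd /initrd-EXAMPLE.img
title DOS
        lock
        rootnoverify (hd0,1)
        chainloader +1
EOF
}

# Exit 0 if the main section (everything before the first title line)
# contains a "password --md5 <hash>" line, 1 otherwise.
grub_global_has_password() {
    awk '/^[[:space:]]*title([[:space:]]|$)/ { exit } { print }' "$1" |
        grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+[^[:space:]]+'
}

# Print one "locked<TAB>title" or "unlocked<TAB>title" line per stanza.
grub_stanza_status() {
    awk '
        function report() { printf "%s\t%s\n", (locked ? "locked" : "unlocked"), title }
        /^[[:space:]]*title([[:space:]]|$)/ {
            if (seen) report()
            seen = 1; locked = 0
            title = $0; sub(/^[[:space:]]*title[[:space:]]*/, "", title)
            next
        }
        /^[[:space:]]*lock[[:space:]]*$/ { locked = 1 }
        END { if (seen) report() }
    ' "$1"
}

# Combine the checks. Returns 0 when the config is protected as the manual
# describes, 1 when lock lines exist but no global password backs them (the
# lock can simply be deleted from the GRUB editor), 2 when nothing is set.
audit_grub_conf() {
    conf="$1"
    status=$(grub_stanza_status "$conf")
    lock_count=$(printf '%s\n' "$status" | grep -c '^locked' || true)
    if grub_global_has_password "$conf"; then
        echo "OK: global GRUB password present; $lock_count locked stanza(s)"
        printf '%s\n' "$status" | sed 's/^/  /'
        return 0
    fi
    if [ "$lock_count" -gt 0 ]; then
        echo "WEAK: $lock_count lock line(s) but no global password; lock is ineffective"
        return 1
    fi
    echo "UNPROTECTED: no global password and no lock lines"
    return 2
}

# Stand-alone demo: audit the sample, then the same sample with the global
# password line removed, which turns the DOS stanza's lock into a no-op.
demo() {
    tmp=$(mktemp) && tmp2=$(mktemp)
    write_sample_conf "$tmp"
    rc=0; audit_grub_conf "$tmp" || rc=$?; echo "exit status: $rc"
    grep -v '^[[:space:]]*password' "$tmp" > "$tmp2"
    rc=0; audit_grub_conf "$tmp2" || rc=$?; echo "exit status: $rc"
    rm -f "$tmp" "$tmp2"
}
demo
```

Run it against a real file with `audit_grub_conf /boot/grub/grub.conf` after sourcing the script; the exit status (0, 1 or 2) makes it usable from a configuration check that runs after every kernel or boot-loader update, when tools that rewrite grub.conf may drop lines.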