Securing GRUB

From MEPIS Documentation Wiki


By default, GRUB allows a user to edit the boot commands. This can be a major security hole if you're worried about someone getting root access from the console (as in a kiosk or computer lab situation), as anyone can enter runlevel 1 or type /bin/bash and get a root console without entering a password.

However, GRUB has some very flexible security options. The first step is to secure the GRUB command line with a password.

  1. Open a terminal and become root.
  2. Type grub to enter the GRUB command shell.
  3. Type md5crypt and hit enter. You'll be prompted for a password.
  4. Enter the password you want to use and hit enter. You'll get a long stream of characters, which is your password encrypted. Highlight this and copy it to the clipboard.
  5. Type Ctrl-c to exit the GRUB console.
  6. Open /boot/grub/menu.lst in your favorite text editor.
  7. Add the following line somewhere near the beginning of the file:
    password --md5
  8. Paste your encrypted password to the end of the line, one space after "md5".

This will stop users from editing the command line, but will not affect normal booting. It will cause GRUB to use text mode, as graphical mode does not work with passwords.

GRUB also allows you to secure certain entries by requiring the password to boot them. To do this, simply edit the corresponding entry and add the word locked on a line by itself.
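
As an added example (not part of the wiki page), the shell function below checks a menu.lst for the usual mistakes in steps 7 and 8: no hash pasted, no space after --md5, a password given without --md5, or no password line before the first title. The function names and the sample file are made up for illustration, and the hash is a shape-only placeholder, not a real one.

```shell
#!/bin/sh
# Added example: audit a GRUB legacy menu.lst for the password line from steps 7-8.
# Usage: audit_menu_lst FILE   ("-" reads stdin). Returns 0 only if the check passes.
audit_menu_lst() {
    awk '
        function bad(msg) { print "FAIL: line " NR ": " msg; rc = 1 }
        /^[ \t]*(#|$)/   { next }               # skip comments and blank lines
        $1 == "title"    { seen_title = 1 }     # boot entries start here
        $1 != "password" || seen_title { next } # only the global password line matters
        {
            found = 1
            if ($2 ~ /^--md5./) { bad("no space between --md5 and the hash"); next }
            if ($2 != "--md5")  { bad("password without --md5 is stored in clear text"); next }
            if (NF < 3)         { bad("--md5 given but no hash pasted after it"); next }
            # MD5-crypt layout: $1$ + salt (1-8 chars) + $ + 22-char digest
            n = split($3, p, "[$]")
            if (n != 4 || p[1] != "" || p[2] != "1" ||
                length(p[3]) < 1 || length(p[3]) > 8 || length(p[4]) != 22 ||
                (p[3] p[4]) !~ "^[./0-9A-Za-z]+$")
                bad("value after --md5 is not an MD5-crypt string")
            else
                print "OK: line " NR ": global password --md5 set before first title"
        }
        END {
            if (!found) { print "FAIL: no password line before the first title"; rc = 1 }
            exit rc + 0
        }
    ' "$1"
}

# Constructed sample; the hash is a placeholder with the right shape, not a real one.
demo_menu() {
    cat <<'EOF'
# menu.lst (constructed sample)
timeout 5
password --md5 $1$AbCdEfGh$0123456789abcdefghijkl
title Linux
kernel /boot/vmlinuz root=/dev/sda1 ro
EOF
}

demo_menu | audit_menu_lst - || true
```

Run it against the real file as root with audit_menu_lst /boot/grub/menu.lst after editing, before you reboot.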
