
Recipe 12.14. Protecting System Files with a GRUB Password

12.14.1 Problem

You don't want your users to have access to the GRUB command shell or the menu entry editor, because from there they can read any file on the system regardless of its permissions, and can change the kernel's boot arguments before the system ever comes up.

12.14.2 Solution

Set a password in menu.lst to lock users out of the GRUB command shell.

First, from a Bash shell, use grub-md5-crypt to generate a hashed password:

# grub-md5-crypt

Password:

Retype password:

$1$RiAfJ0$QTuAlS/BGqlkYHQADZejs1

Now paste the hashed password into menu.lst (normally /boot/grub/menu.lst), in the global configuration part, before the boot stanzas. The --md5 flag tells GRUB that what follows is a hash rather than the password itself:

password --md5 $1$RiAfJ0$QTuAlS/BGqlkYHQADZejs1

You can also use a plain text password, like this:

password bigsecretword

Obviously, this is less secure. Restrict the file's permissions to root either way: a plain text password is exposed to anyone who can read the file, and even the MD5 hash can be attacked offline if the file is world-readable, as menu.lst is on many installations:

# chmod 600 /boot/grub/menu.lst

When the system boots and the GRUB menu appears, hit p to enter the password and unlock the command shell and the entry editor. Users without the password will only be able to make selections from the boot menu; they will not have access to the GRUB command shell. If a particular entry (a rescue or single-user stanza, say) should itself require the password before it boots, add the lock directive to that stanza.
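Because the protection depends on both the placement of the password directive and the file's mode, here is a small audit script to check a menu.lst the way the recipe wants it. This is an added example written for this page, not code from the Linux Cookbook or from GRUB; it assumes GRUB Legacy syntax (global directives come before the first title stanza) and runs against constructed sample files rather than a real /boot/grub/menu.lst.

```shell
#!/bin/sh
# Audit a GRUB Legacy menu.lst for the protection set up above.
# Added example, not code from the Linux Cookbook. Assumes GRUB Legacy
# syntax: global directives precede the first "title" stanza.

# Print "md5" if the global section has "password --md5 $1$...",
# "plain" if it has a cleartext "password ...", or "none" if it has neither.
# A password directive placed inside a stanza does not lock the menu editor
# or command shell, so it is deliberately not counted here.
grub_password_mode() {
    awk '
        /^[ \t]*#/                                { next }   # comment line
        /^[ \t]*title/                            { exit }   # first stanza ends the global section
        /^[ \t]*password[ \t]+--md5[ \t]+[$]1[$]/ { mode = "md5"; next }
        /^[ \t]*password[ \t]/                    { if (mode != "md5") mode = "plain" }
        END { print (mode == "" ? "none" : mode) }
    ' "$1"
}

# Return 0 if group and others have no permission bits on the file
# (what "chmod 600" yields), 1 otherwise. Parses ls -l so it works on
# GNU and BSD userlands alike.
grub_menu_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Emit a constructed sample menu.lst (not any real system's file).
# $1 selects the password style: md5, plain, late (inside a stanza) or none.
sample_menu_lst() {
    printf '%s\n' "default 0" "timeout 10"
    case "$1" in
        md5)   printf '%s\n' 'password --md5 $1$RiAfJ0$QTuAlS/BGqlkYHQADZejs1' ;;
        plain) printf '%s\n' 'password bigsecretword' ;;
    esac
    printf '%s\n' "" "title Linux" "root (hd0,0)"
    if [ "$1" = late ]; then
        # misplaced: guards this entry only, leaves the editor and shell open
        printf '%s\n' 'password --md5 $1$RiAfJ0$QTuAlS/BGqlkYHQADZejs1'
    fi
    printf '%s\n' "kernel /boot/vmlinuz root=/dev/hda1 ro" "initrd /boot/initrd.img"
}

# Report on one file; succeed only if it is hashed and root-only.
audit_menu_lst() {
    mode=$(grub_password_mode "$1")
    if grub_menu_private "$1"; then perm=private; else perm=readable; fi
    echo "$1: password=$mode perms=$perm"
    [ "$mode" = md5 ] && [ "$perm" = private ]
}

# Demo on constructed samples, as you would run it against /boot/grub/menu.lst.
tmp=$(mktemp -d)
for style in md5 plain late none; do
    sample_menu_lst "$style" > "$tmp/menu.lst.$style"
    chmod 644 "$tmp/menu.lst.$style"
done
chmod 600 "$tmp/menu.lst.md5"
for f in "$tmp"/menu.lst.*; do
    audit_menu_lst "$f" || echo "  fix: put password --md5 in the global section and chmod 600 the file"
done
rm -rf "$tmp"
```

To check a live system, call audit_menu_lst /boot/grub/menu.lst as root; the "late" sample shows why the recipe insists on putting the directive before the first stanza.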

12.14.3 Discussion

File access permissions are attributes of the filesystem, enforced by the kernel. GRUB runs before the kernel and reads disks with its own filesystem drivers, so it enforces no Unix permissions at all: anyone with access to the GRUB command shell can read any file on the system, /etc/shadow included, with GRUB's own cat command.

If you lose your GRUB password, it's not the end of the world, because you can boot with a rescue disk and edit menu.lst. That illustrates the ancient Unix security dictum, "anyone with physical access to the box owns it": a GRUB password only raises the bar. A BIOS password and a boot order that excludes removable media raise it a little further, but neither stops someone who can open the case and remove the disk.

12.14.4 See Also
