Monday, November 14, 2011
5:24 AM

Protect GRUB Entries with Password

Ubuntu comes with a GRUB recovery mode that lets you recover or rescue a broken system. Unfortunately, anyone can drop to a root shell from it without having to enter a password, which makes your system less secure. Imagine a stranger accessing GRUB recovery mode and making changes to your system! Today, I'd like to show you how to protect GRUB entries with a password, especially the recovery mode entry. Then, anyone who wants to access recovery mode must enter the password first.
Let's get started. Open the terminal and type "grub" so that the GRUB shell appears. Enter the following command:
  • md5crypt
You will be asked for a password; enter your desired password and hit Enter. You'll get an encrypted password; note it down or paste it somewhere you can find it again.

Open "/boot/grub/menu.lst" with your favorite text editor (root privilege needed). To protect GRUB entries, you must add the following line to each entry you want to protect:
  • password --md5 encrypted_password
E.g.:
Before editing:
title Ubuntu, kernel 2.6.8.1-2-386 (recovery mode)
root (hd1,2)
kernel /boot/vmlinuz-2.6.8.1-2-386 root=/dev/hdb3 ro single
initrd /boot/initrd.img-2.6.8.1-2-386


After editing:
title Ubuntu, kernel 2.6.8.1-2-386 (recovery mode)
root (hd1,2)
kernel /boot/vmlinuz-2.6.8.1-2-386 root=/dev/hdb3 ro single
initrd /boot/initrd.img-2.6.8.1-2-386
password --md5 $1$w7Epf0$vX6rxpozznLAVxZGkcFcs

You might also like to run the following command to prevent "/boot/grub/menu.lst" from being read by regular users:
  • sudo chmod 600 /boot/grub/menu.lst
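To check the result of the steps above, here is an added example (not part of the original post): a shell script that lists recovery-mode entries in a menu.lst that still lack their own password line and tests whether the file mode is 600. The function names, the sample file and the second kernel version (2.6.8.1-3-386) are constructed for illustration.

```shell
# Added example (not from the original post): audit a GRUB legacy menu.lst.
# Print the title of each entry that boots single-user ("single" on its
# kernel line) but has no "password" line of its own.
unprotected_recovery_entries() {
    awk '
        function report() { if (title != "" && single && !locked) print title }
        /^[ \t]*#/ { next }                       # ignore commented-out lines
        /^[ \t]*title[ \t]/ {                     # a new entry starts here
            report()
            title = $0; sub(/^[ \t]*title[ \t]+/, "", title)
            single = 0; locked = 0; next
        }
        title != "" && /^[ \t]*kernel[ \t]/ {
            for (i = 2; i <= NF; i++) if ($i == "single") single = 1
        }
        title != "" && /^[ \t]*password[ \t]/ { locked = 1 }
        END { report() }
    ' "$1"
}

# Succeed only if the file mode is exactly 600 (owner read/write only).
mode_is_600() {
    [ -n "$(find "$1" -prune -perm 600)" ]
}

# Constructed sample: the post's protected entry, a normal entry, and a
# hypothetical second recovery entry that was left without a password line.
write_sample() {
    cat > "$1" <<'EOF'
title Ubuntu, kernel 2.6.8.1-2-386
root (hd1,2)
kernel /boot/vmlinuz-2.6.8.1-2-386 root=/dev/hdb3 ro quiet splash
initrd /boot/initrd.img-2.6.8.1-2-386
title Ubuntu, kernel 2.6.8.1-2-386 (recovery mode)
root (hd1,2)
kernel /boot/vmlinuz-2.6.8.1-2-386 root=/dev/hdb3 ro single
initrd /boot/initrd.img-2.6.8.1-2-386
password --md5 encrypted_password
title Ubuntu, kernel 2.6.8.1-3-386 (recovery mode)
root (hd1,2)
kernel /boot/vmlinuz-2.6.8.1-3-386 root=/dev/hdb3 ro single
initrd /boot/initrd.img-2.6.8.1-3-386
EOF
}

f=$(mktemp); write_sample "$f"; chmod 644 "$f"
unprotected_recovery_entries "$f"    # lists entries still missing a password
mode_is_600 "$f" || echo "$f: mode is not 600"
rm -f "$f"
```

On a real system, call both functions with /boot/grub/menu.lst as the argument (root privilege needed once the file is mode 600).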
Enjoy :)
