Retrofit Grub security?

Ow Mun Heng ow.mun.heng at wdc.com
Tue Nov 18 06:25:27 UTC 2003


> -----Original Message-----
> From: Rob Park [mailto:rbpark at ualberta.ca]
> Sent: Tuesday, November 18, 2003 2:14 PM
> 
> ted wrote:
> > When I installed FC1 I chose not to have a Grub password. Now I want
> > one. How can I retrofit it in? Grub also manages the XP boot if that
> > matters.
> 
> I can't give you specific instructions, because I don't know, but it
> shouldn't be hard to figure out: just read the man pages for grub, then
> edit grub's config file, setting the appropriate setting for the password.


specifics

<snip from info grub>
Protecting your computer from cracking
**************************************

   You may be interested in how to prevent ordinary users from doing
whatever they like, if you share your computer with other people. So
this chapter describes how to improve the security of GRUB.

   One thing which could be a security hole is that the user can do too
many things with GRUB, because GRUB allows to modify its configuration
and run arbitrary commands at run-time. For example, the user can read
even `/etc/passwd' in the command-line interface by the command `cat'
(*note cat::). So it is necessary to disable all the interactive
operations.

   Thus, GRUB provides "password" feature, so that only administrators
can start the interactive operations (i.e. editing menu entries and
entering the command-line interface). To use this feature, you need to
run the command `password' in your configuration file (*note
password::), like this:

     password --md5 PASSWORD

   If this is specified, GRUB disallows any interactive control, until
you press the key <p> and enter a correct password.  The option `--md5'
tells GRUB that `PASSWORD' is in MD5 format.  If it is omitted, GRUB
assumes the `PASSWORD' is in clear text.

   You can encrypt your password with the command `md5crypt' (*note
md5crypt::). For example, run the grub shell (*note Invoking the grub
shell::), and enter your password:

     grub> md5crypt
     Password: **********
     Encrypted: $1$U$JK7xFegdxWH6VuppCUSIb.

   Then, cut and paste the encrypted password to your configuration
file.

password --md5 $1$U$JK7xFegdxWH6VuppCUSIb.
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.18-14)
        root (hd0,0)
        kernel /vmlinuz-2.4.18-14 ro root=/dev/hda3
        initrd /initrd-2.4.18-14.img

capsish...
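
An added example, not part of the original message or of GRUB itself: a small checker for the global `password` line described above, which reports a missing directive, a clear-text password (no `--md5`), or a value that does not have the shape `md5crypt` prints. The function name, the finding labels and the sample config (built from the one in the post) are assumptions made for illustration.

```python
import re

# Shape of md5crypt output: $1$<salt, up to 8 chars>$<22 chars from ./0-9A-Za-z>
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22}$")


def audit_grub_conf(text):
    """Return a list of findings about the global `password` directive."""
    findings = []
    seen_password = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # GRUB legacy accepts "cmd args" and "cmd=args" (e.g. splashimage=...).
        m = re.match(r"(\w+)[\s=]*(.*)", line)
        if not m:
            continue
        cmd, args = m.group(1), m.group(2).split()
        if cmd == "title":
            break  # the global section ends at the first menu entry
        if cmd != "password":
            continue
        seen_password = True
        if args and args[0] == "--md5":
            if len(args) < 2 or not MD5_CRYPT.match(args[1]):
                findings.append("malformed-md5")
        else:
            # Without --md5, GRUB treats the value as clear text.
            findings.append("cleartext-password")
    if not seen_password:
        findings.append("no-global-password")
    return findings


# Constructed sample input: the configuration shown in the post.
SAMPLE_CONF = """\
password --md5 $1$U$JK7xFegdxWH6VuppCUSIb.
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.18-14)
        root (hd0,0)
        kernel /vmlinuz-2.4.18-14 ro root=/dev/hda3
        initrd /initrd-2.4.18-14.img
"""

if __name__ == "__main__":
    print(audit_grub_conf(SAMPLE_CONF) or "global password line looks fine")
```

An empty list means the global section has a `password --md5` line with a well-formed hash; it does not check that the hash matches any particular password.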