Rretrofit Grub security?

Paul Morgan paul.morgan at jumanjihouse.com
Tue Nov 18 12:20:09 UTC 2003

On Mon, 2003-11-17 at 23:34, ted wrote:
> When I installed FC1 I chose not to have a Grub password. Now I want
> one. How can I retrofit it in? Grub also manages the XP boot if that
> matters.

http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-wstation-boot-sec.html Password Protecting GRUB
You can configure GRUB to address the first two issues listed in Section
4.2.2 Boot Loader Passwords by adding a password directive to its
configuration file. To do this, first decide on a password, then open a
shell prompt, log in as root, and type: 


When prompted, type the GRUB password and press [Enter]. This will
return an MD5 hash of the password. 

Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the
file and below the timeout line in the main section of the document, add
the following line: 

password --md5 <password-hash>

Replace <password-hash> with the value returned by

The next time you boot the system, the GRUB menu will not let you access
the editor or command interface without first pressing [p] followed by
the GRUB password. 

Unfortunately, this solution does not prevent an attacker from booting
into a non-secure operating system in a dual-boot environment. For this
you need to edit a different part of the /boot/grub/grub.conf file. 

Look for the title line of the non-secure operating system and add a
line that says lock directly beneath it. 

For a DOS system, the stanza should begin similar to the following: 

title DOS

You must have a password line in the
main section of the
/boot/grub/grub.conf file for this
to work properly. Otherwise an
attacker will be able to access the
GRUB editor interface and remove the
lock line. 

If you wish to have a different password for a particular kernel or
operating system, add a lock line to the stanza followed by a password

Each stanza you protect with a unique password should begin with lines
similar to the following example: 

title DOS
password --md5 <password-hash>

More information about the fedora-list mailing list