Rretrofit Grub security?
Paul Morgan
paul.morgan at jumanjihouse.com
Tue Nov 18 12:20:09 UTC 2003
On Mon, 2003-11-17 at 23:34, ted wrote:
> When I installed FC1 I chose not to have a Grub password. Now I want
> one. How can I retrofit it in? Grub also manages the XP boot if that
> matters.
From
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-wstation-boot-sec.html
4.2.2.1. Password Protecting GRUB
You can configure GRUB to address the first two issues listed in Section
4.2.2 Boot Loader Passwords by adding a password directive to its
configuration file. To do this, first decide on a password, then open a
shell prompt, log in as root, and type:
/sbin/grub-md5-crypt
When prompted, type the GRUB password and press [Enter]. This will
return an MD5 hash of the password.
Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the
file and below the timeout line in the main section of the document, add
the following line:
password --md5 <password-hash>
Replace <password-hash> with the value returned by
/sbin/grub-md5-crypt[2].
The next time you boot the system, the GRUB menu will not let you access
the editor or command interface without first pressing [p] followed by
the GRUB password.
Unfortunately, this solution does not prevent an attacker from booting
into a non-secure operating system in a dual-boot environment. For this
you need to edit a different part of the /boot/grub/grub.conf file.
Look for the title line of the non-secure operating system and add a
line that says lock directly beneath it.
For a DOS system, the stanza should begin similar to the following:
title DOS
lock
Warning
Warning
You must have a password line in the
main section of the
/boot/grub/grub.conf file for this
to work properly. Otherwise an
attacker will be able to access the
GRUB editor interface and remove the
lock line.
If you wish to have a different password for a particular kernel or
operating system, add a lock line to the stanza followed by a password
line.
Each stanza you protect with a unique password should begin with lines
similar to the following example:
title DOS
lock
password --md5 <password-hash>
More information about the fedora-list
mailing list