(grub.info.gz) Security

 
 9 Protecting your computer from cracking
 ****************************************
 
 You may be interested in how to prevent ordinary users from doing
 whatever they like, if you share your computer with other people. So
 this chapter describes how to improve the security of GRUB.
 
    One thing which could be a security hole is that the user can do too
 many things with GRUB, because GRUB allows one to modify its
 configuration and run arbitrary commands at run-time. For example, the
 user can even read `/etc/passwd' in the command-line interface by the
 command `cat' (see cat). So it is necessary to disable all the
 interactive operations.
 
    Thus, GRUB provides a "password" feature, so that only administrators
 can start the interactive operations (i.e. editing menu entries and
 entering the command-line interface). To use this feature, you need to
 run the command `password' in your configuration file (see password),
 like this:
 
      password --md5 PASSWORD
 
    If this is specified, GRUB disallows any interactive control, until
 you press the key <p> and enter a correct password.  The option `--md5'
 tells GRUB that `PASSWORD' is in MD5 format.  If it is omitted, GRUB
 assumes the `PASSWORD' is in clear text.
 
    You can encrypt your password with the command `md5crypt' (see
 md5crypt). For example, run the grub shell (see Invoking the grub
 shell), and enter your password:
 
      grub> md5crypt
      Password: **********
      Encrypted: $1$U$JK7xFegdxWH6VuppCUSIb.
 
    Then, cut and paste the encrypted password to your configuration
 file.
 
    Also, you can specify an optional argument to `password'. See this
 example:
 
      password PASSWORD /boot/grub/menu-admin.lst
 
    In this case, GRUB will load `/boot/grub/menu-admin.lst' as a
 configuration file when you enter the valid password.
 
    Another thing which may be dangerous is that any user can choose any
 menu entry. Usually, this wouldn't be problematic, but you might want to
 permit only administrators to run some of your menu entries, such as an
 entry for booting an insecure OS like DOS.
 
    GRUB provides the command `lock' (see lock). This command always
 fails until you enter the valid password, so you can use it, like this:
 
      title Boot DOS
      lock
      rootnoverify (hd0,1)
      makeactive
      chainloader +1
 
    You should insert `lock' right after `title', because any user can
 execute commands in an entry until GRUB encounters `lock'.
 
    You can also use the command `password' instead of `lock'. In this
 case the boot process will ask for the password and stop if it was
 entered incorrectly.  Since `password' takes its own PASSWORD
 argument, this is useful if you want different passwords for different
 entries.
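
    The rules in this chapter (a top-level `password', `--md5' rather
 than clear text, and `lock' or `password' placed right after `title')
 can be checked mechanically. The following is an added example, not
 part of the GRUB manual or GRUB itself; the function name
 `audit_menu_lst' and the sample file are hypothetical.

```python
import re

# Constructed sample menu.lst (not from the GRUB manual): clear-text global
# password, and a `lock' placed after another command in the DOS entry.
SAMPLE = """\
# sample configuration
default 0
password secret
title Linux
root (hd0,0)
kernel /vmlinuz root=/dev/hda1
title Boot DOS
rootnoverify (hd0,1)
lock
makeactive
chainloader +1
"""

def audit_menu_lst(text):
    """Return (line_number, message) findings; line 0 means file-level."""
    findings = []
    title = None            # current entry title; None in the global section
    cmds_in_entry = 0       # commands seen since the current `title'
    global_password = False
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # GRUB Legacy accepts both `cmd args' and `cmd=args'.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
        if cmd == "title":
            title, cmds_in_entry = args, 0
            continue
        if cmd == "password":
            global_password = global_password or title is None
            if "--md5" not in args.split():
                findings.append((num, "password stored in clear text (no --md5)"))
        if title is not None:
            if cmd in ("lock", "password") and cmds_in_entry > 0:
                findings.append((num, "`%s' in entry '%s' is not right after `title'; "
                                 "earlier commands run unprotected" % (cmd, title)))
            cmds_in_entry += 1
    if not global_password:
        findings.append((0, "no global `password': interactive operations are open"))
    return findings

if __name__ == "__main__":
    print(*audit_menu_lst(SAMPLE), sep="\n")
```

    On the constructed sample it reports line 3 (clear-text password)
 and line 9 (`lock' after `rootnoverify').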
 