Last week’s tip covered some ways of getting into a system when you don’t
have (or have forgotten) the root password. Obviously, being able to do this
has disadvantages when the person doing it is an attacker trying to get at the
system for nefarious reasons. (Or even users fiddling with the system without
Tip of the Trade: Last week’s tip showed how to get into a system when you don’t have the root password. Helpful, but not always a good thing. This week, we look at the flipside: password-protecting all GRUB entries.
It’s possible to password-protect all GRUB entries: they can still be
booted, but the menu entries can’t be edited, and the GRUB command line
can’t be opened, from the GRUB startup screen until the password has been
entered (press p at the menu). These instructions are for GRUB Legacy, the
version configured through /boot/grub/menu.lst. Log in as root, and type
grub. At the GRUB prompt, enter the password-hashing command, then type in
the new password when prompted. A hash value (an MD5-crypt string beginning
with $1$, like the one used in the next step) will be returned. Make a note
of it, and exit GRUB.
Now edit /boot/grub/menu.lst, and add this line:
password --md5 $1$LfYJ1/$RZu3Ra2OYO8Cl9TvLsQqF.
(using the hash value GRUB gave you, not this one) before any of the boot
menu entries, that is, above the first title line, and you’re done. Keep
the --md5 option: without it GRUB treats the value as a clear-text
password. The hash is an ordinary MD5-crypt value, so anyone who can read
menu.lst can attack it offline; make the file readable only by root (GRUB
reads it straight from the disk at boot time and does not care about its
permissions) and choose a password that will stand up to guessing.
You can also prevent a particular boot entry from being booted at all until
the password has been entered. Add the lock line immediately after the title
line in the relevant boot entry. On Debian and Ubuntu, update-grub rewrites
the kernel entries whenever a kernel is installed, so a line added by hand to
a recovery mode entry would be lost at the next kernel update. To lock the
recovery mode entries, it’s therefore preferable to change the line
lockalternative=false to lockalternative=true in the update-grub options
section at the top of menu.lst: update-grub then locks the recovery entries
itself, and the lockdown is maintained even if the kernel is updated.
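The whole procedure, as an added example that is not part of the original article and is not GRUB’s own code: a Python script that produces the password --md5 line, audits a menu.lst for the three protections described above (global password line before the first title, --md5 rather than clear text, locked recovery entries with lockalternative=true), and applies them to a file that has none of them. It reimplements MD5-crypt on the assumption that GRUB Legacy’s md5crypt command and its password --md5 directive use the standard $1$salt$hash format; the sample menu.lst, the password, and the Debian/Ubuntu conventions it relies on (the # lockalternative= marker, recovery entries whose title contains "(recovery mode)") are constructed for the example.

```python
"""Added example (not from the article or from GRUB): builds the `password --md5`
line for GRUB Legacy and audits/hardens a menu.lst for the article's three steps.
Assumes GRUB Legacy's md5crypt output is standard MD5-crypt ($1$salt$hash), and
the Debian/Ubuntu `# lockalternative=` marker and "(recovery mode)" titles."""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: str, salt: str) -> str:
    """Standard MD5-crypt ($1$), the format GRUB Legacy's md5crypt emits."""
    pw, salt = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + salt + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    for i in range(len(pw)):
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:  # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]  # crypt(3)'s byte shuffle
        for _ in range(4):
            out, v = out + ITOA64[v & 0x3F], v >> 6
    v = final[11]
    for _ in range(2):
        out, v = out + ITOA64[v & 0x3F], v >> 6
    return "$1$" + salt.decode() + "$" + out


def password_line(password: str, salt: str = "") -> str:
    """The line to add before the first `title` in menu.lst (random 8-char salt)."""
    salt = salt or "".join(secrets.choice(ITOA64) for _ in range(8))
    return "password --md5 " + md5crypt(password, salt)


def audit_menu_lst(text: str) -> list:
    """Findings against the article's steps; an empty list means all are in place."""
    global_pw, lockalt, current, unlocked = None, "false", None, []
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("#"):  # update-grub keeps its options in comments
            if "lockalternative=" in s:
                lockalt = s.split("=", 1)[1].strip()
        elif s.startswith("title"):
            current = s[5:].strip()
            if "recovery mode" in current:
                unlocked.append(current)
        elif s.startswith("password") and current is None:
            global_pw = s  # a password line before any entry protects the menu
        elif s == "lock" and current in unlocked:
            unlocked.remove(current)
    findings = []
    if global_pw is None:
        findings.append("no password line before the first title: menu editing is open")
    elif "--md5" not in global_pw:
        findings.append("password line is clear text; use --md5")
    if lockalt != "true":
        findings.append("lockalternative=%s: a kernel update would drop lock from recovery entries" % lockalt)
    findings += ["recovery entry not locked: " + t for t in unlocked]
    return findings


def harden(text: str, pw_line: str) -> str:
    """Apply the article's edits to a menu.lst that has none of them yet."""
    out, inserted = [], False
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("#") and "lockalternative=" in s:
            raw = "# lockalternative=true"
        elif s.startswith("title") and not inserted:
            out.append(pw_line)  # global password goes before any entry
            inserted = True
        out.append(raw)
        if s.startswith("title") and "recovery mode" in s:
            out.append("lock")  # lock sits right after the title line
    return "\n".join(out) + "\n"


SAMPLE_MENU_LST = """\
# constructed sample for this example, not from a real machine
default 0
timeout 5
# lockalternative=false
title Ubuntu, kernel 2.6.20-15-generic
kernel /boot/vmlinuz-2.6.20-15-generic root=/dev/sda1 ro quiet splash
title Ubuntu, kernel 2.6.20-15-generic (recovery mode)
kernel /boot/vmlinuz-2.6.20-15-generic root=/dev/sda1 ro single
"""

if __name__ == "__main__":
    fixed = harden(SAMPLE_MENU_LST, password_line("example-only"))
    print(audit_menu_lst(SAMPLE_MENU_LST), audit_menu_lst(fixed), fixed, sep="\n")
```

Run it as root against a copy of /boot/grub/menu.lst: paste the printed password line in by hand, or feed the file to audit_menu_lst() afterwards to confirm the three edits are present. A hash produced here is interchangeable with one typed at the GRUB shell, since both are MD5-crypt, so the script is also a way to regenerate the line for several machines without logging in to each GRUB prompt.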
This will not protect your system against booting from a LiveCD: to cover
that, edit the BIOS settings to remove the CD/DVD drive (and any other
removable media) from the boot order, then password-protect the BIOS setup.
Remember that if you forget this password, you won’t be able to re-edit the
BIOS when you do need to boot from a CD!
Finally, bear in mind that a serious attacker with physical access will not
be thwarted by these measures: clearing the CMOS resets the BIOS password,
and the disk can simply be moved to another machine. If you need more
protection, look at your site’s overall physical security, and consider
encrypting your hard drives, which keeps the data unreadable to anyone who
boots the machine from other media.