If you are a Linux sysadmin, you might not want others in your IT department who have physical access to the server to change anything from the GRUB bootloader menu that is displayed during system startup.
GRUB is the 3rd stage in the Linux boot process that we discussed earlier.
GRUB's security features allow you to set a password on the grub entries. Once you set a password, nobody can edit any grub entries, or pass arguments to the kernel from the grub command line, without entering the password.
It is highly recommended to set a GRUB password on any critical production system, as explained in this article.
1. Use grub password command in grub.conf
On a system where GRUB is not secured with the password, the following message will be displayed right under the GRUB menu during the system startup.
As you see from this message, anybody who is in front of the console and reboots the server can edit the grub commands, or even modify the kernel arguments. This will probably cause problems if someone who doesn't know what they are doing plays around with this on a production system.
Use the up-arrow and down-arrow keys to select which entry is highlighted. Press enter to boot the selected OS, 'e' to edit the commands before booting, 'a' to modify the kernel arguments before booting, or 'c' for a command-line
/boot/grub/grub.conf contains information about the entries that are displayed in the GRUB menu during system startup. On some systems, /etc/grub.conf is a symbolic link to /boot/grub/grub.conf.
Add the following "password" line to the grub.conf file.
$ cat /etc/grub.conf
default=0
timeout=15
password GrbPwd4SysAd$
..
Once the "password" command is added to the grub.conf, the following message will be displayed right under the GRUB menu during the system startup.
As you see from this message, without entering the GRUB password that you gave in the grub.conf, nobody can edit the grub commands or modify the kernel arguments. All they can do is select one of the displayed entries and boot from it.
Use the up-arrow and down-arrow keys to select which entry is highlighted. Press enter to boot the selected OS or 'p' to enter a password to unlock the next set of features.
2. Encrypt the grub password using grub-crypt
While reading the above section, you probably thought to yourself: Yes, the grub menu is secured by a password. But the password itself is in clear text in the grub.conf file, which kind of defeats the purpose.
You can use the grub-crypt utility to create an encrypted (hashed) password, so that the clear text never has to be stored in grub.conf.
grub-crypt will read the clear text password from the user, and display the encrypted password as shown below.
# grub-crypt
Password: GrbPwd4SysAd$
Retype password: GrbPwd4SysAd$
^9^32kwzzX./3WISQ0C
Modify the grub.conf file and add the "password" entry with the --encrypted argument as shown below. Just copy the output of the grub-crypt command, and paste it after the "--encrypted" argument in the password entry.
$ cat /etc/grub.conf
default=0
timeout=15
password --encrypted ^9^32kwzzX./3WISQ0C
..
By default, the grub-crypt command encrypts the password using the SHA-512 algorithm. You can also encrypt the password using either the SHA-256 or the MD5 algorithm, as shown below.
# grub-crypt --sha-256
# grub-crypt --md5
You can also use md5crypt to encrypt the password. In that case, you should use "password --md5 encrypted-password" in your grub.conf file.
Inside the script section of your grub.conf file, if you specify “lock”, grub will execute the rest of the commands in that section of the menu entry only if the user is authenticated.
3. Load a different file for the Grub Menu
By default, the entries in the GRUB menu during system startup are picked up from the grub.conf file, i.e., based on the lines that start with a "title" entry in the grub.conf file.
If you are testing some variation of a new kernel, you might want to create a separate grub menu file that contains the custom menu entries. During the system startup, by default grub will show only the entries from the grub.conf. However, when you enter a password, you can instruct grub to load your custom menu entries.
This is achieved by passing the custom menu file name to the password command in the grub.conf file, as shown below.
In the following example, grub will load and display the menu entries from /etc/mymenu.lst when you provide the password during the system startup.
$ cat /etc/grub.conf
default=0
timeout=15
password --encrypted ^9^32kwzzX./3WISQ0C /etc/mymenu.lst
..
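As an added example that is not part of the original article, the following Python script audits a GRUB legacy grub.conf for the protections covered in sections 1 to 3: whether a "password" line exists, whether it is clear text, --md5 or --encrypted, whether an alternate menu file is passed to it, and how many entries use "lock". The grub.conf fragments are constructed sample input and the hash value is a placeholder, not real grub-crypt output.

```python
import re

# Constructed grub.conf fragments (sample input, not taken from a real server).
GRUB_CONF_UNPROTECTED = """default=0
timeout=15
title CentOS (2.6.18-custom)
    root (hd0,0)
    kernel /vmlinuz-2.6.18-custom ro root=/dev/sda2
"""
GRUB_CONF_CLEARTEXT = GRUB_CONF_UNPROTECTED.replace(
    "timeout=15", "timeout=15\npassword GrbPwd4SysAd$")
# The hash below is a placeholder, not real grub-crypt output.
GRUB_CONF_HASHED = GRUB_CONF_UNPROTECTED.replace(
    "timeout=15",
    "timeout=15\npassword --encrypted $6$SALTPLACEHOLDER$HASHPLACEHOLDER /etc/mymenu.lst",
) + "    lock\n"

# GRUB legacy syntax: password [--md5|--encrypted] PASSWD [MENU_FILE]
PASSWORD_RE = re.compile(r"^password(?:\s+(--md5|--encrypted))?\s+(\S+)(?:\s+(\S+))?\s*$")

def audit_grub_conf(text):
    """Report how a GRUB legacy grub.conf protects its menu (see 'findings')."""
    report = {"protected": False, "scheme": None, "menu_file": None,
              "locked_entries": 0, "findings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "lock":  # rest of this entry runs only after authentication
            report["locked_entries"] += 1
            continue
        m = PASSWORD_RE.match(line)
        if not m:
            continue
        flag, secret, menu_file = m.groups()
        if secret.startswith("--"):  # e.g. "password --md5" with no hash after it
            report["findings"].append("malformed password line: " + line)
            continue
        report["protected"] = True
        report["scheme"] = flag.lstrip("-") if flag else "cleartext"
        report["menu_file"] = menu_file
        if report["scheme"] == "cleartext":
            report["findings"].append("password stored in clear text; use grub-crypt and --encrypted")
        elif report["scheme"] == "md5":
            report["findings"].append("MD5 hash in use; prefer grub-crypt's default SHA-512")
    if not report["protected"]:
        report["findings"].append("no password line: anyone at the console can edit entries")
    return report
```

Run it against the real file with audit_grub_conf(open("/boot/grub/grub.conf").read()) and treat a non-empty "findings" list as something to fix.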