Grub Password Security
If your system is using a default installation of GRUB as its boot loader, chances are it has not been set up with a password.
When at the GRUB menu, one can edit the kernel selection by highlighting the menu item and pressing the “e” key. By editing the “kernel” entry, one can pass any number of boot variables and options. For instance, the options “init 1” or “single” boot the operating system into “single user” mode (run level 1), which drops you into a root prompt with no authentication necessary.
For example, the kernel option would look like the following:
kernel /boot/vmlinuz-2.6.15-27-686 root=/dev/hda1 ro quiet init 1
or
kernel /boot/vmlinuz-2.6.15-27-686 root=/dev/hda1 ro quiet single
Ubuntu actually installs a “recovery” GRUB menu item already configured for you. How nice of them!
Of course, anyone with prolonged physical access to your server can do a lot more damage. Configuring a GRUB password can be likened to installing and locking your “screen door”. It can slow down or even discourage a potential intruder.
Instructions:
Step 1: Generate an MD5 hashed password using the “grub-md5-crypt” command line utility. Enter the command, and it will prompt you twice for any password of your choice.
$ grub-md5-crypt
Password:
Retype password:
$1$aBQge1$oljHKOKAPuiOkvUTTzPc80
$
Step 2: Copy the resulting hash into /boot/grub/menu.lst using the following syntax:
password --md5 $1$aBQge1$oljHKOKAPuiOkvUTTzPc80
Step 3: Lock alternative boot options by changing the “lockalternative” value to “true”. With this option set, the administrative password must be entered before the alternative menu item (recovery mode) can be used.
# lockalternative=true
Step 4: Lock old kernel menu items, as they may present their own security issues.
# lockold=true
Step 5: Save changes by updating grub, and then reboot to test.
$ sudo update-grub
You should notice that GRUB now instructs you to press “p” to enter a password in order for you to edit the kernel options, boot into single user mode or older kernels.
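To confirm the steps above took effect without rebooting, the following check can be run against menu.lst. It is an added example, not part of the original post; the function name audit_menu_lst is hypothetical, and it assumes GRUB legacy's behaviour that update-grub writes a "lock" line into each locked stanza.

```shell
#!/bin/sh
# Added example (not from the original post): audit a GRUB legacy menu.lst
# for the settings from Steps 2-4. Returns the number of findings.
# Usage after sourcing: audit_menu_lst /boot/grub/menu.lst
audit_menu_lst() {
    file=$1
    findings=0

    # Step 2: the password line must sit in the global section, before the
    # first "title"; placed inside a stanza it only covers that entry.
    if ! awk '/^[ \t]*title[ \t]/ { exit }
              /^[ \t]*password[ \t]+--md5[ \t]+[^ \t]/ { found = 1; exit }
              END { exit !found }' "$file"; then
        echo "FAIL: no global 'password --md5' line before the first title"
        findings=$((findings + 1))
    fi

    # Steps 3 and 4: update-grub reads these single-# "magic comment" lines;
    # lines starting with ## are documentation and are ignored here.
    for opt in lockalternative lockold; do
        if ! grep -Eq "^# *${opt}=true *\$" "$file"; then
            echo "FAIL: '# ${opt}=true' is not set"
            findings=$((findings + 1))
        fi
    done

    # After update-grub, each single-user stanza should carry a "lock" line.
    if ! awk '
        function flush() {
            if (title != "" && single && !locked) {
                print "FAIL: not locked: " title; bad = 1
            }
        }
        /^[ \t]*title[ \t]/  { flush(); title = $0; single = 0; locked = 0; next }
        /^[ \t]*kernel[ \t]/ && / (single|init 1)( |$)/ { single = 1 }
        /^[ \t]*lock[ \t]*$/ { locked = 1 }
        END { flush(); exit bad + 0 }' "$file"; then
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "OK: $file"
    return "$findings"
}
```

A non-zero return after Step 5 usually means update-grub was not re-run, or the password line was pasted below a title entry.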