Learn about Linux
Download Linux
Get Linux helpSpecial Offers
Feature: Security
Enhance boot-time security with GRUB passwords
Share
Print
CommentsGRUB allows a user to boot into single-user mode from the GRUB menu. Single-user mode is the first interactive runlevel in Linux systems, where only one user -- the root users -- is allowed access. You can boot into single-user mode without providing any passwords -- clearly a security threat.
Try it out for yourself. Press 'e' when the GRUB menu shows up to enter the edit mode. Scroll down to the line that begins with kernel and press 'e' again to edit this line. Type s at the end of the line and press Enter to exit the edit mode. Now press 'b' to boot into the single-user mode of your distribution. Voilà, complete system access! You can do whatever you want to, including changing the root password using the passwd command.
Securing GRUB
To begin securing the boot menu, first generate an MD5 password. To do this, open up a terminal and enter grub to access the minimalistic GRUB shell. Type md5crypt and press Enter. You will be asked for a password. Fill in the password that you wish to use to block users from booting into single-user mode and press Enter. The encrypted password will be displayed on the screen.
grub> md5crypt Password: ********* Encrypted: $1$sEOFN1$dalP1fzlFCHD4saxlnNzM/ grub>
Note that the password might have a dot or a slash (/) at the end of the encrypted string; this is part of the encrypted password. Copy the encrypted password and exit the GRUB shell by pressing Ctrl-c.
If you find the process of running a GRUB shell and then running md5crypt too cumbersome, you can just run the command grub-md5-crypt from your terminal.
You now need to edit your GRUB configuration file, which you can find at /boot/grub/menu.lst. Scroll down to the distribution section that you wish to password protect. Add a new line containing password --md5 PASSWORD at the end of the distribution section. Replace PASSWORD with the encrypted password you created with md5crypt. Here is my menu.lst file:
# Start GRUB global section #timeout 30 color light-gray/blue black/light-gray # End GRUB global section # Other bootable partition config begins title Forbidden (on /dev/hda1) rootnoverify (hd0,0) makeactive chainloader +1 # Other bootable partition config ends # Linux bootable partition config begins title Ubuntu Breezy (on /dev/hda2) root (hd0,1) kernel /boot/vmlinuz-2.6.12-9-386 root=/dev/hda2 ro vga=790 initrd /boot/initrd.img-2.6.12-9-386 password --md5 $1$sEOFN1$dalP1fzlFCHD4saxlnNzM/ # Linux bootable partition config ends # Linux bootable partition config begins title Puppy Linux (on /dev/hda6) root (hd0,5) kernel /boot/vmlinuz root=/dev/hda6 ro vga=790 password --md5 $1$hvCFN1$KU8fI1kGYMdehB1mZfALR
Notice the password line at the end of the section for Ubuntu. Whenever I try to boot into Ubuntu, GRUB asks for a password. Additionally, when I try to edit this entry from the GRUB menu, I cannot do so without the password.
You can create separate passwords for each entry in your GRUB menu, as I have done above. Each distribution entry should have its own password --md5 PASSWORD line at the end of its section.
What about LILO?
The other popular bootloader, LInux Loader or LILO, also allows users to boot into single-user mode, and it too has a password protection feature. But while GRUB allows for MD5 encrypted passwords, LILO manages only text passwords, which anyone can read from the lilo.conf file with the command cat /etc/lilo.conf.
Shashank Sharma is studying for a degree in computer science. He specializes in writing about free and open source software for new users.
Shashank Sharma specializes in writing about free and open source software for new users and moderates the Linux.com forum boards. He is the coauthor of Beginning Fedora, published by Apress.
Comments
on Enhance boot-time security with GRUB passwordsNote: Comments are owned by the poster. We are not responsible for their content.
Boot loader passwords are ludicrous. They only inconvenience you and do not prevent anyone from gaining access.
The author is obviously a newb!
Without physical security of the system you're screwed.
[URL=http://lowerbackpain.0pi.com/backpain.htm] Back Pain [/URL]
[URL=http://painreliefproduct.guildspace.com] Pain relief [/URL]
[URL=http://painreliefmedic.friendpages.com] Pain relief [/URL]
[URL=http://nervepainrelief.jeeran.com/painrelief<nobr>.<wbr></nobr> htm] Nerve pain relief [/URL]
Further measures could be hard disk encryption, BIOS passwords, etc.;
Great start towards securing the system, but I think it would have been wise if the article would have pointed out the remaining holes and what can be done about them.
[URL=http://lowerbackpain.0pi.com/backpain.htm] Back Pain [/URL]
[URL=http://painreliefproduct.guildspace.com] Pain relief [/URL]
[URL=http://painreliefmedic.friendpages.com] Pain relief [/URL]
[URL=http://nervepainrelief.jeeran.com/painrelief<nobr>.<wbr></nobr> htm] Nerve pain relief [/URL]
Problems with boot loader passwords:
1. You, or someone knowing the password must be present to boot the system. That means no remote reboots, unless you have a iLO or Drac card and I'm betting you don't.
2. A bootable CD, USB key or floppy disk instantly bypasses the "security" provided by the boot loader password.
So the grub password makes your life more inconvenient while offering no security at all!
As for single user mode not requiring a password... Perhaps you should get a better distribution. Single user mode has require the root password on all of my systems for a few years now. Hell, even Windows Recovery Console, the Microsoft version of single user mode, requires the administrator password.
Well, at least you made an MD5 hash of the password rather than putting it in plain text. I'll bet it's the same as your root password. Doh!
Next week; How to setup a Bios boot password. Followed by a post about removing the password in 30 seconds or less.
1) I always change the boot order to disable booting from any device other than the hard drive. The bios must be password protected to prevent anyone with physical access from "inadvertantly" changing it back.
2) I make sure that single user mode prompts for the root password. I add the following line in<nobr> <wbr></nobr>/etc/inittab:
su:S:wait:/sbin/sulogin<nobr> <wbr></nobr>/dev/console
3) I always want my server to reboot, without intervention, to known runlevel. For a server, it is usually run level 3, 5 for a workstation. By not password protecting the default boot choice, it will always boot correctly without my being there. I still protect grub by putting a password in the global section. This prevents any editing. The other passwords in the non-standard boot configuration keep others from boooting to any of the others.
Here is a sample grub configuration from my RHEL44 setup:
#boot=/dev/hda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
password --md5 $1$dFjAP1$9ya5OiKz/rsTMIZPt7eNn.
title Normal Boot
root (hd0,0)
kernel<nobr> <wbr></nobr>/vmlinuz-2.6.9-22.EL ro root=/dev/mapper/VolGroup00-LogVol00 3
initrd<nobr> <wbr></nobr>/initrd-2.6.9-22.EL.img
title Graphical Boot
password --md5 $1$dFjAP1$9ya5OiKz/rsTMIZPt7eNn.
root (hd0,0)
kernel<nobr> <wbr></nobr>/vmlinuz-2.6.9-22.EL ro root=/dev/mapper/VolGroup00-LogVol00 5
initrd<nobr> <wbr></nobr>/initrd-2.6.9-22.EL.img
title Single User Mode
password --md5 $1$dFjAP1$9ya5OiKz/rsTMIZPt7eNn.
root (hd0,0)
kernel<nobr> <wbr></nobr>/vmlinuz-2.6.9-22.EL ro root=/dev/mapper/VolGroup00-LogVol00 1
initrd<nobr> <wbr></nobr>/initrd-2.6.9-22.EL.img
Good luck and thanks again for the article.
[URL=http://lowerbackpain.0pi.com/backpain.htm] Back Pain [/URL]
[URL=http://painreliefproduct.guildspace.com] Pain relief [/URL]
[URL=http://painreliefmedic.friendpages.com] Pain relief [/URL]
[URL=http://nervepainrelief.jeeran.com/painrelief<nobr>.<wbr></nobr> htm] Nerve pain relief [/URL]
Hi Wile E.,
My question is; how does the assailant reboot the system remotely in order to bring up the grub console in the first place? Without root, they can't. If they have root then all your security is pointless.
With physical access they can reboot without root but, as stated by the naysayers, if they have physical access grub passwords are asinine.
Perhaps you fear someone hijacking your console during the 5 or 10 seconds that grub is up when you reboot? And they call me paranoid?!?!?
TTFN
Inexperienced Naysayer.
Encrypted partitions (or encrypted directories such as what encFS offers) would best be used as a second layer of security if you are at all concerned with keeping the data on the hard disk safe (laptop users ought to consider this especially).
[URL=http://lowerbackpain.0pi.com/backpain.htm] Back Pain [/URL]
[URL=http://painreliefproduct.guildspace.com] Pain relief [/URL]
[URL=http://painreliefmedic.friendpages.c<nobr>o<wbr></nobr> m] Pain relief [/URL]
[URL=http://nervepainrelief.jeeran.com/pa<nobr>i<wbr></nobr> nrelief.htm] Nerve pain relief [/URL]</tt>
[URL=http://www.back.painreliefnetwork.net/lowbac<nobr>k<wbr></nobr> pain.htm] Low back pain [/URL]
[URL=http://blog.gala.net/uploads/painreliefback/<nobr>b<wbr></nobr> ackpainrelief.htm] Back pain relief [/URL]
[URL=http://www.weblog.ro/usercontent/13155/profi<nobr>l<wbr></nobr> es/kneepainrelief.htm] Knee pain relief [/URL]
[URL=http://www.info.painreliefnetwork.net/Pain-R<nobr>e<wbr></nobr> lief.html] Pain relief [/URL]
[URL=http://www.sitefights.com/community/scifi/pa<nobr>i<wbr></nobr> nrelief/painreliefpreved.htm] Pain relief [/URL]
[URL=http://www.info.painreliefnetwork.net/Medica<nobr>t<wbr></nobr> ion-Pain-Relief.html] Medication pain relief [/URL]
[URL=http://www.info.painreliefnetwork.net/Natura<nobr>l<wbr></nobr> -Pain-Relief.html] Natural pain relief [/URL]
[URL=http://painrelief.fanspace.com/index.htm] Pain relief [/URL]
[URL=http://lowerbackpain.0pi.com/backpain.htm] Back Pain [/URL]
[URL=http://painreliefproduct.guildspace.com] Pain relief [/URL]
[URL=http://painreliefmedic.friendpages.com] Pain relief [/URL]
The author (knowingly...? at the very least conveniently!) does mention that lilo has plain-text passwords, but he also neglects to say lilo does, unlike grub, have the possibility to only limit *editing* of the boot parameters. So you can *perfectly* boot the system with its default parameters without a password, but you do have to enter a password to change these parameters.
While grub may be superior in many ways, if you're going to diss lilo, at least stay objective (or informed).
Or...
Posted by: Anonymous Coward on April 26, 2006 04:20 AM#