April 25, 2006

Enhance boot-time security with GRUB passwords

Author: Shashank Sharma

The security of data files on your computer is at risk, and not just because you are connected to the Internet. Anyone with physical access to your machine can bypass all passwords to gain entry to your hard disk with one simple command given to the bootloader. Fortunately, the popular GRand Unified Bootloader (GRUB) is equipped with security features to prevent such an 'attack.' It can password protect each entry of your boot menu.

GRUB allows a user to boot into single-user mode from the GRUB menu. Single-user mode is the first interactive runlevel in Linux systems, where only one user -- the root users -- is allowed access. You can boot into single-user mode without providing any passwords -- clearly a security threat.

Try it out for yourself. Press 'e' when the GRUB menu shows up to enter the edit mode. Scroll down to the line that begins with kernel and press 'e' again to edit this line. Type s at the end of the line and press Enter to exit the edit mode. Now press 'b' to boot into the single-user mode of your distribution. VoilĂ , complete system access! You can do whatever you want to, including changing the root password using the passwd command.

Securing GRUB

To begin securing the boot menu, first generate an MD5 password. To do this, open up a terminal and enter grub to access the minimalistic GRUB shell. Type md5crypt and press Enter. You will be asked for a password. Fill in the password that you wish to use to block users from booting into single-user mode and press Enter. The encrypted password will be displayed on the screen.

grub> md5crypt

Password: *********
Encrypted: $1$sEOFN1$dalP1fzlFCHD4saxlnNzM/


Note that the password might have a dot or a slash (/) at the end of the encrypted string; this is part of the encrypted password. Copy the encrypted password and exit the GRUB shell by pressing Ctrl-c.

If you find the process of running a GRUB shell and then running md5crypt too cumbersome, you can just run the command grub-md5-crypt from your terminal.

You now need to edit your GRUB configuration file, which you can find at /boot/grub/menu.lst. Scroll down to the distribution section that you wish to password protect. Add a new line containing password --md5 PASSWORD at the end of the distribution section. Replace PASSWORD with the encrypted password you created with md5crypt. Here is my menu.lst file:

# Start GRUB global section
#timeout 30
color light-gray/blue black/light-gray
# End GRUB global section

# Other bootable partition config begins
title Forbidden (on /dev/hda1)
rootnoverify (hd0,0)
chainloader +1
# Other bootable partition config ends

# Linux bootable partition config begins
title Ubuntu Breezy (on /dev/hda2)
root (hd0,1)
kernel /boot/vmlinuz-2.6.12-9-386 root=/dev/hda2 ro vga=790
initrd /boot/initrd.img-2.6.12-9-386
password --md5 $1$sEOFN1$dalP1fzlFCHD4saxlnNzM/
# Linux bootable partition config ends

# Linux bootable partition config begins
title Puppy Linux (on /dev/hda6)
root (hd0,5)
kernel /boot/vmlinuz root=/dev/hda6 ro vga=790
password --md5 $1$hvCFN1$KU8fI1kGYMdehB1mZfALR

Notice the password line at the end of the section for Ubuntu. Whenever I try to boot into Ubuntu, GRUB asks for a password. Additionally, when I try to edit this entry from the GRUB menu, I cannot do so without the password.

You can create separate passwords for each entry in your GRUB menu, as I have done above. Each distribution entry should have its own password --md5 PASSWORD line at the end of its section.

What about LILO?

The other popular bootloader, LInux Loader or LILO, also allows users to boot into single-user mode, and it too has a password protection feature. But while GRUB allows for MD5 encrypted passwords, LILO manages only text passwords, which anyone can read from the lilo.conf file with the command cat /etc/lilo.conf.

Shashank Sharma is studying for a degree in computer science. He specializes in writing about free and open source software for new users.


  • Security
Click Here!