GRUB: Password protection

From Sidvind

Protect entries from being edited

Plain text passwords

To protect GRUB with a password, put the command 'password YOUR_PASSWORD' near the beginning of /boot/grub/grub.conf, like this:

File: /boot/grub/grub.conf
password YOUR_PASSWORD
timeout 10
default saved
.
.
.

This disables all the options except 'boot' unless you press 'p' and enter the password. However, clever users can figure out the password quite easily by booting the OS and reading it from the configuration file.

Encrypted passwords

File: /boot/grub/grub.conf
password --md5 MD5_SUM_OF_YOUR_PASSWORD

As the sample shows, this is similar to the previous one, except that "--md5" is specified and the checksum is written instead of the plain-text password. To get the MD5 checksum of the password, start the grub command-line tool and run 'md5crypt':

Code: Example
# grub
grub> md5crypt
Password: ***
Encrypted: $1$XUSFY1$bl73sNsg5vIKj//qCHvv3

Loading a new menu

You can load new entries once the correct password has been typed. Just specify the name of the new menu file after the 'password' command. After the password has been entered, GRUB will reload itself with the new file.

File: /boot/grub/grub.conf
password --md5 MD5_SUM_OF_YOUR_PASSWORD admin.conf

Protect entries from being booted

The 'lock' command will fail until a valid password has been entered. If the user hasn't entered one, he/she won't be able to continue the execution of the entry. Place it right after the 'title' command.

File: /boot/grub/grub.conf
title Password protected OS
lock
root (hd0,0)
kernel /kernel

Also note that this is useless unless the 'password' command is used.
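
The checks described on this page can be run automatically against a grub.conf. The following is an added example, not part of the original page or of GRUB: it flags a plain-text 'password', a 'lock' that is not placed right after 'title', and a 'lock' used without any 'password'. The function name audit_grub_conf, the finding strings and both sample configurations are constructed for illustration, and only a 'password' in the global section (before the first 'title') is considered.

```python
import re

# Constructed sample configurations (not taken from a real system).
WEAK = """\
password s3cret
title Password protected OS
root (hd0,0)
lock
kernel /kernel
"""
HARDENED = """\
password --md5 MD5_SUM_OF_YOUR_PASSWORD
title Password protected OS
lock
root (hd0,0)
kernel /kernel
"""

def audit_grub_conf(text):
    """Return sorted findings for the text of a GRUB legacy grub.conf."""
    findings, locked = set(), []
    has_password, title, first = False, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # GRUB legacy also accepts '=' after the command name (timeout=10).
        parts = re.sub(r"^(\w+)\s*=\s*", r"\1 ", line).split(None, 1)
        cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
        if cmd == "title":
            title, first = args, True   # a new menu entry starts here
            continue
        if cmd == "password" and title is None:
            has_password = True
            # Assumption: only '--md5' marks a hashed password, as on this page.
            if not args.startswith("--md5"):
                findings.add("plaintext password")
        elif cmd == "lock" and title is not None:
            locked.append(title)
            if not first:   # commands before 'lock' run without a password
                findings.add(f"lock not directly after title: {title}")
        first = False
    if not has_password:
        findings.add("no global password")
        findings.update(f"lock without password: {t}" for t in locked)
    return sorted(findings)

if __name__ == "__main__":
    print(audit_grub_conf(WEAK), audit_grub_conf(HARDENED))
```

To audit a real file, pass its contents, for example audit_grub_conf(open("/boot/grub/grub.conf").read()).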
