GRUB: Password protection
Protect entries from being edited
Plain text passwords
To protect GRUB with a password, put the command 'password YOUR_PASSWORD' somewhere near the beginning of /boot/grub/grub.conf, like this:
password YOUR_PASSWORD
timeout 10
default saved
. . .
This will disable all the options except 'boot' unless you press 'p' and enter the password. But if you have clever users, they can figure out the password quite easily by booting the OS and reading it from the file.
password --md5 MD5_SUM_OF_YOUR_PASSWORD
As you can see, this sample is similar to the previous one, except that we specified "--md5" and wrote the checksum instead of the plaintext password. To get the MD5 checksum of the password, start the grub command-line tool and run 'md5':
# grub
grub> md5
Password: ***
Encrypted: $1$XUSFY1$bl73sNsg5vIKj//qCHvv3
You can also load a new menu with additional entries once the correct password has been typed. Just specify the name of the new menu file after the password in the 'password' command. After the password is entered, GRUB will reload itself with the new file.
password --md5 MD5_SUM_OF_YOUR_PASSWORD admin.conf
Protect entries from being booted
The 'lock' command will fail until a valid password has been entered. If the user hasn't entered one, he/she won't be able to continue the execution of the entry. Place it right after the 'title' command:
title Password protected OS
lock
root (hd0,0)
kernel /kernel
Also note that this is useless unless the 'password' command is used.
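The following check is an added example, not part of the original page or of GRUB itself. It audits the text of a grub.conf for the three weaknesses described above: no 'password' command, a plaintext password that other users can read, and 'lock' used without a password. The function name, finding tags and sample configs are constructed for illustration.

```python
import re
import stat

def audit_grub_conf(text, mode=None):
    """Audit GRUB legacy menu text; return a sorted list of finding tags.

    mode is the file's st_mode (e.g. os.stat(path).st_mode); None skips
    the permission check.
    """
    findings = set()
    global_pw = None    # None, "plain" or "md5"; only set before the first title
    plaintext = False
    in_entry = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # GRUB legacy accepts both "cmd args" and "cmd=args".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        cmd = parts[0]
        args = parts[1].split() if len(parts) > 1 else []
        if cmd == "title":
            in_entry = True
        elif cmd == "password":
            kind = "md5" if "--md5" in args else "plain"
            plaintext = plaintext or kind == "plain"
            if not in_entry:
                global_pw = kind
        elif cmd == "lock" and in_entry and global_pw is None:
            # 'lock' is useless unless the 'password' command is used.
            findings.add("lock-without-password")
    if global_pw is None:
        findings.add("no-global-password")
    if plaintext:
        findings.add("plaintext-password")
        # Any user who can read the file after boot learns the password.
        if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.add("plaintext-readable-by-group-or-other")
    return sorted(findings)

# Constructed sample configs based on the snippets on this page.
ENTRY = "title Password protected OS\nlock\nroot (hd0,0)\nkernel /kernel\n"
WEAK = "password YOUR_PASSWORD\ntimeout 10\ndefault saved\n" + ENTRY
HARDENED = "password --md5 $1$XUSFY1$bl73sNsg5vIKj//qCHvv3 admin.conf\n" + ENTRY

if __name__ == "__main__":
    print(audit_grub_conf(WEAK, 0o100644))
    print(audit_grub_conf(HARDENED, 0o100600))
    print(audit_grub_conf(ENTRY))
```

To audit a real file, pass open(path).read() and os.stat(path).st_mode.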