Securing Grub 2
5 views
Skip to first unread message
Billy Ayotte
Jul 12, 2012, 10:19:33 AM7/12/12
to open1to1discussion
I haven't actually downloaded the image, yet. But I would like to make
sure some protection is enabled in grub as I have some very smart
students that are able to get root access by altering the boot menu.
This worked even with single user mode locked down. Deny them access
to the menu and it solves a lot of problems. The real issue is doing
this via the imager and not on the image itself. Also the password
encryption bit at the end is very important, but very easy too.
The only way I can think of doing this without a package on the laptop
is to chroot the deployed image after deployment and create the line
in "/etc/grub.d/40_custom" then run update-grub. If the line is just
declaring the super user and not tied to a specific entry it should
lockout the entire edit menu. The line to add should be:
set superuser="<username of choice>"
password pbkdf2 <username of choice> grub.pbkdf2.really long
number.more long numbers
The really password is created by grub-mkpasswd-pbkdf2. It doesn't
automatically create the user and password in the correct location.
You will need to copy the output and place it into the 40_custom file
manually. I can put this into a script pretty easily but I write bash
mostly and my python is... rough. The link below has some example
scripts and documentation on how to do this.
https://help.ubuntu.com/community/Grub2/Passwords
sure some protection is enabled in grub as I have some very smart
students that are able to get root access by altering the boot menu.
This worked even with single user mode locked down. Deny them access
to the menu and it solves a lot of problems. The real issue is doing
this via the imager and not on the image itself. Also the password
encryption bit at the end is very important, but very easy too.
The only way I can think of doing this without a package on the laptop
is to chroot the deployed image after deployment and create the line
in "/etc/grub.d/40_custom" then run update-grub. If the line is just
declaring the super user and not tied to a specific entry it should
lockout the entire edit menu. The line to add should be:
set superuser="<username of choice>"
password pbkdf2 <username of choice> grub.pbkdf2.really long
number.more long numbers
The really password is created by grub-mkpasswd-pbkdf2. It doesn't
automatically create the user and password in the correct location.
You will need to copy the output and place it into the 40_custom file
manually. I can put this into a script pretty easily but I write bash
mostly and my python is... rough. The link below has some example
scripts and documentation on how to do this.
https://help.ubuntu.com/community/Grub2/Passwords
Reply all
Reply to author
Forward
Message has been deleted
0 new messages