GRUB – improving security of GRUB
Welcome to the tutorial guide. The tutorial will provide a user with guidance and instructions on how to improve security of GRUB.
GRUB gives any user at the console the opportunity to modify its configuration and run arbitrary commands at run-time. An example will explain this. If a user can read /etc/passwd in the command-line interface with the command cat, then it is necessary to disable all the interactive operations.
GRUB provides a password feature, so that only administrators can start the interactive operations. Please note that interactive operations include editing menu entries and entering the command-line interface. If a user wants to use this feature then he/she will need to put the command password in his/her configuration file. This is as displayed below:
password --md5 PASSWORD
If this is specified, GRUB will disallow interactive control until a user presses the key p and enters a correct password. The option --md5 tells GRUB that `PASSWORD' is in MD5 format. If it is omitted, GRUB assumes the `PASSWORD' is in clear text.
A user can encrypt his/her password with the command md5crypt. For example, a user can run the grub shell and enter his/her password:
grub> md5crypt
Password: ***
Encrypted: $1$U$JK7xFegdxWH6VuppCUSIb.
After that a user can then cut and paste the encrypted password to the configuration file.
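The md5crypt output shown above is the classic MD5-crypt format ($1$salt$hash). The following is an added example, not code from GRUB or from this guide: a pure-Python reimplementation of that algorithm, so an administrator can generate a hash for the password --md5 line without the grub shell, and verify a candidate password against an existing hash. The salt alphabet and the 8-character salt limit follow the format; the function names md5crypt and verify are this example's own.

```python
# Added example: generate and verify MD5-crypt ("$1$salt$hash") strings of the
# kind GRUB Legacy's "password --md5" expects. This is a reimplementation of the
# classic md5crypt algorithm using only the standard library, not GRUB's own code.
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """Encode the low 6*count bits of value, least-significant 6-bit group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str = "") -> str:
    """Return "$1$<salt>$<22 chars>" for password; a random salt is drawn if none is given."""
    pw = password.encode()
    if not salt:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt.split("$")[0][:8]  # salt is at most 8 chars and cannot contain '$'
    sb = salt.encode()

    # "alternate" digest of pw+salt+pw, mixed into the main context one byte per password byte
    alt = hashlib.md5(pw + sb + pw).digest()
    ctx = hashlib.md5(pw + MAGIC + sb)
    for i in range(len(pw)):
        ctx.update(alt[i % 16:i % 16 + 1])
    # for each bit of len(pw): a NUL byte if the bit is set, else the first password byte
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching with a data-dependent mixing pattern
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return f"$1${salt}${enc}"


def verify(password: str, hashed: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return secrets.compare_digest(md5crypt(password, parts[2]), hashed)


if __name__ == "__main__":
    # constructed demo password; paste the output after "password --md5" in menu.lst
    h = md5crypt("example-only")
    print("password --md5", h)
    print("verify:", verify("example-only", h))
```

The hash is only as strong as the password behind it: MD5-crypt's 1000 rounds are cheap by current standards, so a short or guessable password remains weak even when stored in this format, and the configuration file itself should stay readable by root only.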
A user can also specify an optional argument to password. An example is provided below:
password PASSWORD /boot/grub/menu-admin.lst
A user should now see that GRUB will load /boot/grub/menu-admin.lst as a configuration file when a user enters the valid password.
There is another issue which should be taken into account. Any user can choose any menu entry, yet an administrator may want to permit only administrators to run some of the menu entries, such as an entry for booting an insecure OS like DOS.
GRUB provides the command lock for this. This command always fails until a user enters the valid password. A user can use it as provided below:
title Boot DOS
lock
rootnoverify (hd0,1)
makeactive
chainloader +1
A user should insert lock right after title, because any user can execute commands in an entry until GRUB encounters lock.
A user can also use the command password instead of lock. The boot process will then ask for the password and stop if it is entered incorrectly. Since password takes its own PASSWORD argument, this is useful if a user wants different passwords for different entries.
A user who has followed this tutorial guide will have learnt how to improve the security of GRUB.
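The three weaknesses this guide describes (no global password, a password kept in clear text, and a lock that is not the first command of its entry) are all visible in the configuration file itself, so they can be checked mechanically. The following is an added example, not code from GRUB or from this guide: a small auditor that parses a menu.lst, reports those three conditions, and is run here over a constructed sample file (the sample uses the hash printed earlier in the guide; the entry names are invented).

```python
# Added example: audit a GRUB Legacy menu.lst for the configuration weaknesses
# described in the text. Not part of GRUB; the parser is a minimal one that
# understands "title" blocks and one command per line.
from dataclasses import dataclass, field


@dataclass
class Entry:
    title: str
    commands: list = field(default_factory=list)


def parse_menu(text: str):
    """Split menu.lst into the global commands and a list of title entries."""
    global_cmds, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] == "title":
            entries.append(Entry(title=line[len("title"):].strip()))
        elif entries:
            entries[-1].commands.append(line)
        else:
            global_cmds.append(line)
    return global_cmds, entries


def audit_menu(text: str) -> list:
    """Return one human-readable finding per weakness found."""
    findings = []
    global_cmds, entries = parse_menu(text)

    # 1. no global password: anyone at the console may edit entries or open the command line
    if not any(c.split()[0] == "password" for c in global_cmds):
        findings.append("global: no password set; interactive editing and the "
                        "command line are open to anyone at the console")

    # 2. a password stored in clear text (anywhere in the file)
    for c in global_cmds + [c for e in entries for c in e.commands]:
        words = c.split()
        if words[0] == "password" and "--md5" not in words:
            findings.append(f"{c!r}: password stored in clear text; "
                            f"use 'password --md5 <hash>'")

    # 3. lock present but not the first command: everything before it runs unauthenticated
    for e in entries:
        names = [c.split()[0] for c in e.commands]
        if "lock" in names and names.index("lock") != 0:
            findings.append(f"entry {e.title!r}: {names.index('lock')} command(s) run "
                            f"before 'lock'; put lock right after title")
    return findings


# Constructed sample menu.lst for demonstration; not taken from a real system.
SAMPLE_MENU = """\
default 0
timeout 10
password --md5 $1$U$JK7xFegdxWH6VuppCUSIb.

title Linux
root (hd0,0)
kernel /vmlinuz root=/dev/sda3
initrd /initrd.img

title Boot DOS
rootnoverify (hd0,1)
lock
makeactive
chainloader +1

title Rescue shell
password letmein
kernel /vmlinuz single
"""

if __name__ == "__main__":
    for finding in audit_menu(SAMPLE_MENU):
        print("WARN", finding)
```

On the sample the auditor reports two problems: the DOS entry runs rootnoverify before lock, and the rescue entry keeps its password in clear text. Moving lock directly under title and replacing the clear-text password with a --md5 hash clears both.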