help-grub
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Grub2 Security


From: Boyce, Kevin P. (AS)
Subject: Grub2 Security
Date: Fri, 29 May 2015 17:28:17 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0

All,

I am hoping someone can help me with a grub2 configuration question. I would like to be able to secure grub menu entries from being modified. I do not want to have to enter a password to boot the system (which doesn't appear to be the current behavior of grub2 when set superusers="root" directive is used). I do not want to have to create users and associated passwords (null password is OK).

I would like everyone to be able to select either one of these two boot entries without the need for a password, but i do not want them to be able to enter command mode or edit mode in which they could boot single user mode (my Rescue enviroment is being customized for recovery purposes).

My bootloader and configuration will be permanently installed in a read-only device like ROM and never changed. I use the configfile directive to point to the real bootloader configuration on a different device I want to use.

Here is my current config file, documentation on grub2 security seems a little lacking. I recall being able to achieve this behavior by using the lock directive in legacy-grub.
Any help would be appreciated.

Thanks,
Kevin

# Load GPT Partition Support
insmod part_gpt

# Load XFS File System Support
insmod xfs

# Load EXT File System Support
insmod ext2

# Set a timeout before we pick the default
set timeout=7

# Set the default boot entry
set default="0"
set fallback="1"

# Don't want any accounts that can bypass either one of these two entries
set superusers=""

# Default boot entry redirecting to config file on RAID
# Secure without granting users permission to modify
menuentry "Redirect Boot to RAID Device" --users "" {
    search --no-floppy --set=root --label RAID
    configfile /.firmware/boot.cfg
}

# Create an entry for loading troubleshooting environment
# Secure without granting users permission to modify this entry
menuentry "Rescue" --users "" {
    search --no-floppy --set=root --label RESCUE
    linux /vmlinuz rescue
    initrd /initrd.img
}



reply via email to

[Prev in Thread] Current Thread [Next in Thread]