Set a password on the GRUB boot loader

  • May 18, 2007
  • Peter Upfold

If you're security conscious (like me) and you've got a Linux system, a dual boot system, or in fact any setup where the GRUB boot loader is installed, you may well be aware that anyone at the keyboard can edit a boot entry from the GRUB menu and pass their own arguments to the Linux kernel.

What does this mean? A kernel argument tells the kernel to do something different when it boots. For example, passing init=/bin/sh tells it to run /bin/sh as the very first process instead of the normal init, which in effect hands whoever is at the console a root shell, with no login and no password asked for.

If you're running a Linux box that's physically accessible to the public or to untrusted people (or you're just plain paranoid), this is a problem: anyone could walk up to the machine, reboot it, add that argument to a menu entry and get root on it.

Thankfully, GRUB (this article covers GRUB Legacy, the version that reads /boot/grub/menu.lst) has a handy password feature. Once it's enabled, the advanced options at the boot screen, editing an entry or dropping to the GRUB command line, are only available after the password has been entered. Without the password, all users can do is boot one of the menu entries exactly as written. Bear in mind that this only protects the GRUB menu itself: someone with physical access can still boot from removable media or take the disk out, so pair it with a BIOS boot-order lock or disk encryption if that's in your threat model.

Here's how to get it set up.

First of all, think of a good password and make an MD5-crypt hash of it (the salted $1$... format, not a plain MD5 digest), which is what gets stored in GRUB's configuration file.

Go to a terminal and run grub (if you'd rather not start the GRUB shell, the grub-md5-crypt script that ships with GRUB Legacy prompts for the password and prints the same kind of hash):

$ grub

At the GRUB prompt, use the md5crypt command to generate a hash that we'll put in the configuration file:

grub> md5crypt

md5crypt asks for the password and then prints the hash on a line beginning "Encrypted:". Copy that hash down, then quit out of grub.

grub> quit

Now, use your favourite text editor to open the /boot/grub/menu.lst file (on Red Hat-style systems the real file is /boot/grub/grub.conf and menu.lst is a symlink to it). I'm using vim here, but substitute in your favourite editor. You'll need to be root, so either su - in first, or use sudo.

# vim /boot/grub/menu.lst

Anywhere before the first title statement (probably best to put it nearer the top of the file), put this:

password --md5 $1$k1iTz1$Jntjy9L9h4DP3CxA/WkE50

Replace the hash with the one md5crypt gave you. If you leave the sample hash in, the menu will be locked with a password you don't know rather than your own.

Save the file and quit the editor. Now when you reboot, the boot menu should tell you to press p to unlock the options. Hit p and enter your password to make sure it works; once it's accepted, the advanced options (e to edit an entry, c for a command line) are enabled. If there are entries nobody should be able to boot at all without the password, such as single-user or recovery entries, add a line reading just lock directly after that entry's title line; GRUB will then refuse to boot it until the password has been given.
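The whole procedure as a script, added here as an example rather than taken from the original post: it takes a hash you already generated with md5crypt (or grub-md5-crypt), writes a single password line before the first title, optionally adds lock under entries whose title matches a pattern (recovery or single-user ones, say) so they cannot be booted without the password, and checks the result before you reboot. The function names are mine, and the menu.lst it writes in demo() is constructed sample content, not a real system's file.

```shell
#!/bin/sh
# Added example, not part of the original post: maintain the GRUB Legacy
# password directive in menu.lst from a script. Assumes the hash passed in
# came from grub-md5-crypt or the grub shell's md5crypt command.
set -eu

# Insert (or replace) a single "password --md5 HASH" line in menu file $1,
# placed before the first "title" stanza as GRUB Legacy requires.
set_grub_password() {
    menu=$1
    pw_hash=$2
    tmp=$(mktemp)
    awk -v hash="$pw_hash" '
        # Drop any existing password directive; a fresh one is written below.
        /^[ \t]*password[ \t]/ { next }
        # Emit the directive once, just before the first title.
        !done && /^[ \t]*title[ \t]/ {
            print "password --md5 " hash
            done = 1
        }
        { print }
        # A menu with no title stanzas still gets the directive at the end.
        END { if (!done) print "password --md5 " hash }
    ' "$menu" > "$tmp"
    cat "$tmp" > "$menu"   # write in place so the original inode survives
    rm -f "$tmp"
    # GRUB reads the file straight off the disk at boot, so permissions do
    # not affect booting; keep the crackable hash away from other users.
    chmod 600 "$menu"
}

# Add a "lock" line under every title matching regex $2 in menu file $1.
# A locked entry refuses to boot until the GRUB password has been entered,
# which is what you want for single-user/recovery entries. Idempotent.
lock_grub_entry() {
    menu=$1
    pattern=$2
    tmp=$(mktemp)
    awk -v pat="$pattern" '
        # Line right after a matching title: add lock unless already there.
        want_lock {
            if ($0 !~ /^[ \t]*lock[ \t]*$/) print "lock"
            want_lock = 0
        }
        /^[ \t]*title[ \t]/ { want_lock = ($0 ~ pat) }
        { print }
        END { if (want_lock) print "lock" }
    ' "$menu" > "$tmp"
    cat "$tmp" > "$menu"
    rm -f "$tmp"
}

# Return 0 when $1 has exactly one "password --md5" directive and it sits
# before the first title; run this before rebooting to trust the change.
check_grub_password() {
    awk '
        /^[ \t]*title[ \t]/ { seen_title = 1 }
        /^[ \t]*password[ \t]+--md5[ \t]/ {
            n++
            if (seen_title) misplaced = 1
        }
        END { exit !(n == 1 && !misplaced) }
    ' "$1"
}

# Walk-through on a constructed menu.lst (sample content, not a real system).
demo() {
    dir=$(mktemp -d)
    menu="$dir/menu.lst"
    printf '%s\n' 'default 0' 'timeout 5' '' \
        'title Linux' 'root (hd0,0)' 'kernel /vmlinuz root=/dev/sda1 ro' '' \
        'title Linux (recovery mode)' 'root (hd0,0)' \
        'kernel /vmlinuz root=/dev/sda1 ro single' > "$menu"
    # Sample hash from the post above; substitute your own in real use.
    set_grub_password "$menu" '$1$k1iTz1$Jntjy9L9h4DP3CxA/WkE50'
    lock_grub_entry "$menu" 'recovery'
    if check_grub_password "$menu"; then
        echo "menu.lst after edits:"
        cat "$menu"
    else
        echo "password directive missing or misplaced" >&2
    fi
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the edited sample, or source it and call set_grub_password /boot/grub/menu.lst 'HASH' as root on a real system. Both editing functions are safe to re-run: a second call neither duplicates the password line nor adds a second lock.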

If for any reason the password didn't work, or you want to remove it, just remove the password line from /boot/grub/menu.lst and the boot menu will have all options enabled by default again. GRUB reads the file straight off the disk, so if you've locked yourself out you can make that edit from a rescue CD or live system.
