OPSEC / Anonymity How to put a password on GRand Unified Bootloader (Rough)

0xOmar

Without a bootloader password, any user can enter the boot entry (kernel) editing mode and change the bootloader's settings. To rule out changes to the bootloader configuration from outside the booted system, we need to put our own password on it.
Of course, this will hardly save you from online attacks on the machine, but against ill-wishers with physical access it will do completely (although an OS on a flash drive will come to the rescue here too).

So, when we talk about GRUB password protection, these are the main things we need to know.

Firstly, there are 2 types of users: normal user and superuser (root):
  • Superuser - can create bootloader entries.
  • Normal user - can use bootloader entries.
Secondly, there are 2 types of passwords:
  • Normal password - stored in plaintext in the configuration file.
  • Encrypted password - stored as a hash produced by the PBKDF2 hashing algorithm.
Let's look at the structure of the entries that define users and superusers. You can define them in the files 00_header and 40_custom inside the /etc/grub.d/ directory.

For now, we are considering clear passwords in plain text. The user is always defined with the password keyword, followed by the username, then the password:

password user1 gfhjkm1

The user can be promoted to superuser; for this we specify:

set superusers="user1"

This makes the user privileged and gives them the right to edit records. Open the file 00_header, go down to the very bottom, locate the file segment "cat <<EOF EOF" and make changes:

QUOTE:
cat <<EOF
set superusers="user1"
password user1 passwd_1
EOF

And to complete everything, after specifying all the parameters, we need to update the grub.cfg file. For this we enter:

$ sudo grub-mkconfig -o /boot/grub/grub.cfg

============================

Of course, it is not safe to store passwords in files in clear text. You can store them encrypted (hashed) instead; the grub-mkpasswd-pbkdf2 utility is responsible for this. In the terminal we enter:

QUOTE:
$ grub-mkpasswd-pbkdf2
Введите пароль:
Повторно введите пароль:
Хэш PBKDF2 вашего пароля: grub.pbkdf2.sha512.10000.AEBDB73556619C1667319465D2E3E1899AB7B6F6FDEFF1D00D4701CC84CAA934AFDBBEA47E1EC31AAECA0D9E159C2B077B8B30D7A41D366FA952CB102D976563.373C1E4EFDBE1AD3641BA08B0CBC377D8D5BE2451CBE3C9D2450C6BBB321F58789B8441849D4034BAD86BD0C92C7D695C01D3FA8DF35CADC42D64962C30530C1

Then in the configuration file 00_header we specify everything the same, only adding the hashing algorithm suffix _pbkdf2 to the password keyword with an underscore:

QUOTE:
cat <<EOF
set superusers="user1"
password_pbkdf2 user1 grub.pbkdf2.sha512.10000.AEBDB73556619C1667319465D2E3E1899AB7B6F6FDEFF1D00D4701CC84CAA934AFDBBEA47E1EC31AAECA0D9E159C2B077B8B30D7A41D366FA952CB102D976563.373C1E4EFDBE1AD3641BA08B0CBC377D8D5BE2451CBE3C9D2450C6BBB321F58789B8441849D4034BAD86BD0C92C7D695C01D3FA8DF35CADC42D64962C30530C1
EOF

After specifying all the parameters, we again need to update the grub.cfg file:

$ sudo grub-mkconfig -o /boot/grub/grub.cfg

================================================

I'll superficially tell you about the 40_custom file, since I don't see the point in editing it at home (unless there are 10 other people using the machine besides you).
The 40_custom file is located in /etc/grub.d/. Unlike 00_header, this file allows us to fix the entries and the number of these entries and clearly control which user is responsible for what:

QUOTE:
set superusers="user1"
password user1 passwd_1
password user2 passswd_2
menuentry 'OS_#1' {
...
}
menuentry 'OS_#2' --users user2 {
...
}

Here, user1 can boot and edit any entry, all users have the right to boot OS_#1, and only user2 has the right to boot OS_#2.
This example shows users with plaintext passwords, but as in the case of 00_header, you can write encrypted PBKDF2 passwords.
All of this can also be written directly in grub.cfg, but in order not to clutter it up, it simply contains the path to 40_custom in its original form.


This is just one of the ways to password protect the bootloader. You can get by with "less bloodshed" and make all changes only in the grub.cfg file itself.
You can also go the other way and create a passwd file and reference it in grub.cfg. There are many solutions and they are as multifaceted as Linux itself.
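
The PBKDF2 hash string and the user/password lines described in this post can be checked before running grub-mkconfig. The following is an added example, not part of the original post and not GRUB's own code. The function names make_hash, verify and audit are hypothetical, the sample config is constructed, and passwords are assumed to be UTF-8 encoded.

```python
import hashlib
import hmac
import os
import re

# String format printed by grub-mkpasswd-pbkdf2:
#   grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>
HASH_RE = re.compile(r"^grub\.pbkdf2\.sha512\.(\d+)\.((?:[0-9A-Fa-f]{2})+)\.((?:[0-9A-Fa-f]{2})+)$")

def make_hash(password, iterations=10000, salt=None):
    """Build a hash string in that format (PBKDF2-HMAC-SHA512, 64-byte salt and key)."""
    salt = os.urandom(64) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{key.hex().upper()}"

def verify(password, grub_hash):
    """Return True if password matches the hash; raise ValueError if it is malformed."""
    m = HASH_RE.match(grub_hash)
    if not m:
        raise ValueError("malformed grub.pbkdf2 hash")
    salt, want = bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))
    got = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, int(m.group(1)), dklen=len(want))
    return hmac.compare_digest(got, want)

def audit(config_text):
    """List problems in the user/password lines of a 00_header or 40_custom body."""
    findings, users, supers = [], set(), set()
    for n, line in enumerate(config_text.splitlines(), 1):
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "password":
            users.add(tok[1])
            findings.append(f"line {n}: plaintext password for {tok[1]}")
        elif len(tok) >= 3 and tok[0] == "password_pbkdf2":
            users.add(tok[1])
            if not HASH_RE.match(tok[2]):  # e.g. a hash wrapped onto the next line
                findings.append(f"line {n}: malformed hash for {tok[1]}")
        elif len(tok) >= 2 and tok[0] == "set" and tok[1].startswith("superusers="):
            names = line.split("=", 1)[1].strip().strip('"')
            supers = {u for u in re.split(r"[ ,;|&]+", names) if u}
    findings += [f"superuser {u} has no password line" for u in sorted(supers - users)]
    if not supers:
        findings.append("superusers is not set")
    return findings

# Constructed sample: one plaintext user, one hash broken by a line wrap.
SAMPLE = ('set superusers="user1"\npassword user1 passwd_1\n'
          'password_pbkdf2 user2 grub.pbkdf2.sha512.10000.0A0B\n0C0D.0E0F\n')

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A hash pasted into 00_header with line breaks in the middle is reported as malformed, because the whole grub.pbkdf2 string has to sit on the same line as password_pbkdf2.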