Posts tagged grub

Debian GRUB 1 and 2 with password (UPDATED)


In Debian Lenny (Stable) the GRUB 2 version is 1.96, which still has no password support.

If you install a more recent version from Debian Squeeze (Testing), such as 1.97, you get password support.

*** This script is intended for GRUB version > 1.96, but please test it before use on production systems ***

#!/bin/sh
###
# FILE: grubpw2.sh (June 1st, 2011)
# USAGE: Set GRUB 1 and 2 superuser (root) password,
#        must be run manually after each kernel upgrade.
# AUTHOR: Olaf Reitmaier Veracierta <olafrv@gmail.com>
# REFERENCE: http://www.gnu.org/software/grub/manual/
# LICENSE: GNU/GPL v3 or superior
##

###########################
# CHANGE THIS AS YOU NEED #
###########################

# GRUB 1 (0.X) password hash, generated with grub-md5-crypt.
# Single quotes keep the $ and / characters literal, so nothing needs escaping.
grubpw='$1$whX1i/$J7lwipZAl3BkaM9b/DlEB.'
grubcf=/boot/grub/menu.lst

# GRUB 2 (1.X) password. It is stored in plain text in /etc/grub.d/01_password
# and in grub.cfg, which is why both files are made readable by root only.
GRUBPW="t0r0nd0y++"
GRUBCF=/boot/grub/grub.cfg

################################################################
# Do not edit any line below unless you know what you're doing #
################################################################

if [ -n "$1" ] && [ "$1" != "disable" ]
then
	echo "Usage: $0 [disable]" 1>&2
	exit 1
fi

# GRUB 1 (Legacy) ships /usr/sbin/grub, whose --version reports 0.9x;
# GRUB 2 does not, so a missing or non-0.x version means GRUB 2.
if grub --version 2>/dev/null | grep -q 'GRUB 0\.'
then
	echo "GRUB version 1" 1>&2

	# Drop any existing global password line, active or commented out ...
	sed -i '/^#\s*password.*$/d' "$grubcf"
	sed -i '/^\s*password.*$/d' "$grubcf"
	# ... and, unless disabling, insert the hashed one as the first line.
	if [ "$1" != "disable" ]
	then
		sed -i "1i password --md5 $grubpw" "$grubcf"
	fi
else
	# grub-setup is a GRUB 2 tool; take the minor version from output such as
	# "1.97~beta4" or "1.98+20100804-14" (this script only knows the 1.X series).
	g2ver=$(grub-setup --version 2>/dev/null | grep -o '1\.[0-9][0-9]*' | head -n 1 | cut -d. -f2)

	if [ -z "$g2ver" ] || [ "$g2ver" -le 96 ]
	then
		echo "GRUB 2 version ${g2ver:-unknown}: password support needs 1.97 or later" 1>&2
		exit 1
	fi
	echo "GRUB version 2" 1>&2

	if [ "$1" = "disable" ]
	then
		rm -f /etc/grub.d/01_password
	else
		# Generate the /etc/grub.d snippet; update-grub executes it and copies
		# its output into grub.cfg. The outer heredoc is unquoted so $GRUBPW is
		# expanded here; the inner one is written into the snippet as-is.
		cat > /etc/grub.d/01_password << DATA
#!/bin/sh
cat << EOF
# This is the superuser for grub editing!!
set superusers="root"
password root $GRUBPW
EOF
DATA
		chmod 750 /etc/grub.d/01_password
	fi

	update-grub
	chown root:root "$GRUBCF"
	chmod 600 "$GRUBCF"

	# Restrict every generated menu entry to root, or remove that restriction.
	if [ "$1" = "disable" ]
	then
		sed -i -e '/^menuentry /s/ --users .* {/ {/' "$GRUBCF"
	else
		sed -i -e '/^menuentry /s/ {/ --users root {/' "$GRUBCF"
	fi
fi

Securing GRUB Essentials


What is GRUB?

GRUB stands for GRand Unified Bootloader. To get it on your system you must install the package grub or grub2. GRUB is the replacement for the widely used but unscalable LILO (LInux LOader) and an alternative to SILO (Solaris Improved Bootloader).

GRUB Boot Menu

GRUB Loading and Booting Sequence

  1. The BIOS searches for a bootable partition (flag B in the partition table), then passes control to the MBR (Master Boot Record), a 512-byte area of the (bootable) hard disk (or other device) that holds stage 1 of GRUB.
  2. Stage 1 of GRUB loads the next stage of GRUB, which can be located physically anywhere on the hard disk (or other device). That next stage is either stage 1.5 or stage 2.
  3. Stage 1.5 of GRUB, located in the next 30 KB of the hard disk, loads stage 2. In GRUB version 2 this stage is gone!!!
  4. Stage 2 of GRUB (loaded by stage 1 or 1.5) takes control and presents the boot menu to the user.
  5. Finally, GRUB loads the compiled kernel image selected by the user into memory and passes control to it.

General Security Considerations

  1. Check your installed GRUB version with the command: grub --version
  2. Use at least an overall password for each server.
  3. Add an additional maintenance (single-user mode) menu entry with its own entry password.
  4. Don't use plain-text passwords (hash your password).
  5. Don't allow auto boot, for security and monitoring reasons (it can be a headache if you don't have on-site support).
  6. Allow only root to modify the menu.lst (or grub.cfg) file (chmod 600 && chown root:root).
  7. Install GRUB in the MBR of hd0 (first hard disk).

GRUB Version <=1 (0.97)

First you have to consider the following things:

  • Edit the file /boot/grub/menu.lst (or grub.cfg) manually.
  • You add or change GRUB menu entries by modifying the file /boot/grub/menu.lst.
  • After modification you must execute update-grub or grub-install /dev/sda.
  • You can set an overall password or one per menu entry, for menu editing, booting and other tasks, without user names, using grub-md5-crypt to generate the password hashes.

Here is an example /boot/grub/menu.lst in which there is a 123456 password (hashed with grub-md5-crypt) for overall GRUB access and a password for the Windows Vista menu entry:

default		0
timeout		5
color cyan/blue white/blue
password --md5 $1$7DuKc/$dRXPv28NnkeexF7Fb9w0Q/

title		Debian GNU/Linux, kernel 2.6.30-bpo.1-686
  root		(hd0,0)
  kernel		/vmlinuz-2.6.30-bpo.1-686 root=/dev/mapper/interno-raiz ro quiet
  initrd		/initrd.img-2.6.30-bpo.1-686

title		Debian GNU/Linux, kernel 2.6.30-bpo.1-686 (single-user mode)
  root		(hd0,0)
  kernel		/vmlinuz-2.6.30-bpo.1-686 root=/dev/mapper/interno-raiz ro single
  initrd		/initrd.img-2.6.30-bpo.1-686

title		Windows Vista/Longhorn (loader)
  password --md5 $1$7DuKc/$dRXPv28NnkeexF7Fb9w0Q/
  root		(hd0,2)
  savedefault
  makeactive
  chainloader	+1

GRUB Version <=2 (1.9)

First you have to consider the following things:

  1. Don't edit the file /boot/grub/grub.cfg manually.
  2. You add new GRUB menu entries by modifying the file /etc/grub.d/40_custom.
  3. You can modify existing entries by modifying the files in /etc/grub.d/*.
  4. The grub.cfg file is recreated automatically when running grub-mkconfig after all modifications.
  5. After running grub-mkconfig you must run grub-install /dev/sda.
  6. At least for now (31/12/2009) grub-mkpasswd-pbkdf2 for hashing passwords is experimental and buggy, and not recommended for production environments.

NOTE: /dev/sda is taken from the "(hd0) /dev/sda" line of /boot/grub/device.map; hd0 is the first disk, or in general the disk (hd0, hd1, etc.) where GRUB is or must be installed.

The /etc/grub.d/40_custom example below shows how to allow user1 to edit, modify or boot any menu entry (including those from the other /etc/grub.d/* files) and to give user2 those rights only on the custom entry (Single). Note also that user1 and user2 are not operating system users and that the passwords are not encrypted:

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.

# user1 (superuser) may use the command line and edit or boot every entry;
# user2 is only named on the entry below. Both passwords are plain text, so
# the generated grub.cfg must stay readable by root only (chmod 600).
set superusers="user1"
password user1 123456
password user2 ABCDEF

menuentry "Ubuntu, Linux 2.6.31-14-generic (Single Mode)" --users user2 {
	recordfail=1
	if [ -n ${have_grubenv} ]; then save_env recordfail; fi
	set quiet=1
	insmod ext2
	set root=(hd0,5)
	search --no-floppy --fs-uuid --set 6a17920e-57f9-4875-a06e-9f356ca724ce
	linux	/boot/vmlinuz-2.6.31-14-generic root=UUID=6a17920e-57f9-4875-a06e-9f356ca724ce ro quiet splash single
	initrd	/boot/initrd.img-2.6.31-14-generic
}
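As an added check that is not part of either post, the POSIX shell function below audits a menu.lst, grub.cfg or 40_custom file against the recommendations above: no password line at all, plain-text passwords, GRUB 2 password lines without "set superusers" (which leaves authentication off), and a timeout that auto-boots the default entry. The sample files are constructed here; the md5 hash is the one from the menu.lst example.

```shell
#!/bin/sh
# grub_audit FILE: one "WARN:" line per finding on stdout, exit status always 0.
grub_audit() {
	f="$1"
	# GRUB 2 configs carry menuentry / superusers / password_pbkdf2; GRUB 1 uses title.
	if grep -Eq '^[[:space:]]*(menuentry|set[[:space:]]+superusers|password_pbkdf2)' "$f"
	then v=2; else v=1; fi

	# 1. No password line at all: the boot menu is unprotected.
	if ! grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$f"; then
		echo "WARN: $f: no password line, boot menu is unprotected"
	fi

	# 2. Plain-text passwords. GRUB 1: "password WORD" lacking --md5.
	#    GRUB 2: "password USER WORD" (only password_pbkdf2 stores a hash).
	if [ "$v" -eq 1 ]; then
		grep -En '^[[:space:]]*password[[:space:]]' "$f" | grep -v -- '--md5' |
			sed "s|^\([0-9]*\):.*|WARN: $f:\1: plain-text password, use grub-md5-crypt|"
	else
		grep -En '^[[:space:]]*password[[:space:]]' "$f" |
			sed "s|^\([0-9]*\):.*|WARN: $f:\1: plain-text password, grub.cfg must be mode 600|"
	fi

	# 3. GRUB 2 only enables authentication once superusers names a user.
	if [ "$v" -eq 2 ] && ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$f" &&
	   grep -Eq '^[[:space:]]*password' "$f"; then
		echo "WARN: $f: password lines but no 'set superusers', authentication is off"
	fi

	# 4. Auto boot: any timeout >= 0 boots the default entry unattended
	#    (GRUB 1 "timeout 5", GRUB 2 "set timeout=5"); -1 or none waits. Take the largest value.
	t=$(sed -En 's/^[[:space:]]*(set[[:space:]]+)?timeout[[:space:]=]+"?(-?[0-9]+).*/\2/p' "$f" | sort -n | tail -n 1)
	if [ -n "$t" ] && [ "$t" -ge 0 ]; then
		echo "WARN: $f: timeout=$t, default entry boots automatically"
	fi
	return 0
}

# grub_audit_count FILE: number of findings, 0 means nothing to fix.
grub_audit_count() { grub_audit "$1" | wc -l | tr -d ' '; }

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'timeout\t\t5\npassword --md5 $1$7DuKc/$dRXPv28NnkeexF7Fb9w0Q/\ntitle\t\tDebian GNU/Linux\n' > "$tmp/menu.lst"
printf 'password user1 123456\nmenuentry "Single" --users user1 {\n\tlinux /boot/vmlinuz single\n}\n' > "$tmp/40_custom"
grub_audit "$tmp/menu.lst"   # 1 finding: timeout=5
grub_audit "$tmp/40_custom"  # 2 findings: plain-text password, no superusers
```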