Protecting GRUB

I stumbled across this neat “little” security tool that runs a bunch of checks on your system and warns if any potential problems are detected. It is called Lynis, and on Arch you can install it by executing:

pacman -S lynis

then

lynis audit system

to start an audit of your system.
It told me a number of things, but one caught my attention: “GRUB password protection”.

Now why is this important? Well, you could restrict users from booting certain OSes or recovery entries you might have set up, but for me the important thing was to protect the editing of GRUB entries. Just by adding an “S” or a “1” to the kernel line of a GRUB entry, you can boot into single-user mode and become root. Something you might want to avoid.

So how to do all this? The Arch wiki explains it quite well (as it does most things).

# Generate a grub password hash (prints a grub.pbkdf2.sha512.... string)
grub-mkpasswd-pbkdf2

# Edit the grub cfg generator files
vim /etc/grub.d/40_custom

# Add
set superusers="username"
password_pbkdf2 username <hash>
# Where <hash> is the string generated by grub-mkpasswd-pbkdf2

# Then regenerate grub.cfg
grub-mkconfig -o /boot/grub/grub.cfg

With these settings, booting any OS should now be protected.

Now, how to restrict only editing? Adding --unrestricted to a menu entry allows any user to boot that OS while preventing them from editing the entry and from reaching the GRUB command console. Only a superuser or the users named with the --users switch will be able to edit the menu entry.

So let's try this:

# I added --unrestricted to the generator for the Linux entries
vim /etc/grub.d/10_linux

# Look for the first CLASS=
# Add --unrestricted to the string

# Generate grub.cfg
grub-mkconfig -o /boot/grub/grub.cfg

# Then make sure you check the generated file
vim /boot/grub/grub.cfg

You can fine-tune this by adding it to the grub.cfg file (look for each “menuentry”), but I wanted to make it survive a grub-mkconfig and I don’t have any other Linux menu entries to worry about. If you do, this might not be the solution for you.

I tried to add it to /etc/default/grub, but didn’t find anything that could be used for this in there.

NOTE: My keyboard layout was “qwerty” instead of “azerty”; bear that in mind when typing your password.

Update

To make “--unrestricted” survive a GRUB update, edit /etc/grub.d/10_linux. Look at line 99 (this may differ on your Linux distro) and add the unrestricted flag after the class:

...
else
  echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} --unrestricted ...
fi
...

After that run

grub-mkconfig -o /boot/grub/grub.cfg

and check the result (vim /boot/grub/grub.cfg) before rebooting.
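Checking the generated file by eye is easy to get wrong, so here is an added shell example (not code from the original post, and not part of GRUB) that does the check for you: it confirms that grub.cfg carries a superuser and a PBKDF2 password line and lists every menuentry that has neither --unrestricted nor --users, since those entries will ask for the superuser password just to boot. The function name and the sample grub.cfg it runs against are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check a generated
# grub.cfg before rebooting. It confirms that 'set superusers' and a
# password_pbkdf2 line are present and lists every menuentry that carries
# neither --unrestricted nor --users, because those entries will demand the
# superuser password just to boot. Returns 0 if protection is in place,
# 1 otherwise. The function name and the sample config are constructed.
check_grub_cfg() {
    cfg="$1"
    status=0
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg"; then
        echo "FAIL: no 'set superusers=' line; entry editing and the console stay open"
        status=1
    fi
    if ! grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.sha512\.' "$cfg"; then
        echo "FAIL: no password_pbkdf2 line carrying a grub.pbkdf2.sha512 hash"
        status=1
    fi
    # Entries without --unrestricted/--users are bootable only by a superuser.
    grep -E '^[[:space:]]*menuentry[[:space:]]' "$cfg" | while IFS= read -r line; do
        case "$line" in
            *--unrestricted*|*--users*) ;;
            *) echo "NOTE: superuser password required just to boot: $line" ;;
        esac
    done
    return "$status"
}

# Constructed sample of what 40_custom plus a patched 10_linux would generate;
# the hash is a placeholder, not real grub-mkpasswd-pbkdf2 output.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
set superusers="username"
password_pbkdf2 username grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
menuentry 'Arch Linux' --class arch --class gnu-linux --unrestricted $menuentry_id_option 'gnulinux-simple' {
        linux /vmlinuz-linux root=/dev/sda2 rw
}
menuentry 'Arch Linux (fallback)' --class arch --class gnu-linux $menuentry_id_option 'gnulinux-fallback' {
        linux /vmlinuz-linux root=/dev/sda2 rw
}
EOF
check_grub_cfg "$SAMPLE_CFG" && echo "grub.cfg looks protected"
rm -f "$SAMPLE_CFG"
```

Run it as `check_grub_cfg /boot/grub/grub.cfg` after grub-mkconfig; the NOTE lines tell you which entries still need --unrestricted if you only meant to lock editing.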
