How to protect GRUB with a password (Linux)

We normally spend a good part of our time preventing unauthorized access to our machines: we configure firewalls, user permissions and ACLs, create secure passwords, etc.; but we rarely remember to protect the boot process of our machines.

If a person has physical access to the computer, they can restart it and change GRUB parameters to gain administrator access to the computer. Simply adding a '1' or 's' to the end of the GRUB 'kernel' line is enough to get that kind of access.


To avoid this, GRUB can be protected with a password, so that its parameters cannot be modified without knowing it.

If you have the GRUB boot loader installed (which is most common if you use the most popular Linux distributions), you can protect each entry in the GRUB menu with a password. In this way, every time you choose an operating system to boot, it will ask you for the password you have specified in order to boot the system. And as a bonus, if your computer is stolen, intruders won't be able to access your files. Sounds good, right?

GRUB 2

For each GRUB entry, a user can be given privileges to modify the parameters of the entries that GRUB shows when the system starts, apart from the superuser (the one who is allowed to edit GRUB entries by pressing the "e" key). We will do this in the file /etc/grub.d/00_header. We open the file with our favorite editor:

sudo nano /etc/grub.d/00_header

At the end paste the following:

cat << EOF
set superusers="user1"
password user1 password1
EOF

Where user1 is the superuser. For example:

cat << EOF
set superusers="superuser"
password superuser 123456
EOF

To create more users, add them below the line:

password superuser 123456

It would look more or less as follows:

cat << EOF
set superusers="superuser"
password superuser 123456
password user2 7890
EOF

Once we have established the users we want, we save the changes.

Protect Windows 

To protect Windows, you must edit the file /etc/grub.d/30_os-prober.

sudo nano /etc/grub.d/30_os-prober

Look for a line of code that says:

menuentry "${LONGNAME} (on ${DEVICE})" {

It should look like this (superuser being the name of the superuser):

menuentry "${LONGNAME} (on ${DEVICE})" --users superuser {

 
Save the changes and run:

sudo update-grub

I opened the file /boot/grub/grub.cfg:

sudo nano /boot/grub/grub.cfg

Then find the Windows entry (something like this):

menuentry "Windows XP Professional" {

and change it to this (user2 being the name of the user who has access privileges):

menuentry "Windows XP Professional" --users user2 {

Reboot and you are done. Now, when you try to enter Windows it will ask you for the password. If you press the "e" key, it will also ask for the password.

Protect Linux

To protect the Linux kernel entries edit the file /etc/grub.d/10_linux, and look for the line that says:

menuentry "$1" {

If you only want the superuser to be able to access it, it should look like this:

menuentry "$1" --users user1 {

If you want a second user to be able to access:

menuentry "$1" --users user2 {

You can also protect the memory test entry by editing the /etc/grub.d/20_memtest file:

menuentry "Memory test (memtest86+)" --users superuser {

Protect all entries

To protect all entries run:

sudo sed -i -e '/^menuentry /s/ {/ --users superuser {/' /etc/grub.d/10_linux /etc/grub.d/20_memtest86+ /etc/grub.d/30_os-prober /etc/grub.d/40_custom

To undo this step, run:

sudo sed -i -e '/^menuentry /s/ --users superuser {/ {/' /etc/grub.d/10_linux /etc/grub.d/20_memtest86+ /etc/grub.d/30_os-prober /etc/grub.d/40_custom
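Once update-grub has regenerated /boot/grub/grub.cfg, the result of the edits above can be checked mechanically. The following is an added example, not part of the original article: the function name audit_grub_cfg, the finding labels and the sample configuration are assumptions made for illustration. It reports passwords stored in clear text, menu entries that carry no --users option, and user names that are referenced but never given a password.

```shell
# Added example: audit a generated GRUB 2 config for the settings described above.
# Prints one finding per line, nothing when the file is clean; secrets are never echoed.
audit_grub_cfg() {
    awk '
    /^[ \t]*set[ \t]+superusers=/ {
        have_su = 1
        v = $0; sub(/^[^=]*=/, "", v); gsub(/"/, "", v)
        note_users(v)
    }
    /^[ \t]*password(_pbkdf2)?[ \t]/ {
        defined[$2] = 1
        # "password" keeps the secret in clear text; "password_pbkdf2" takes a hash from grub-mkpasswd-pbkdf2.
        if ($1 == "password") print "PLAINTEXT_PASSWORD line " NR " user " $2
    }
    /^[ \t]*menuentry[ \t]/ {
        if (match($0, /--users[ \t]+[^ \t{]+/)) {
            v = substr($0, RSTART, RLENGTH)
            sub(/--users[ \t]+/, "", v); gsub(/"/, "", v)
            note_users(v)
        } else print "NO_USERS_OPTION line " NR
    }
    function note_users(list,   n, i, a) {   # remember every user name a line refers to
        n = split(list, a, /[ ,;|&]+/)
        for (i = 1; i <= n; i++) if (a[i] != "") used[a[i]] = NR
    }
    END {
        if (!have_su) print "NO_SUPERUSERS"
        for (u in used) if (!(u in defined))
            print "UNDEFINED_USER " u " (line " used[u] ")"
    }' "$1"
}

# Constructed sample, not taken from a real system; the PBKDF2 value is a placeholder.
write_sample_cfg() {
    cat > "$1" <<'EOF'
set superusers="superuser"
password superuser 123456
password_pbkdf2 user2 grub.pbkdf2.sha512.10000.PLACEHOLDER
menuentry "Ubuntu" --users user1 {
}
menuentry "Windows XP Professional" --users user2 {
}
menuentry "Memory test (memtest86+)" {
}
EOF
}

sample=$(mktemp); write_sample_cfg "$sample"
audit_grub_cfg "$sample"; rm -f "$sample"
```

On a real system, call audit_grub_cfg /boot/grub/grub.cfg as root after running sudo update-grub.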

GRUB

Let's start by opening the GRUB environment. I opened a terminal and wrote:

grub

Then, I entered the following command:

md5crypt

It will ask you for the password you want to use. Type it and press Enter. You will get an encrypted password, which you have to keep very carefully. Now, with administrator permissions, open the /boot/grub/menu.lst file with your favorite text editor:

sudo gedit /boot/grub/menu.lst

To password-protect the GRUB menu entries of your choice, add the following to each of the entries you want to protect:

password --md5 my_password

Where my_password would be the (encrypted) password returned by md5crypt.

Before:

title Ubuntu, kernel 2.6.8.1-2-386 (recovery mode)
root (hd1,2)
kernel /boot/vmlinuz-2.6.8.1-2-386 root=/dev/hdb3 ro single
initrd /boot/initrd.img-2.6.8.1-2-386

After:

title Ubuntu, kernel 2.6.8.1-2-386 (recovery mode)
root (hd1,2)
kernel /boot/vmlinuz-2.6.8.1-2-386 root=/dev/hdb3 ro single
initrd /boot/initrd.img-2.6.8.1-2-386
password --md5 $1$w7Epf0$vX6rxpozznLAVxZGkcFcs

Save the file and reboot. That easy! To prevent a malicious person not only from changing the configuration parameters of the protected entry but also from starting that system at all, you can add a lock line to the "protected" entry, right after the title parameter. Following our example, it would look something like this:

title Ubuntu, kernel 2.6.8.1-2-386 (recovery mode)
lock
root (hd1,2)
kernel /boot/vmlinuz-2.6.8.1-2-386 root=/dev/hdb3 ro single
initrd /boot/initrd.img-2.6.8.1-2-386
password --md5 $1$w7Epf0$vX6rxpozznLAVxZGkcFcs

The next time someone wants to start that system, they will have to enter the password.

Source: delanover & makeuseof & Ubuntu Forums & elavdeveloper


  1.   Marcelo miranda said

    Hello, I want help, please, I want to protect the kernel of my android system with a password because if the device is stolen, they change the ROM and I could never recover it! If you can help me ... I have superuser access, but I want it to ask me for a pass when you put the device in download mode. Thanks in advance.

  2.   Jose damian said

    Excellent contribution. Subscribed