Protect Windows entries in Grub2 with password.

Alejandro (a.k.a KZKG^Gaara)Updated on

Comments

With a previous article we saw how to protect Grub2 so that nobody can edit it, unless it is a user with privileges.

Well, by following these simple steps we can protect any of our inputs from the Grub individually and in this way provide more security to our system. On a PC with several operating systems this is useful to prevent an intruder from accessing any of them.

Let's take as an example a computer that has installed Ubuntu 12.04 y Windows XP.

Before proceeding, make a save of the files that we are going to edit and have a LiveCD or bootable memory at hand, since in case of error we will not be able to access our computer in the normal way.

Setting Users:

For each input in Grub you can set a user, apart from the superuser (the one who has access to modify the Grub by pressing the «e» key). We will do this in the file /etc/grub.d/00_header. We open the file with our favorite editor:

$ sudo nano /etc/grub.d/00_header

At the end we put the following:

cat << EOF set superusers = "user1" password user1 password1 EOF

Where user1 is the superuser, example:

cat << EOF set superusers = "superuser" password superuser 123456 EOF

Now, to create more users we just have to add it below the line:

password superusuario 123456

It would be more or less as follows:

cat << EOF set superusers = "superuser" password superuser 123456 password user2 7890 EOF

Once we have established the users we want, we save the changes.

Protecting Windows

Before continuing with this part I have something to clarify. This article I took from me old blog, and the steps that I comment next are those that had to be carried out at the time. But today, I had to repeat them and there are small changes. I comment on them below:

Now we have to edit the file /etc/grub.d/30_os-prober. We open it with our favorite editor

$ sudo nano /etc/grub.d/30_os-prober

And we look for a line of code that says:

menuentry "${LONGNAME} (on ${DEVICE})" {

Currently the line reads:

menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os {

Which is more or less on line 100 or 151 and we leave it this way:

menuentry "${LONGNAME} (on ${DEVICE})" --users manager --class windows --class os {

We save the changes and execute:

$ sudo update-grub2

Before for this to work we had to open the file /boot/grub/grub.cfg

$ sudo nano /boot/grub/grub.cfg

Find the Windows entry (something like this):

menuentry "Windows XP Profesional" {

and leave it like this:

menuentry "Windows XP Profesional" --users usuario2 {

But it is no longer necessary, because when executing the command

$ sudo update-grub2

Changes are automatically added. Restart and voila, try to enter Windows and it will ask for the passwd. If they press the «e» key, it will also ask for a password.


4 comments, leave yours

Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   f3niX said
    ago 11 years

    Good post elav, I already try a greeting.!

    Reply to F3niX
    1.    elav said
      ago 11 years

      Thank you

      Reply to elav
  2.   satan AG said
    ago 11 years

    Interesting ... I'll have to try it.

    Reply to satanAG
  3.   leonardopc1991 said
    ago 11 years

    Interesting, I'll have to try one day

    Reply to leonardopc1991