With a previous article we saw how to protect Grub2 so that nobody can edit it, unless it is a user with privileges.
Well, by following these simple steps we can protect any of our inputs from the Grub individually and in this way provide more security to our system. On a PC with several operating systems this is useful to prevent an intruder from accessing any of them.
Let's take as an example a computer that has installed Ubuntu 12.04 y Windows XP.
Setting Users:
For each input in Grub you can set a user, apart from the superuser (the one who has access to modify the Grub by pressing the «e» key). We will do this in the file /etc/grub.d/00_header. We open the file with our favorite editor:
$ sudo nano /etc/grub.d/00_header
At the end we put the following:
cat << EOF set superusers = "user1" password user1 password1 EOF
Where user1 is the superuser, example:
cat << EOF set superusers = "superuser" password superuser 123456 EOF
Now, to create more users we just have to add it below the line:
password superusuario 123456
It would be more or less as follows:
cat << EOF set superusers = "superuser" password superuser 123456 password user2 7890 EOF
Once we have established the users we want, we save the changes.
Protecting Windows
Before continuing with this part I have something to clarify. This article I took from me old blog, and the steps that I comment next are those that had to be carried out at the time. But today, I had to repeat them and there are small changes. I comment on them below:
Now we have to edit the file /etc/grub.d/30_os-prober. We open it with our favorite editor
$ sudo nano /etc/grub.d/30_os-prober
And we look for a line of code that says:
menuentry "${LONGNAME} (on ${DEVICE})" {
Currently the line reads:
menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os {
Which is more or less on line 100 or 151 and we leave it this way:
menuentry "${LONGNAME} (on ${DEVICE})" --users manager --class windows --class os {
We save the changes and execute:
$ sudo update-grub2
Before for this to work we had to open the file /boot/grub/grub.cfg
$ sudo nano /boot/grub/grub.cfg
Find the Windows entry (something like this):
menuentry "Windows XP Profesional" {
and leave it like this:
menuentry "Windows XP Profesional" --users usuario2 {
But it is no longer necessary, because when executing the command
$ sudo update-grub2
Changes are automatically added. Restart and voila, try to enter Windows and it will ask for the passwd. If they press the «e» key, it will also ask for a password.
Good post elav, I already try a greeting.!
Thank you
Interesting ... I'll have to try it.
Interesting, I'll have to try one day