Setting a Password for the Boot Manager GRUB
Support knowledgebase (fhassel_grub_password)
Applies to
SuSE Linux: Versions since 8.1
Subject
How to set a password for the boot manager GRUB in order to block the interactive menu of GRUB and/or
prevent certain operating systems from the selection list from being booted.
Procedure
Because the boot manager GRUB reads many file systems directly, the contents of the hard disk can
be accessed from its command line during booting, before any operating system and its permission
checks are running. Even files that Linux users without root permissions cannot read once the Linux
system has started can be viewed at this stage (see "The Boot Manager Grub" (http://sdb.suse.de/en/sdb/html/fhassel_grub_overview.html)).
This access can be prevented by means of a password.
Blocking the Interactive Functions Only (All Operating Systems Can Be Booted as Usual)
Using YaST2 is the easiest way to set up a password query.
Start the YaST2 Control Center and enter the following menu:
- System --> Bootloader configuration --> Modify current configuration
In this menu you can first determine where to install GRUB: in the Master Boot Record (MBR) of the
first hard disk, on a floppy disk, in the boot sector of the boot partition or the root partition, or in
another partition.
Press Next to proceed to the Global Bootloader Properties dialog.
Mark Use password for booting and enter the password twice.
Press Next to proceed to the configuration of the Sections table, which you can
skip by pressing Next.
Select Save current configuration and press Finish in order to save the
modifications to the hard disk. The execution of GRUB commands at the boot prompt is now protected.
It will only be released after entering "p" and the password. However, all operating systems
listed in the selection menu of the boot loader can still be booted by all users.
Locking Operating System Entries
Additionally, if you want to block the selection of individual entries in the boot menu, the file
/boot/grub/menu.lst must be edited manually. Open this file in an ASCII editor of
your choice (as root). The word title introduces the sections for booting the individual
operating systems. Example:
title linux
kernel (hd0,4)/vmlinuz root=/dev/hda7 vga=791
initrd (hd0,4)/initrd
title windows
root (hd0,0)
makeactive
chainloader +1
title floppy
root (fd0)
chainloader +1
title failsafe
kernel (hd0,4)/vmlinuz.shipped root=/dev/hda7 ide=nodma apm=off acpi=off vga=normal nosmp maxcpus=0 3
initrd (hd0,4)/initrd.shipped
If you want to prevent a certain entry from being booted by unauthorized individuals,
insert the word lock under the respective section. Example:
title linux
kernel (hd0,4)/vmlinuz root=/dev/hda7 vga=791
initrd (hd0,4)/initrd
lock
The change takes effect as soon as the file is saved: GRUB reads menu.lst at boot time, so it does not need to be reinstalled.
In this example, this Linux entry can only be booted if the password is entered. Following a
reboot, if this entry is selected from the boot menu, the following message will appear:
Error 32: Must be authenticated
Press the Enter key to go to the menu in which you can enter the password by pressing
p. The locked operating system entries can now be booted.
Inserting the Password Manually
If you do not want to use YaST2 to insert the password, proceed as follows:
So that the password is not stored in clear text in menu.lst, hash it first: execute the command
grub-md5-crypt in a shell (as root). You will be asked for the password. After the
password is entered, its MD5-crypt hash is displayed:
linux:~ # grub-md5-crypt
Password:
$1$xmY1T/$wL6rbH2VC2L3ITFGiveLq.
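The following Python script is added here as an example; it is not part of the original article nor of the GRUB package. It reproduces the MD5-crypt construction that grub-md5-crypt relies on, so the shape of the string above can be understood and checked: "$1$", up to eight salt characters, "$", then 22 characters from the crypt alphabet. The eight-character default salt, the function names and the sample password are the example's own choices. Where Python still ships the crypt module, matches_system_crypt compares the result with the system crypt(3).

```python
import hashlib
import secrets

# Character set used by crypt(3)-style hashes for their base64-like encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode the low 6*count bits of value, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password, salt):
    """Return the $1$ (MD5-crypt) hash of password for the given salt.

    Follows the FreeBSD/glibc construction: a seeded MD5 state, then 1000
    rounds that alternate password, salt and the previous digest.
    """
    pw = password.encode()
    salt = salt[:8]  # MD5-crypt uses at most eight salt characters
    sb = salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    # Mix in as many bytes of MD5(pw, salt, pw) as the password is long.
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of the password length: a zero byte for a 1 bit,
    # the first password byte for a 0 bit.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # Stretching rounds that make brute force slower.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$1$" + salt + "$" + encoded


def new_salt(length=8):
    """Random salt from the crypt alphabet (length is this example's choice)."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def grub_password_line(password, salt=None):
    """Build the 'password --md5 ...' line for the global section of menu.lst."""
    return "password --md5 " + md5_crypt(password, salt or new_salt())


def matches_system_crypt(password, salt):
    """Cross-check against the platform crypt(3) where Python still provides it.

    Returns None when the crypt module or the $1$ method is unavailable.
    """
    try:
        import crypt  # removed from the standard library in Python 3.13
    except ImportError:
        return None
    reference = crypt.crypt(password, "$1$" + salt + "$")
    if not reference or not reference.startswith("$1$"):
        return None
    return reference == md5_crypt(password, salt)


if __name__ == "__main__":
    # Constructed sample password, not one used anywhere.
    print(grub_password_line("example-passphrase"))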
Append this string to the global section of the file /boot/grub/menu.lst.
The option that needs to be appended is password --md5. The section might
look as follows:
gfxmenu (hd0,0)/message
color white/green black/light-gray
default 0
timeout 8
password --md5 $1$xmY1T/$wL6rbH2VC2L3ITFGiveLq.
The changes will be adopted when the file is saved.
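The two manual edits described above, the password line in the global section and the lock keyword in individual sections, are easy to get wrong by hand (a password line inside a title section, or a lock in an entry when no password exists yet). The Python script below is an added example, not code from the original article or from the GRUB project; it edits the text of a menu.lst laid out as in this article, keeps each edit idempotent, and refuses to lock entries before a global password line is present, since a lock is only meaningful once there is a password to authenticate against. The sample menu.lst is constructed from the article's own snippets and the hash is the one shown above; function names are the example's own.

```python
import re

# Constructed sample menu.lst in the shape shown in this article (not a real file).
SAMPLE_MENU_LST = """\
gfxmenu (hd0,0)/message
color white/green black/light-gray
default 0
timeout 8

title linux
kernel (hd0,4)/vmlinuz root=/dev/hda7 vga=791
initrd (hd0,4)/initrd

title windows
root (hd0,0)
makeactive
chainloader +1

title failsafe
kernel (hd0,4)/vmlinuz.shipped root=/dev/hda7 ide=nodma apm=off acpi=off vga=normal nosmp maxcpus=0 3
initrd (hd0,4)/initrd.shipped
"""

# "$1$", 1..8 salt characters, "$", 22 hash characters: the grub-md5-crypt format.
MD5_HASH_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def split_sections(text):
    """Split menu.lst into (global_lines, [(name, lines), ...]).

    Everything before the first 'title' keyword is the global section; each
    'title' line opens an entry that runs until the next 'title'.
    """
    global_lines, entries = [], []
    current = None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and parts[0] == "title":
            name = parts[1].strip() if len(parts) > 1 else ""
            current = (name, [line])
            entries.append(current)
        elif current is None:
            global_lines.append(line)
        else:
            current[1].append(line)
    return global_lines, entries


def join_sections(global_lines, entries):
    """Reassemble the file text from the pieces produced by split_sections."""
    body = global_lines + [l for _, lines in entries for l in lines]
    return "\n".join(body) + "\n"


def set_global_password(text, md5_hash):
    """Insert or replace the 'password --md5 <hash>' line in the global section."""
    if not MD5_HASH_RE.match(md5_hash):
        raise ValueError("not an MD5-crypt hash as produced by grub-md5-crypt")
    global_lines, entries = split_sections(text)
    kept = [l for l in global_lines if not l.startswith("password")]
    while kept and kept[-1].strip() == "":  # re-add one blank separator below
        kept.pop()
    kept.append("password --md5 " + md5_hash)
    kept.append("")
    return join_sections(kept, entries)


def lock_entries(text, names):
    """Append 'lock' to the named entries once; require a global password first."""
    global_lines, entries = split_sections(text)
    if not any(l.startswith("password") for l in global_lines):
        raise ValueError("set a global password before locking entries")
    missing = set(names) - {name for name, _ in entries}
    if missing:
        raise ValueError("unknown entries: " + ", ".join(sorted(missing)))
    for name, lines in entries:
        if name in names and not any(l.strip() == "lock" for l in lines):
            idx = len(lines)
            while idx > 1 and lines[idx - 1].strip() == "":
                idx -= 1  # keep the blank line that separates entries last
            lines.insert(idx, "lock")
    return join_sections(global_lines, entries)


def locked_entries(text):
    """Names of the entries that currently contain a 'lock' command."""
    _, entries = split_sections(text)
    return [n for n, lines in entries if any(l.strip() == "lock" for l in lines)]


if __name__ == "__main__":
    hashed = "$1$xmY1T/$wL6rbH2VC2L3ITFGiveLq."  # hash shown in this article
    updated = lock_entries(set_global_password(SAMPLE_MENU_LST, hashed), {"linux", "failsafe"})
    print(updated)
```

To use it on a real system, read /boot/grub/menu.lst as root, pass its text through set_global_password and lock_entries, and write the result back only after inspecting it; as with the manual edit, the change takes effect at the next boot.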
See also:
The Boot Manager Grub
The Boot Loader Concept in SuSE Linux 8.1
Keywords: PASSWORD, BOOT, GRUB
Categories:
GRUB
SDB-fhassel_grub_password, Copyright SuSE Linux AG, Nürnberg, Germany
- Version: 24. Sep 2002
SuSE Linux AG - Last generated: 03. Dec 2002 by glazzar (sdb_gen 1.40.0)