
Thread: How To: Secure the GRUB Boot Loader

  1. #1
    Join Date
    Apr 2006
    Beans
    313

    How To: Secure the GRUB Boot Loader

    NOTE: This is an older tutorial and is focused towards GRUB 0.97, not Grub2

    After you have installed Ubuntu (or some other distributions that use Grub as their boot loader*), there are a few extra steps that you can take to ensure that your Linux installation is more secure.

    The first section explains the insecurities of the boot menu and the second section explains how to secure it.

    * ArchLinux reportedly doesn't have this issue.

    1. The Problem
    By default, anyone with physical access to your system has the ability to reboot the machine and gain administrative (root) access to your file system. No authentication is needed.

    The GRUB boot menu you see after a clean Ubuntu install looks like this:



    NOTE: You may see additional entries if you are dual-booting another operating system.

    This menu acts as follows, if you select:
    • the first entry (default), you will boot to your Ubuntu login screen
    • the second entry (recovery mode) you will boot into a root shell, which allows you full administrative access to your system
    • the third entry (memtest32+), you will boot into a memory testing application. (this entry will be ignored for the remainder of this tutorial, as I am not aware of any security issues this may pose)


    There are two issues with this menu that make it insecure:
    • the recovery mode entry boots into an administrative (root) shell with full access to your system. It does this with no authentication. (in the wrong hands, this could lead to stolen or deleted data, or the entire operating system could be destroyed)
    • the default entry can be made as insecure as recovery mode simply by passing the word single as a kernel parameter. Again, no authentication is needed to perform this action.


    How Are Kernel Parameters Passed Via The Boot Menu?
    We already know that recovery mode boots into a root shell with no kernel parameters or authentication needed (if you don't believe it, give it a try), but how do we make the default entry perform the same action?

    As simple as this:

    1. Highlight the default entry in the boot menu
    2. Press 'e' to edit boot commands
    3. Highlight the line that begins "kernel /boot/vmlinuz...", and press 'e' again
    4. Type " single" (that is a SPACE and the word single, without the quotation marks added to the end of the existing string)
    5. Press Enter
    6. Press 'b' to boot

    We have just booted into an administrative (root) shell, exactly as we would have had we selected the recovery mode entry.

    I have just demonstrated that, by default, anyone with physical access to your computer can gain root privileges by simply rebooting and manipulating the Grub boot menu. That's the bad news. The good news is that it is easy to fix!

    2. The Fix

    (NOTE: I am writing this tutorial from the perspective of an Ubuntu 7.10 user, but the premise is the same on other distributions. Feel free to substitute your favorite Command Line and Text Editor programs as needed or as you see fit.)

    Boot to your desktop as normal, and open a Terminal window (Applications -> Accessories -> Terminal)

    The GRUB boot menu configuration file is located at /boot/grub/menu.lst, so let's open that file up in our text editor. In the Terminal window type:
    Code:
    gksudo gedit /boot/grub/menu.lst
    then enter your password when prompted and a file similar to this should open:
    Code:
    # menu.lst - See: grub(8), info grub, update-grub(8)
    #            grub-install(8), grub-floppy(8),
    #            grub-md5-crypt, /usr/share/doc/grub
    #            and /usr/share/doc/grub-doc/.
    
    ## default num
    # Set the default entry to the entry number NUM. Numbering starts from 0, and
    # the entry number 0 is the default if the command is not used.
    #
    # You can specify 'saved' instead of a number. In this case, the default entry
    # is the entry saved with the command 'savedefault'.
    # WARNING: If you are using dmraid do not use 'savedefault' or your
    # array will desync and will not let you boot your system.
    default         0
    
    ## timeout sec
    # Set a timeout, in SEC seconds, before automatically booting the default entry
    # (normally the first entry defined).
    timeout         3
    
    ## hiddenmenu
    # Hides the menu by default (press ESC to see the menu)
    hiddenmenu
    
    # Pretty colours
    #color cyan/blue white/blue
    
    ## password ['--md5'] passwd
    # If used in the first section of a menu file, disable all interactive editing
    # control (menu entry editor and command-line)  and entries protected by the
    # command 'lock'
    # e.g. password topsecret
    #      password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
    # password topsecret
    
    #
    # examples
    #
    # title         Windows 95/98/NT/2000
    # root          (hd0,0)
    # makeactive
    # chainloader   +1
    #
    # title         Linux
    # root          (hd0,1)
    # kernel        /vmlinuz root=/dev/hda2 ro
    #
    
    #
    # Put static boot stanzas before and/or after AUTOMAGIC KERNEL LIST
    
    ### BEGIN AUTOMAGIC KERNELS LIST
    ## lines between the AUTOMAGIC KERNELS LIST markers will be modified
    ## by the debian update-grub script except for the default options below
    
    ## DO NOT UNCOMMENT THEM, Just edit them to your needs
    
    ## ## Start Default Options ##
    ## default kernel options
    ## default kernel options for automagic boot options
    ## If you want special options for specific kernels use kopt_x_y_z
    ## where x.y.z is kernel version. Minor versions can be omitted.
    ## e.g. kopt=root=/dev/hda1 ro
    ##      kopt_2_6_8=root=/dev/hdc1 ro
    ##      kopt_2_6_8_2_686=root=/dev/hdc2 ro
    # kopt=root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro
    
    ## Setup crashdump menu entries
    ## e.g. crashdump=1
    # crashdump=0
    
    ## default grub root device
    ## e.g. groot=(hd0,0)
    # groot=(hd0,1)
    
    ## should update-grub create alternative automagic boot options
    ## e.g. alternative=true
    ##      alternative=false
    # alternative=true
    
    ## should update-grub lock alternative automagic boot options
    ## e.g. lockalternative=true
    ##      lockalternative=false
    # lockalternative=false
    
    ## additional options to use with the default boot option, but not with the
    ## alternatives
    ## e.g. defoptions=vga=791 resume=/dev/hda5
    # defoptions=quiet splash
    
    ## should update-grub lock old automagic boot options
    ## e.g. lockold=false
    ##      lockold=true
    # lockold=false
    
    ## Xen hypervisor options to use with the default Xen boot option
    # xenhopt=
    
    ## Xen Linux kernel options to use with the default Xen boot option
    # xenkopt=console=tty0
    
    ## altoption boot targets option
    ## multiple altoptions lines are allowed
    ## e.g. altoptions=(extra menu suffix) extra boot options
    ##      altoptions=(recovery) single
    # altoptions=(recovery mode) single
    
    ## controls how many kernels should be put into the menu.lst
    ## only counts the first occurence of a kernel, not the
    ## alternative kernel options
    ## e.g. howmany=all
    ##      howmany=7
    # howmany=all
    
    ## should update-grub create memtest86 boot option
    ## e.g. memtest86=true
    ##      memtest86=false
    # memtest86=true
    
    ## should update-grub adjust the value of the default booted system
    ## can be true or false
    # updatedefaultentry=false
    
    ## should update-grub add savedefault to the default options
    ## can be true or false
    # savedefault=false
    
    ## ## End Default Options ##
    
    title           Ubuntu 7.10, kernel 2.6.22-14-generic
    root            (hd0,1)
    kernel          /boot/vmlinuz-2.6.22-14-generic root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro quiet splash
    initrd          /boot/initrd.img-2.6.22-14-generic
    quiet
    
    title           Ubuntu 7.10, kernel 2.6.22-14-generic (recovery mode)
    root            (hd0,1)
    kernel          /boot/vmlinuz-2.6.22-14-generic root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro single
    initrd          /boot/initrd.img-2.6.22-14-generic
    
    title           Ubuntu 7.10, memtest86+
    root            (hd0,1)
    kernel          /boot/memtest86+.bin
    quiet
    
    ### END DEBIAN AUTOMAGIC KERNELS LIST
    (NOTE: Again, you may see additional entries if you are dual-booting another operating system.)

    We won't need to worry about most of this file, but there are 2 sections that need to be edited to secure the boot loader. We will edit the password section first, but before that we must take one detour and create an encrypted password:

    Select the Terminal window and open a new tab (File -> New tab).

    In the new tab type:
    Code:
    grub
    and a grub> prompt will open. At the grub> prompt type:
    Code:
    md5crypt
    then type the password you want to use to secure your boot loader. Grub will display an encrypted string. This is your password in encrypted form.



    Highlight the encrypted string, then copy (SHIFT+CTRL+C) it to the clipboard.

    Then type:
    Code:
    quit
    to exit the Grub prompt.

    Now, let's go back into the menu.lst file that is open in your text editor, and find the password section that looks like this:
    Code:
    ## password ['--md5'] passwd
    # If used in the first section of a menu file, disable all interactive editing
    # control (menu entry editor and command-line)  and entries protected by the
    # command 'lock'
    # e.g. password topsecret
    #      password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
    # password topsecret
    and add a new line directly below as follows (paste the encrypted string from the clipboard with Edit -> Paste):
    Code:
    password --md5 <encrypted password>
    where <encrypted password> is the password you created in the last section.

    So, your password section should now look like this:
    Code:
    ## password ['--md5'] passwd
    # If used in the first section of a menu file, disable all interactive editing
    # control (menu entry editor and command-line)  and entries protected by the
    # command 'lock'
    # e.g. password topsecret
    #      password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
    # password topsecret
    password --md5 $1$xcLiO$4czPGUKIdo5e8Vi3nIpme0
    Half of our problems are now fixed (or they will be once the file is saved), as you can no longer pass kernel parameters without supplying your password first.

    We still need to deal with the ability to boot into recovery mode without a password because, remember...we don't need to change any kernel parameters to do that, we just select the entry and press Enter.

    Here's how we fix that:
    In the menu.lst file, find the menu options that look like this (they should be at the bottom of the file):
    Code:
    title           Ubuntu 7.10, kernel 2.6.22-14-generic
    root            (hd0,1)
    kernel          /boot/vmlinuz-2.6.22-14-generic root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro quiet splash
    initrd          /boot/initrd.img-2.6.22-14-generic
    quiet
    
    title           Ubuntu 7.10, kernel 2.6.22-14-generic (recovery mode)
    root            (hd0,1)
    kernel          /boot/vmlinuz-2.6.22-14-generic root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro single
    initrd          /boot/initrd.img-2.6.22-14-generic
    
    title           Ubuntu 7.10, memtest86+
    root            (hd0,1)
    kernel          /boot/memtest86+.bin
    quiet
    
    ### END DEBIAN AUTOMAGIC KERNELS LIST
    and add the lock command to the recovery mode entry so it looks like this:
    Code:
    title           Ubuntu 7.10, kernel 2.6.22-14-generic (recovery mode)
    root            (hd0,1)
    lock
    kernel          /boot/vmlinuz-2.6.22-14-generic root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro single
    initrd          /boot/initrd.img-2.6.22-14-generic
    The lock command requires that a password be entered before you can boot to that entry. You can add the lock command to any entry in the Boot menu if you wish to restrict who can boot to it.

    Now save the menu.lst file (File -> Save) and exit (File -> Quit)

    As an added precaution, it's also a good idea to change the permissions of the menu.lst file so that only root (and you through the sudo command) can view the file. By default it is readable and writeable by root (the owner), and readable by everyone else, as demonstrated by typing the following in a terminal window:
    Code:
    ls -la /boot/grub/menu.lst*
    (NOTE: I use the * here because there is also a backup of the file in the same directory.)

    To make the desired change type the following at the terminal window:
    Code:
    sudo chmod 600 /boot/grub/menu.lst*
    Enter your password if prompted, then rerun:
    Code:
    ls -la /boot/grub/menu.lst*
    to verify that the desired changes have been made.

    3. Verifying the Changes

    Congratulations, we are done securing the GRUB boot loader! Now let's reboot and look at what a difference our changes have made.

    When we reboot, we see the boot menu has changed a little



    it now advises us to press Enter to boot the selected OS, or press 'p' to enter a password and unlock the next set of features. We can still boot into the default entry as normal, but we cannot add kernel parameters without first entering our password.

    Likewise, if we try to boot into recovery mode without first entering our password we are greeted with an error:



    which is exactly what we want to see. Now our Linux box is a little more secure (see note below) against threats by people who have physical access to our machine.

    Please Note: While this procedure makes your system a little more secure, it does not prevent someone who has time to physically work at your machine from getting past it. This procedure makes it harder and slows an opportunistic attacker down, but given even ten minutes unattended they can get past this by booting through a Live CD or removing the hard drive and putting it into another computer. This is meant more to prevent someone from doing damage in under 60 seconds. To slow them even a little further, make sure to remove CD from your boot options in the system BIOS. Be aware that this can also easily be bypassed by someone who is left unattended with your computer.

    While I won't cover it in this how-to, you may want to also look into disk encryption to better safeguard your data.
    Last edited by munkyeetr; July 24th, 2010 at 05:28 PM. Reason: Began amending distros that don't have this issue.
    If the advice you're given in this forum solves your issue, please mark the post as [SOLVED] in consideration to others.
    Registered Linux User: 448689 | How To: Secure the GRUB Boot Loader
    [ Acer Aspire 5535 | Arch Linux x86_64 | Compiz WM ]
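
The checks from the how-to in post #1, as an added example that is not part of munkyeetr's post: a shell function that audits a GRUB 0.97 menu.lst for a missing global password and for single-user entries not protected by lock, plus a helper for the chmod 600 step. The function names, finding labels and the trimmed sample file are constructed for illustration; the ordering check assumes lock only restricts the commands that come after it in an entry.

```shell
#!/bin/sh
# Added example (not from the thread): audit a GRUB 0.97 menu.lst.

# audit_menu_lst FILE -> one finding per line; no output means the checks pass.
audit_menu_lst() {
    awk '
    function end_entry() {
        # An entry that boots with "single" needs "lock" ahead of "kernel".
        if (in_entry && single && !locked) print "UNLOCKED: " title
    }
    NF == 0 || $1 ~ /^#/ { next }   # blanks, comments, update-grub options
    $1 == "title" {
        end_entry()
        in_entry = 1; single = 0; locked = 0; seen_lock = 0
        title = $0; sub(/^[ \t]*title[ \t]+/, "", title)
        next
    }
    # A password line in the first section (before any title) is the global one.
    !in_entry && $1 == "password" {
        have_pw = 1
        if ($2 != "--md5") print "PLAINTEXT: password is not stored as an MD5 hash"
        next
    }
    in_entry && $1 == "lock" { seen_lock = 1; next }
    in_entry && $1 == "kernel" {
        for (i = 3; i <= NF; i++) if ($i == "single") single = 1
        # lock only guards the commands that follow it inside the entry.
        if (seen_lock) locked = 1
        next
    }
    END {
        end_entry()
        if (!have_pw) print "NOPASSWORD: boot commands can be edited freely"
    }' "$1"
}

# group_other_bits FILE -> group and other mode bits; "------" after chmod 600.
group_other_bits() { ls -ld "$1" | cut -c5-10; }

# write_sample FILE [hardened]: constructed input, trimmed from the how-to.
write_sample() {
    if [ "${2:-}" = hardened ]; then
        pw='password --md5 $1$xcLiO$4czPGUKIdo5e8Vi3nIpme0'; lock='lock'
    else
        pw='# password topsecret'; lock='# (no lock command)'
    fi
    cat > "$1" <<EOF
$pw
title   Ubuntu 7.10, kernel 2.6.22-14-generic
root    (hd0,1)
kernel  /boot/vmlinuz-2.6.22-14-generic root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro quiet splash
title   Ubuntu 7.10, kernel 2.6.22-14-generic (recovery mode)
root    (hd0,1)
$lock
kernel  /boot/vmlinuz-2.6.22-14-generic root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro single
EOF
}

# With a path argument, audit that file; otherwise demo on the insecure sample.
if [ -n "${1:-}" ]; then
    audit_menu_lst "$1"
else
    tmp=$(mktemp) && write_sample "$tmp" && audit_menu_lst "$tmp"; rm -f "$tmp"
fi
```

Reading /boot/grub/menu.lst after the chmod 600 step requires root, so run the audit under sudo.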

  2. #2
    Join Date
    Aug 2007
    Location
    Cluj/Kolozsvár, Romania
    Beans
    189

    Re: How To: Secure the GRUB Boot Loader

    neat idea! i'm just surprised the issue doesn't get addressed "officially".

    this might be an ubuntu (or perhaps debian?) -specific problem though. i just checked on my computer (ubuntu and arch dual boot), and while ubuntu behaves just the way pointed out by you, in arch there doesn't seem to exist a way to get into any account without the appropriate password. even with the 'single' option passed to the kernel, the system will ask for the root password during bootup (it gives the choice between entering the root password or pressing ctrl+d, which makes the switch to runlevel 3, i assume, offering a standard login prompt).

    i'm thinking that this is a big enough security issue that it should be corrected in the official release...

  3. #3
    Join Date
    Apr 2006
    Beans
    313

    Re: How To: Secure the GRUB Boot Loader

    I wonder if it is because Ubuntu doesn't actually make you create a root password, though I would think they would prompt for a valid sudo password.

    I will add that Arch doesn't have this problem to the HowTo. Thanks.

  4. #4
    Join Date
    Aug 2007
    Location
    Cluj/Kolozsvár, Romania
    Beans
    189

    Re: How To: Secure the GRUB Boot Loader

    Quote: Originally posted by munkyeetr
    I wonder if it is because Ubuntu doesn't actually make you create a root password, though I would think they would prompt for a valid sudo password.
    my thoughts exactly. i'm definitely no expert in this, but it does seem to have to do with not having a regular (secured) root account.
    if this really is the case, i don't think it would be that big of a deal to make the user have to add a root password at setup.
    (after all, the difficulty of booting ubuntu in single user mode is pretty much the same as getting into the "administrator" account in windows xp...)

    edit (one week later):
    it seems that a bios password is the only way to secure a computer from people with physical access to it, since a live distro will give anyone booting it on any machine root access to anything on the computer's hard drives once they're mounted.

    even with that, a secure root account might be a nice idea.
    or, if that is considered unimportant, perhaps it should be made clear to the users that a standard ubuntu setup gives easy access to the root account, and that this can be a security issue in some cases.
    Last edited by kaiju; March 23rd, 2008 at 09:13 PM.

  5. #5
    Join Date
    Apr 2007
    Location
    Munich, Germany
    Beans
    1,578
    Distro
    Ubuntu

    Re: How To: Secure the GRUB Boot Loader

    Nice workaround for the recovery boot option, didn't know you could lock entries. Thanks! (useful for me, since i go to school with a few other linux users, who may very well just want to mess with me)

    *EDIT* Also used it to secure my recovery partition for Vista ^^ (just for those wannabe hackers that do exist at my school...)
    Last edited by lswest; April 2nd, 2008 at 10:11 PM.

  6. #6
    Join Date
    Jan 2006
    Location
    Bristol, UK
    Beans
    275
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: How To: Secure the GRUB Boot Loader

    I actually always viewed being able to boot into single user mode as a feature, not a bug.

    Let's face it, if someone has physical access to your pc, you're pretty much already pwned. All they need to do is stick in a boot live cd or floppy and then they can do whatever they want anyway.

    Single user mode has saved me before a couple of times when I've forgotten my password or fubared my system so badly it wouldn't even get to multiuser mode.

    Sam

  7. #7
    Join Date
    Apr 2006
    Beans
    449
    Distro
    Kubuntu 11.10 Oneiric Ocelot

    Re: How To: Secure the GRUB Boot Loader

    Quote: Originally posted by kaiju
    it seems that a bios password is the only way to secure a computer from people with physical access to it, since a live distro will give anyone booting it on any machine root access to anything on the computer's hard drives once they're mounted.
    even a bios password will not help if someone gets physical access. Simply pulling the CMOS battery will reset bios passwords. The best you can hope for is to slow down someone with physical access, and even then, ten minutes is all a good tech needs to get into your system.

  8. #8
    Join Date
    Jan 2006
    Location
    Bristol, UK
    Beans
    275
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: How To: Secure the GRUB Boot Loader

    I can however see how this kind of security would be very useful in something like a library or cyber cafe, where the pcs might be configured not to boot from cd or floppy drive, and nobody is likely to get ten minutes alone to break the case lock.

    In this particular case, the last thing you want is to hand the users root access. I can see the point the op is making. Maybe this should be included in the Ubuntu livecd installer, at least as an option for power users?

    Sam

  9. #9
    Join Date
    Jan 2007
    Location
    London, UK
    Beans
    3,525
    Distro
    Ubuntu Development Release

    Re: How To: Secure the GRUB Boot Loader

    nice one with encryption!
    You came empty handed, that is how you shall leave. Whatever you claim as yours today, belonged to someone else yesterday, will be someone else's tomorrow.

  10. #10
    Join Date
    Oct 2004
    Location
    Panamá
    Beans
    1,427
    Distro
    Ubuntu Studio 9.04 Jaunty Jackalope

    Re: How To: Secure the GRUB Boot Loader

    Wow. good ones.
    "Some people says that if you run a Microsoft Midori iso backwards you will hear demon voices commanding you to worship Satan". But that's nothing. If you run it forward it will install Microsoft Midori.
