The goal that is to be achieved is the securing of Grub, that is, preventing standard users to fiddle with its terminal, edit its command lines, or enter the much-powerful recovery mode.

A fresh Quantal install was performed, which is the only operating system to be installed, and BIOS and the boot order and been taken care of, in addition to limiting users to "standard" accounts. (Physical machine intrusions are in this case not to be worried about, for it to be noted.)

https://help.ubuntu.com/community/Grub2/Passwords
http://www.gnu.org/software/grub/man.../Security.html

Beside the information contained in the above resources, it is to be noted password encryption in such a case seems unjustified, as whenever "sudo update-grub" is ran while a plaintext password is present in the "/etc/grub.d/40_custom" file, the "grub.cfg" file is rendered unreadable to standard users, which of course are lacking administrative passwords.

The objective is to design a future-proof-enough method to make it so that, even after release upgrades, and various system updates, the users are able to boot in Ubuntu without problem, although the single-user, or other such modes, are locked to them.

I have fiddled for quite a time, although I am resorting to your help to continue progressing, as progress is tedious over here.

I have edited the "40_custom file," so that official Ubuntu Grub and kernel updates would not be breaking anything, or in other words so that the system continues both to be bootable and to be protected against the most curious minds, to that effect. Ideally the system would boot straight to Ubuntu, without even prompting for a password at the Grub level, all the while password-protecting related entries and settings, although I am having difficulty at doing so.

What I have tried is gksudo-editing the "/etc/grub.d/40_custom" file through gedit, adding the following lines:

Code:
set superusers="admin_username"
password admin_username admin_password
although it seems a standard username and a corresponding password also has to be set up, then associated to the default "Ubuntu" entry only, so as for standard users to be able to enter the default "Ubuntu" entry.

I am having problems. I am hoping some of you would be able to guide me in such a way to shed light on some of these issues. What would be the simplest and most-future-proof method to be used in this case? Any help would be greatly appreciated.

Thanks in advance,
twipley