Grub 2 Password Protection

[drs305]

Hey,

I have a little problem. I need to restart my root password on Ubuntu (GRUB 1.98)

I've followed instructions elsewhere, but it hasn't worked so far. Others basically said I should edit the kernel line that begins: init=

... but I simply don't have it here.

Thanks for any advice,

Grub is a universal loader that doesn't deal with OS specific passwords. While you can add kernel options to the "linux" line in the menuentry (such as quiet, splash, nomodeset, etc I am not aware of the option that would deal with Ubuntu's root password settings. If you found one, it would be placed on the GRUB_CMDLINE_LINUX_DEFAULT="" line of /etc/default/grub.

Here is one list of available kernel options:
http://www.kernel.org/doc/Documentat...parameters.txt

[ranch hand]

Hey,

I have a little problem. I need to restart my root password on Ubuntu (GRUB 1.98)

I've followed instructions elsewhere, but it hasn't worked so far. Others basically said I should edit the kernel line that begins: init=

... but I simply don't have it here.

Thanks for any advice,

If you mean that you must reset your root password take a look at;

Code:

man passwd

You will need to have a live CD (or another install on your box) and chroot to your install to use the commands to change a root pass word.

[snooffy]

This is exactly what I was looking for, protected all entries for recovery.

I'm using GRUB 1.98 on Lucid Lynx and this guide worked flawlessly.

Thanks a lot!

The question is, if someone would boot up the machine from a live CD will the still be able to change the GRUB configuration files and gain the root access that way?

[drs305]

The question is, if someone would boot up the machine from a live CD will the still be able to change the GRUB configuration files and gain the root access that way?

Yes they would. Physical access to a computer normally trumps security measures.

You could add a BIOS password (if your BIOS allows it) so that access to any OS or CD is restricted, adding an extra level of security.

[georgemc]

DRS305: Thank you for this excellent guide.


I can confirm that this all works with GNU GRUB version 1.99-9


I also used this as a reference:


http://www.gnu.org/software/grub/manual/html_node/index.html


Section:
15 Authentication and authorisation
21 Invoking grub-mkpasswd-pbkdf2


Straying a little from your guide, I added this at the end of 00_header:

Code:

 cat <<EOF
     set superusers="root"
     password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
 EOF

For the “biglongstring” use “password_pbkdf2” and cut&paste.


And then I changed the menuentry's in 10|20|30 files to:

Code:

 printf "menuentry –users '' '${title}' ${CLASS} {\n" "${os}" "${version}"
 and
 menuentry –users “” "${LONGNAME} (${2}-bit) (on ${DEVICE})" {

You need to be careful with your quoting, inside the printf statement you need to use single quotes.


By giving a “NULL string” to the “–users” options you only need to change the 00_header file when you change the password and then run update-grub.


On a multi-boot setup your can have different users for the different OS's, therefore the idea to sync the passwords up with the password file is definitely worth while to look into.


Of course all of this can be by-passed by simply using a CD/DVD like “super grub”, “plop”, or a “live CD”. Again the old adage “physical access = root access” applies. However, I fell it adds yet another layer to the onion called “security”; let them work for the access.


Happy to contribute.


George

[drs305]

I can confirm that this all works with GNU GRUB version 1.99-9

Happy to contribute.

George

Thanks for the information. Good to know it still works in 1.99.

I'll try to digest your post and update the original post (with credit of course) if needed.

Update: Revised Section 7 on encrypted passwords.

[ignisterra]

I am new and it's been a long time there was no comment on this topic but I have a little question on the section about how to secure "Recovery Entries" for linux.

Password protect the Recovery Mode option: /etc/grub.d/10_linux Also make the change as described in the /etc/grub.d/00_header section above.
From (GNU GRUB 1.98-1ubuntu5):
Quote:
printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
To:
Quote:
if ${recovery} ; then
printf "menuentry '${title}' --users user1 ${CLASS} {\n" "${os}" "${version}"
else
printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
fi

I've changed the line printf "menuentry ... by the others but it doesn't work.
It was written: printf "menuentry '${title}' --users user1 ${CLASS} {\n" "${os}" "${version}" but I wonder if it was rather that: printf "menuentry --users user1 '${title}' ${CLASS} {\n" "${os}" "${version}" ?

Thank you in advance.

[drs305]

ignisterra

Welcome to the Ubuntu Forums.

As you found out, this guide was written when Grub 1.98 was very young. Thanks for pointing out that things have changed a bit, even in this older version of Grub.

I booted an old copy of Lucid, which still uses Grub 1.98, and updated it to the current Grub 1.98 package.

The entry in 00_header does not appear to have changed, however the 10_linux entry is indeed a bit different now.

This is what I show as the default Grub 1.98 /etc/grub.d/10_linux default entry linux (approximately line 70).

if ${recovery} ; then
title="$(gettext_quoted "%s, with Linux %s (recovery mode)")"
else
title="$(gettext_quoted "%s, with Linux %s")"
fi
printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"

I wasn't sure about the exact format of your suggestion, so I just did some experimenting. The way I got it to work was to edit the "printf" line to include the user, add the that line in each conditional section, and remove it from the end. This is what worked for me (for user drs305):

if ${recovery} ; then
title="$(gettext_quoted "%s, with Linux %s (recovery mode)")"
printf "menuentry '${title}' ${CLASS} --users drs305 {\n" "${os}" "${version}"
else
title="$(gettext_quoted "%s, with Linux %s")"
printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
fi

Don't forget to update-grub, and if you need to make sure you are using Grub 1.98 just run "grub-install -v".

If this works for you please let me know and I'll update the first post.

[drs305]

Thread Closed.

This page has been migrated to the Ubuntu Community Documentation site. For the most up-to-date information, please visit:
https://help.ubuntu.com/community/Grub2/Passwords

The above page is a sub-page of the main community documentation regarding Grub2.

Thank you to all the users who posted in these threads and expanded our knowledge of Grub 2 since it's introduction.

A thread for discussion of the wiki can be found at http://ubuntuforums.org/showthread.php?p=12073029


Support threads regarding the wiki and it's content should be created in a suitable forum.