Monday, April 26, 2010

Password-protect the GRUB boot loader

GRUB provides access to a boot loader command prompt. This special command prompt is used to issue commands that override the kernel's boot process, for a variety of reasons. From this command prompt a user with console access could also issue commands to change the boot process and gain root access. To prevent this you need to password-protect the boot loader's command prompt.

Generate a hashed password

deby:~# grub-md5-crypt
Password:
Retype password:
$1$97T9Y/$0y1o5CCyci7TPM5SX.2rG0
You will need to add the following line to /boot/grub/menu.lst (or replace the existing password line; note that the option takes two dashes):
password --md5 $1$97T9Y/$0y1o5CCyci7TPM5SX.2rG0
This locks down interactive editing in GRUB: at the boot menu you now have to press the 'p' key and enter the correct password before the advanced options (editing entries or using the command line) become available.

Lock down specific menu entries

If you want to lock down specific menu entries, so that nobody without the correct password can boot them, add the word lock on a separate line immediately after the title line of each such entry:
title     Debian GNU/Linux, kernel 2.6.26-2-686 (single-user mode)
lock
root      (hd0,0)
kernel    /boot/vmlinuz-2.6.26-2-686 root=/dev/sda1 ro single
initrd    /boot/initrd.img-2.6.26-2-686

Secure menu file

By default /boot/grub/menu.lst can be read by everyone:
deby:~# ls -l /boot/grub/menu.lst
-rw-r--r-- 1 root root 3967 2010-04-25 22:57 /boot/grub/menu.lst
Let's fix that (o-o removes from the "others" class every permission bit it currently has, equivalent to o-rwx here):
deby:~# chmod o-o /boot/grub/menu.lst
...
user1@deby:~$ cat /boot/grub/menu.lst
cat: /boot/grub/menu.lst: Permission denied
Read more about how to harden GNU/Linux against local intrusions here.
