Securing GRUB

Problem:

GRUB, the standard Linux bootloader, allows one to pass a number of options to init while booting. One such option is single, allowing the user to boot the system into single user mode for certain recovery tasks. Unfortunately, this allows anyone with physical access to the machine to obtain full root access.

Solution:

GRUB allows the user to create an MD5-hashed password, which must then be used to either boot the system or edit the boot configuration, thus preventing any unwanted access to root via GRUB.

HOWTO:

• From a terminal, run grub. At the grub> prompt, enter md5crypt, followed by your desired password. Copy the generated md5 hash.
• Edit /boot/grub/menu.lst (or /boot/grub/grub.conf) and add the following line somewhere above any kernel entries:

password --md5 $1$MgXJ6$N.qWN.9FuTR/sIiPemHXs1
lockalternative=true

This will require the user to enter the password which generated the specified hash in order to edit any of grub's menu entries.

Furthermore:

This is merely a first step towards physically securing a linux system. One might also set the hard drive to be the first boot device, set a password on the BIOS, and take steps towards securing the case and its contents from tampering.

Last updated in October 2007 by Nathan Gamber