How to set grub 2 password protection

  1. Introduction to Grub 2 Basic Password Protection
    • This is basic password security. The username and password are stored unencrypted in /etc/grub.d/00_header and, after update-grub, in /boot/grub/grub.cfg; anyone who can read those files (typically every local user on a default install, and anyone with physical access who boots the machine from a LiveCD) can recover the password or simply edit the protection away. Encrypted password protection is on the horizon and available in an experimental version of Grub 2 (see "The Future" section below).
    • Grub 2 can set password protection on specific menuentries and for specific users. For example, “John” can access Ubuntu but not the Windows recovery mode, which is only accessible by “Bill”, the superuser.
    • Password protection of menuentries has not yet been automated. Menuentries must be identified manually by editing the Grub 2 /etc/grub.d/ scripts such as 10_linux and 30_os-prober.
    • If password protection is enabled, even if for only one entry, and even if not for the superuser, the superuser name and password are required to gain access to the Grub 2 command line and menu-editing modes.
    • The username and/or password do not have to be the same as the Ubuntu logon name/password.
    Password protection in Grub 2 is still being developed and its behavior may change in future updates. In this guide, when the term "Grub 2" is used it refers to the version of Grub 2 (grub-pc) available in the main Ubuntu repository. This is currently 1.97~beta4-1ubuntu4. Any time Grub 2 is updated, the user should check whether their password protection is still working as expected. These instructions are primarily for 1.97~beta. Advanced capabilities such as encrypted passwords, which were introduced in Grub 1.98, are still being worked on. Some of the advancements work well while others do not. The version of Grub found in Karmic is not expected to be updated to 1.97 or 1.98, although significant bugs will be fixed when possible.
  2. How It Works
    • To enable basic password protection, the user/administrator must add a superuser (and other users if desired) and password(s) to the /etc/grub.d/00_header file and manually designate which menuentries require a password in the /etc/grub.d/ files.
    • The Grub 2 menu can include both password-protected and non-protected entries.
    • Once the password feature is enabled the Grub 2 menu will appear as it does normally. When a selection requiring a password is made, the user will be prompted to enter the correct username and password. If entered correctly, the selected menuentry will continue to boot. If incorrect, the user will be returned to the Grub 2 menu.
    • If Grub 2 is set up to boot directly to a password-protected menuentry without displaying a menu, the username/password prompt will appear and booting will not occur until they are correctly entered.
    • Here is a sample menu with passwords enabled, provided by one of the Grub 2 developers:
      • user1 is the designated superuser. This user can boot any menuentry, edit items in the Grub 2 menu during boot, and use the Grub 2 command line.
      • Anyone can boot GNU/Linux
      • Only user2 and the superuser can boot Windows in this example.

      set superusers="user1"
      password user1 password1
      password user2 password2
      
      menuentry "GNU/Linux" {
      set root=(hd0,1)
      linux /vmlinuz
      }
      
      menuentry "Windows" --users user2 {
      set root=(hd0,2)
      chainloader +1
      }
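      A quick way to confirm what a generated configuration actually enforces is to parse the lines that matter (set superusers, password, password_pbkdf2, menuentry ... --users) rather than reading the whole grub.cfg by eye. The following audit script is an added example written for this page, not code from the Grub 2 project; the sample configuration embedded in it is constructed from the menu above (with a second, hashed password line added, its hash value shortened and not real), and the "anyone may boot" default it assumes for entries without --users is the behaviour of the Grub 2 version this page describes.

```python
import re

# Constructed sample, not a real grub.cfg: the page's example menu plus a second
# password line in the hashed form (the hash value is shortened, not a real hash).
SAMPLE_CFG = """\
set superusers="user1"
password user1 password1
password_pbkdf2 user2 grub.pbkdf2.sha512.10000.AABB.CCDD

menuentry "GNU/Linux" {
set root=(hd0,1)
linux /vmlinuz
}

menuentry "Windows" --users user2 {
set root=(hd0,2)
chainloader +1
}
"""

SUPERUSERS_RE = re.compile(r'''^\s*set\s+superusers=(?:"([^"]*)"|'([^']*)'|(\S+))''')
MENUENTRY_RE = re.compile(r'''^\s*menuentry\s+(?:"([^"]*)"|'([^']*)')(.*)\{\s*$''')
USERS_RE = re.compile(r'''--users[=\s]+(?:"([^"]*)"|'([^']*)'|(\S+))''')
LIST_SEP = re.compile(r"[,;|&\s]+")  # separators GRUB accepts in user lists


def split_users(raw):
    """'user1, user2' -> ['user1', 'user2']"""
    return [u for u in LIST_SEP.split(raw.strip()) if u]


def audit_grub_cfg(text):
    """Parse the authentication-relevant lines of a grub.cfg.

    Returns {'superusers': [...], 'passwords': {user: 'plaintext'|'pbkdf2'},
             'entries': [(title, allowed)]} where allowed is the sorted list of
    users who may boot the entry, or ['*'] when no --users option restricts it
    (the default in the Grub 2 version this page describes)."""
    superusers, passwords, entries = [], {}, []
    for line in text.splitlines():
        m = SUPERUSERS_RE.match(line)
        if m:
            superusers = split_users(next(g for g in m.groups() if g is not None))
            continue
        words = line.split()
        if len(words) >= 3 and words[0] in ("password", "password_pbkdf2"):
            passwords[words[1]] = "plaintext" if words[0] == "password" else "pbkdf2"
            continue
        m = MENUENTRY_RE.match(line)
        if m:
            title = m.group(1) if m.group(1) is not None else m.group(2)
            u = USERS_RE.search(m.group(3))
            if u:
                listed = split_users(next(g for g in u.groups() if g is not None))
                allowed = sorted(set(listed) | set(superusers))  # superusers can boot anything
            else:
                allowed = ["*"]
            entries.append((title, allowed))
    return {"superusers": superusers, "passwords": passwords, "entries": entries}


def findings(text):
    """Return the problems a reviewer would flag for this configuration, in order found."""
    a = audit_grub_cfg(text)
    problems = []
    if not a["superusers"]:
        problems.append("no superusers set: menu editing and the command line are open to anyone")
    for user, kind in a["passwords"].items():
        if kind == "plaintext":
            problems.append("password for %s is stored in cleartext" % user)
    for user in a["superusers"]:
        if user not in a["passwords"]:
            problems.append("superuser %s has no password line" % user)
    for title, allowed in a["entries"]:
        for user in allowed:
            if user != "*" and user not in a["passwords"]:
                problems.append("entry %r names user %s who has no password line" % (title, user))
    if a["entries"] and all(allowed == ["*"] for _, allowed in a["entries"]):
        problems.append("no menuentry is password-protected")
    return problems


if __name__ == "__main__":
    for title, allowed in audit_grub_cfg(SAMPLE_CFG)["entries"]:
        print("%-12s bootable by: %s" % (title, ", ".join(allowed)))
    for p in findings(SAMPLE_CFG):
        print("WARNING:", p)
```

      Run it against /boot/grub/grub.cfg after every update-grub; for the sample above it lists GNU/Linux as bootable by anyone, Windows as bootable by user1 and user2, and warns that user1's password is in cleartext.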
  3. Warnings & Cautions
    • Errors in creating a password-protected Grub 2 menu may result in an unbootable system. To restore a system with broken passwords, access and edit the Grub 2 configuration files using the LiveCD or another OS.
    • If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing "e" or use the command line by pressing "c".
    • Caution: If Grub 2 is set up to boot automatically to a password-protected menuentry the user has no option to back out of the password prompt to select another menuentry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem.
    • Scope: a Grub 2 password only controls what the Grub 2 menu will boot and who may edit it. It does not protect the data on the disk, and the same LiveCD that rescues a broken configuration will also bypass it. Pair it with a firmware (BIOS) password that locks the boot order, and with disk encryption if the data itself must be protected.
  4. Setting Up Password Protection
    There are three steps to enabling Grub 2 password protection. The user must set up the authorized users, designate the password(s), and identify the password-protected menuentries in the /etc/grub.d/ scripts.
    A. Superuser & Password Designation (Required)
      A superuser must be designated. This superuser can access any menuentry, edit the menuentries in the Grub 2 menu by pressing "e", or invoke the Grub 2 command line mode. Add the following to the bottom of /etc/grub.d/00_header:
      cat << EOF
      set superusers="user1"
      password user1 password1
      EOF
      Example:
      cat << EOF
      set superusers="superman"
      password superman 1234
      EOF
    B. Other Users (Optional)
      Other users can be identified and given a password. A designated user can boot the unprotected menuentries and any menuentry whose --users list names him/her; the superuser can boot everything. With an extra user the block at the bottom of /etc/grub.d/00_header looks like this (only the last password line is new):
      cat << EOF
      set superusers="user1"
      password user1 password1
      password user2 password2
      EOF
      Example:
      cat << EOF
      set superusers="superman"
      password superman 1234
      password bill 5678
      EOF
    C. Designating Menuentries for Password Protection
      Once the superuser/other users and their password(s) are established, the entries to be protected must be identified. Currently Grub 2 adds no password protection to any entries upon establishment of a superuser and password in /etc/grub.d/00_header. (Note: This may change. See "The Future" section below.) Each menuentry must be identified and modified. Scripts can be used to tailor entries for specific menuentries. See the "Scripts" section for examples. The remainder of this section explains how to change the main script files in /etc/grub.d/ to set up password protection for entire classes of menuentries (Linux on the main partition, OSs on other partitions, memtest86+, etc). Remember that editing the /boot/grub/grub.cfg file directly is discouraged: update-grub overwrites it. For protecting specific menuentries, another option is to add entries to the /etc/grub.d/40_custom file and disable the applicable script file in the same folder. For example, copy the Windows entries from /boot/grub/grub.cfg to 40_custom, add "--users user1" to the desired entry (such as the Windows recovery partition) and then remove the executable bit from /etc/grub.d/30_os-prober. Save the files, run "sudo update-grub", and reboot.
      • Password protect all Linux kernels on the main partition: /etc/grub.d/10_linux (approximately line 59). From:
        menuentry "$1" {
        To allow the superuser only:
        menuentry "$1" --users user1 {
        Example to permit access by only the superuser (superman):
        menuentry "$1" --users superman {
        Example to permit access by the superuser (superman) and bill (the superuser is always allowed, so only bill needs to be listed):
        menuentry "$1" --users bill {
      • Password protect the memtest86+ option: /etc/grub.d/20_memtest86+ (approximately line 27). Make the change as described in the /etc/grub.d/10_linux section above:
        menuentry "Memory test (memtest86+)" --users superman {
        Additional memtest86+ entries (from other partitions) may also be located in this file. The line will start with "menuentry". Change these lines as desired.
      • Password protect kernels/operating systems on other partitions: /etc/grub.d/30_os-prober. Make the change(s) as described in the /etc/grub.d/10_linux section above.
        Linux entries on other partitions (approximately line 136):
        menuentry "${LLABEL} (on ${DEVICE})" --users superman {
        Other Operating Systems, including Windows (approximately line 100):
        menuentry "${LONGNAME} (on ${DEVICE})" --users superman {
        OSX entries (in the macosx section, approximately line 156):
        menuentry "${LONGNAME} (on ${DEVICE})" --users superman {
  5. Protecting All Entries
    Grub 2 password protection is still evolving. Currently password protection must be assigned to each menuentry. Protecting the entire menu from editing ("e") and from the command line ("c") can be accomplished by adding the superuser and password without designating a specific menuentry. For now, there is no automatic method in Grub 2 to password-protect every menu item. At some point it is expected that this feature will be incorporated in grub-mkconfig. For now this can be accomplished by running the following command(s). Before rebooting make sure you have added the superuser and password to /etc/grub.d/00_header and inspect /boot/grub/grub.cfg to ensure you achieved the desired results. Notes:
    • The way Grub 2 assigns password protection may change. Currently the default is for menuentries to be unlocked. The developers are considering making the passwords mandatory for all entries once a superuser is designated. The superuser would then be able to unlock entries. If this feature is incorporated in the Ubuntu version of Grub 2 I will update these instructions. (Later Grub 2 releases, 2.00 onward, did adopt this model: once superusers is set, a menuentry that has neither --users nor --unrestricted can be booted only by a superuser.)
    • The first two commands make backups of the files to be modified.
    • filename(s) should be replaced by the specific script file names you wish to change. These files are located in /etc/grub.d/ and include 10_linux, 20_memtest86+, and 30_os-prober. You can include one or more in the commands.
    • The sed command changes every line that begins with "menuentry" and contains " {", and it is not idempotent: running it a second time on the same file produces "--users user1 --users user1". Run "grep -n '^menuentry' filename" first to see which lines will change, and again afterwards to confirm the result.
    sudo mkdir /etc/grub.d.backup
    sudo cp /etc/grub.d/* /etc/grub.d.backup
    sudo sed -i -e '/^menuentry /s/ {/ --users user1 {/' filename(s)
    Example:
    sudo sed -i -e '/^menuentry /s/ {/ --users superman {/' /etc/grub.d/10_linux  /etc/grub.d/20_memtest86+ /etc/grub.d/30_os-prober /etc/grub.d/40_custom
    To undo the previous command, run:
    sudo sed -i -e '/^menuentry /s/ --users user1 {/ {/' filename(s)
    Example:
    sudo sed -i -e '/^menuentry /s/ --users superman {/ {/' /etc/grub.d/10_linux  /etc/grub.d/20_memtest86+ /etc/grub.d/30_os-prober /etc/grub.d/40_custom
    Save the files, run "sudo update-grub", and reboot. At the Grub 2 menu, you will be presented with the normal menu. When you make a selection, a prompt will ask for the username and password.
  6. Examples
    Password Protect the Windows Recovery Partition
    1. Determine the Windows Recovery partition (sda1, sda2, etc).
    2. Add the desired username and password as described in Section 4A and 4B to /etc/grub.d/00_header.
    3. Make a backup and open /etc/grub.d/30_os-prober for editing:
      cd /etc/grub.d/
      sudo cp 30_os-prober 30_os-prober.bak # Make a backup copy
      sudo chmod -x 30_os-prober.bak        # Remove the executable bit so update-grub ignores the backup
      gksu gedit 30_os-prober &
    4. Change the following (approximately line 100). From:
      cat << EOF
      menuentry "${LONGNAME} (on ${DEVICE})" {
      EOF
      To (quote the variable so an empty or unusual DEVICE cannot break the test):
      if [ "${DEVICE}" = "/dev/sdXY" ]; then
      cat << EOF
      menuentry "${LONGNAME} (on ${DEVICE})" --users user1 {
      EOF
      else
      cat << EOF
      menuentry "${LONGNAME} (on ${DEVICE})" {
      EOF
      fi
      Example setting protection on sda2 for user superman:
      if [ "${DEVICE}" = "/dev/sda2" ]; then
      cat << EOF
      menuentry "${LONGNAME} (on ${DEVICE})" --users superman {
      EOF
      else
      cat << EOF
      menuentry "${LONGNAME} (on ${DEVICE})" {
      EOF
      fi
    5. Save the file, then run:
      sudo update-grub
      Check /boot/grub/grub.cfg afterwards: the recovery entry should now carry "--users" and the other Windows entries should not.
    Note: See the Grub 2 Title Tweaks thread if you want to remove the Windows Recovery option from the menu entirely. You can use the same concept on other menuentries. Rather than testing the partition designation ${DEVICE}, you could test another unique identifying variable, such as the title variable; which one applies depends on the operating system, and examples include ${LONGNAME} or ${LLABEL}.
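    The sed one-liners of section 5 and the conditional edit of this example both boil down to "add --users to the menuentry lines I choose, and nothing else". The script below is an added example written for this page, not code from the Grub 2 project; it does that job on a copy of /boot/grub/grub.cfg (or on an /etc/grub.d script) so the result can be pasted into 40_custom as section 4C suggests. Unlike the sed, it skips lines that already have --users, so it can be re-run safely, and it accepts a title pattern so that only one entry (here the one "(on /dev/sda2)") is protected. The configuration text embedded in it is constructed for the example, with made-up device names and kernel version.

```python
import re

# Constructed sample of the kind of lines update-grub writes to /boot/grub/grub.cfg
# (device names and kernel version are made up for the example).
SAMPLE_CFG = """\
menuentry "Ubuntu, Linux 2.6.31-14-generic" {
\tlinux /boot/vmlinuz-2.6.31-14-generic root=/dev/sda1 ro quiet splash
}
menuentry "Ubuntu, Linux 2.6.31-14-generic (recovery mode)" --users bill {
\tlinux /boot/vmlinuz-2.6.31-14-generic root=/dev/sda1 ro single
}
menuentry "Windows 7 (on /dev/sda3)" --class windows {
\tchainloader +1
}
menuentry "Windows Recovery Environment (on /dev/sda2)" {
\tchainloader +1
}
"""

# group 1: 'menuentry "title"', group 2: options already present, group 3: the opening brace
MENUENTRY_RE = re.compile(r'''^(\s*menuentry\s+(?:"[^"]*"|'[^']*'))(.*?)(\s*\{\s*)$''')
USERS_RE = re.compile(r'''(?:^|\s)--users[=\s]+(?:"[^"]*"|'[^']*'|\S+)''')


def protect_entries(text, user, title_pattern=None):
    """Add '--users USER' to each menuentry line whose 'menuentry "title"' part matches
    title_pattern (a regex; None means every entry). Lines that already carry a --users
    option are left untouched, so running this twice changes nothing."""
    out = []
    for line in text.split("\n"):
        m = MENUENTRY_RE.match(line)
        if (m and not USERS_RE.search(m.group(2))
                and (title_pattern is None or re.search(title_pattern, m.group(1)))):
            line = "%s%s --users %s%s" % (m.group(1), m.group(2), user, m.group(3))
        out.append(line)
    return "\n".join(out)


def unprotect_entries(text, user):
    """Remove '--users USER' again from every menuentry line (the undo step)."""
    token = re.compile(r'''\s--users[=\s]+["']?%s["']?(?=\s)''' % re.escape(user))
    out = []
    for line in text.split("\n"):
        if MENUENTRY_RE.match(line):
            line = token.sub("", line, count=1)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    # Protect only the Windows Recovery partition on sda2 for the superuser "superman".
    print(protect_entries(SAMPLE_CFG, "superman", r"\(on /dev/sda2\)"))
```

    Paste the printed entries into /etc/grub.d/40_custom, remove the executable bit from 30_os-prober so the unprotected copies are not generated a second time, then run sudo update-grub and inspect the result with grep -n '^menuentry' /boot/grub/grub.cfg.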
  7. Password Encryption
    • Encrypted password protection using PBKDF2 is available but for me still a bit buggy in Lucid (Grub 1.98). Hashing the password keeps it out of /etc/grub.d/00_header and /boot/grub/grub.cfg in readable form; it changes nothing else about the limits described in the Warnings section. If you are going to experiment with encrypted passwords, make sure you have at least one good non-password protected menuentry to boot or you may not be able to log on if you encounter problems. To generate an encrypted password:
    • grub-mkpasswd-pbkdf2
      The command asks for the password twice and prints one long string beginning with grub.pbkdf2.sha512. Paste that entire string, unbroken, after the username; a truncated string is not accepted by password_pbkdf2 and leaves the superuser without a working password. The entry in /etc/grub.d/00_header would look similar to:
      set superusers="drs305"
      password_pbkdf2 drs305 <entire string printed by grub-mkpasswd-pbkdf2>
    • Note: I have been able to get the password function to work in Grub 1.98-20100128 only by using the console mode. With the default gfxmenu mode I have been experiencing hang-ups at the Grub 2 menu. I recently filed this bug report.
    • To enable the console mode, use this line in /etc/default/grub: GRUB_TERMINAL=console

3 comments:

  1. Dude, do you know how to run an antivirus using a live cd or usb on a windows operating system?

  2. For Grub2

    grub-mkpasswd-pbkdf2

    Type your password.

    Confirm your password.

    Goto: /etc/grub.d and type gedit 00_header

    At the end of the file on the last line that says:

    fi

    Do a carriage return and input.

    cat << EOF
    set superusers="YOURUSERNAME"
    password_pbkdf2 YOURUSERNAME
    EOF

    Save the file and reboot. Enjoy new password protected Grub2 with minimum of fuss and no having to do funky stuff like enable terminal.

  3. It cut off this bit on line =
    password_pbkdf2 YOURUSERNAME PASTE YOUR PASSWORD LINE.
