By default, the Grub boot loader allows anyone with access to the computer at boot time to set the runlevel, or change the boot parameters, which can allow them to influence the init process and which kernel image is loaded. Anyone with access to the boot prompt can therefore bypass security controls and control which software is loaded. For example, rebooting to runlevel 1, known as single user mode, gives the user root priveleges without the need for a password! Obviously, giving a non-administrator this much control can be dangerous, and it is wise to protect the boot loader with a secure password.
We will need to choose a password, encrypt with the grub programs hash utility(called md5crypt), and add the encrypted hash of your password to the grub configuration file, /etc/grub.confFirst, choose a suitable password.
{{Admon/warn|Do not forget it, or lose the GRUB password|If you lose the GRUB password you will not be able to change boot parameters when you boot your the system! . If you need to write it down, put it in a safe place, where no one will be able to tell what it is for. Open the grub program by typing the command: grub}}
# Choose a suitable password. # Open the grub program by typing the command: <code>grub</code># At the grub prompt, type in the command: md5crypt# When prompted for a password, carefully type in your password. The program will display the encrypted hash of your password. Carefully write down the encrypted has.# Type the command: <code>quit</code> to exit the grub program.# Open the grub configuration file, <code>/etc/grub.conf<code> for editing. (This file is actually linked to /boot/grub/grub.conf).# Carefully add the line: <code>password --md5 ''password-hash''</code> (note: ''password-hash'' is the hash you generated with md5crypt) Place this downline between the splashimage line and the title line. If there are other lines there, there is no need to remove them. Just insert your password line as a new line.# Make sure you have not made a mistake. What you type in must match exactly the output from the md5crypt command.# While you are editing the file you should also increase the timeout for grub to automatically boot the default OS. Edit the line <code>timeout=0</code> to <code>timeout=5</code> to give us more time to interrupt the process.# You should also ensure that the grub boot menu is not hidden. Add a hash sign (<code>#</code>) to the start of the line which reads: <code>hiddenmenu</code># Save the file and exit. Your Grub boot loader is now password protected.# Find the section of this article that explains how to change the runlevel at boot time, and read it. Reboot your system, trying to change to runlevel 1 from the boot prompt, and see if the password protection worked.# From now on, when you want to change boot parameters when you boot, you must type lowercase <code>p</code> at the boot prompt and enter the required password.
Type == Completing the command: quit to exit the grub program.Lab ==
Open Check off the grub configuration file, /etc/grub.conf , for editing. This file is actually linked following items before asking your instructor to /boot/grub/grub.conf.check your lab:
Carefully add the line * Task 1 - Install GNU/Linux Workstation using Fedora 10* Task 2 - Collect system information after installation.* Task 3 - Customize and configure boot time environment* Task 4 - Collect network information* Task 5 - Password protect Grub Bootloader
password --md5 password-hash (noteArrange evidence for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion: password-hash is the hash you generated with md5crypt)
to * Grub is password protected.* Can login with student's "learn" account* Has all the mount points* Has the file between package count* Has edited the splashimage line default runlevel* Has the correct IP address and MAC address* Find out the title line. If there are other lines there, there is no need to remove them. Just insert your password line as a new line.default route (gateway)* IP of the DNS name server
It should look something like this: == Preparing for the Quizzes ==
...splashimage=(hd0,0)/boot/grub/splash.xpm.gzpassword --md5 $1$jxcdN0$hVHViq1aiPf8FziuGJGZp0hiddenmenutitle Fedora... You can find a more complete sample of this file here. Make sure you have not made a mistake. What you type in must match exactly the output from the md5crypt command. While you are editing the file you should also increase the timeout for grub to automatically boot the default OS. Edit the line timeout=0 to timeout=5 to give us more time to interrupt the process. Save the file and exit. Your Grub boot loader is now password protected. Make sure the configuration file is owned by root, and set the permissions so only root can read and write. Find the section of this article that explains how to change the runlevel at boot time, and read it. Reboot your system, trying to change to runlevel 1 from the boot prompt, and see if the password protection worked. From now on, when you want to change boot parameters when you boot, you must type lowercase p at the boot prompt and enter the required password. Completing the Lab Check off the following items and sign your name before asking your instructor to check your lab:I have completed the following tasks in full: [ ] Task 1 - Install GNU/Linux Workstation using Fedora 10 [ ] Task 2 - Collect system information after installation. [ ] Task 3 - Customize and configure boot time environment [ ] Task 4 - Collect network information[ ] Task 5 - Password protect Grub Bootloader Student Signature: _____________________ Date: ________________Arrange evidence for each of these items on your screen, then ask your instructor each item: [ ] Grub is password protected. [ ] Can login with student's "learn" account [ ] Has all the mount points [ ] Has the package count [ ] Has edited the default runlevel [ ] Has the correct IP address and MAC address [ ] Find out the default route (gateway) [ ] IP of the DNS name server Instructor Signature: _____________________ Date: ________________ Preparing for the Quizzes # How many packages were installed? # How many files (correct to the nearest hundred) were installed? # How many mount points were used? # How many users were created automatically on your system (do not count your learn account)? # What is your learn account's UID and GID? # What is your learn account's home directory? # What is the home directory for the user "root"? # How do you determine the host name of your GNU/Linux workstation? # What command can display the NIC's MAC address? # Which file contains the default "runlevel" value for your GNU/Linux workstation?
