By default, the Grub boot loader allows anyone with access to the computer at boot time to set the runlevel or change the boot parameters, which lets them influence the init process and choose which kernel image is loaded. Anyone with access to the boot prompt can therefore bypass security controls and control which software is loaded. For example, rebooting to runlevel 1, known as single user mode, gives the user root privileges without the need for a password! Obviously, giving a non-administrator this much control can be dangerous, and it is wise to protect the boot loader with a secure password.
We will need to choose a password, hash it with the grub program's hash utility (called md5crypt), and add the resulting hash of your password to the grub configuration file, /etc/grub.conf.
First, choose a suitable password.
Do not forget it, or you will not be able to change boot parameters when you boot your system! If you need to write it down, put it in a safe place where no one will be able to tell what it is for.
Open the grub program by typing the command: grub
At the grub prompt, type in the command: md5crypt
When prompted for a password, carefully type in your password. The program will display the md5crypt hash of your password. Carefully write this
Type the command: quit to exit the grub program.
Open the grub configuration file, /etc/grub.conf , for editing. This file is actually linked to /boot/grub/grub.conf.
Carefully add the line
password --md5 password-hash (note: password-hash is the hash you generated with md5crypt)
to the file between the splashimage line and the title line. If there are other lines there, there is no need to remove them. Just insert your password line as a new line.
It should look something like this:
    ...
    splashimage=(hd0,0)/boot/grub/splash.xpm.gz
    password --md5 $1$jxcdN0$hVHViq1aiPf8FziuGJGZp0
    hiddenmenu
    title Fedora
    ...
You can find a more complete sample of this file here.
Make sure you have not made a mistake. What you type in must match exactly the output from the md5crypt command.
While you are editing the file you should also increase the timeout before grub automatically boots the default OS. Edit the line timeout=0 to timeout=5 to give us more time to interrupt the process.
Save the file and exit. Your Grub boot loader is now password protected.
Make sure the configuration file is owned by root, and set the permissions so only root can read and write it.
Find the section of this article that explains how to change the runlevel at boot time, and read it. Reboot your system, try to change to runlevel 1 from the boot prompt, and see if the password protection worked.
From now on, when you want to change boot parameters when you boot, you must type lowercase p at the boot prompt and enter the required password.

Completing the Lab
Check off the following items and sign your name before asking your instructor to check your lab:
I have completed the following tasks in full:
[ ] Task 1 - Install GNU/Linux Workstation using Fedora 10
[ ] Task 2 - Collect system information after installation
[ ] Task 3 - Customize and configure boot time environment
[ ] Task 4 - Collect network information
[ ] Task 5 - Password protect Grub Bootloader
Student Signature: _____________________ Date: ________________
Arrange evidence for each of these items on your screen, then ask your instructor to check each item:
[ ] Grub is password protected
[ ] Can log in with student's "learn" account
[ ] Has all the mount points
[ ] Has the package count
[ ] Has edited the default runlevel
[ ] Has the correct IP address and MAC address
[ ] Found the default route (gateway)
[ ] IP of the DNS name server
Instructor Signature: _____________________ Date: ________________

Preparing for the Quizzes
How many packages were installed?
How many files (correct to the nearest hundred) were installed?
How many mount points were used?
How many users were created automatically on your system (do not count your learn account)?
What is your learn account's UID and GID?
What is your learn account's home directory?
What is the home directory for the user "root"?
How do you determine the host name of your GNU/Linux workstation?
What command can display the NIC's MAC address?
Which file contains the default "runlevel" value for your GNU/Linux workstation?
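As an added example for the Task 5 procedure above (not part of the lab, and not Fedora's or GRUB's own tooling), a small Python script that checks the contents of a GRUB legacy grub.conf for the settings the task asks for and applies them: it confirms the password line is global (after splashimage and before the first title, since a password line inside a title stanza only locks that entry), that the value is an md5crypt hash rather than a plaintext password, and that the timeout is at least 5. The sample grub.conf is constructed; the hash is the page's own example value.

```python
import re

# md5crypt output: $1$<salt, up to 8 chars>$<22 chars of the crypt alphabet>
MD5CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

def audit_grub_conf(text):
    """Return findings for a GRUB legacy grub.conf; an empty list means it passes."""
    lines, findings = text.splitlines(), []
    # The global section ends at the first "title" line; a password line inside a
    # stanza only locks that entry and does not protect the boot prompt itself.
    first_title = next((i for i, l in enumerate(lines) if l.lstrip().startswith("title")), len(lines))
    pw_lines = [(i, l.split()) for i, l in enumerate(lines) if l.lstrip().startswith("password")]
    if not any(i < first_title for i, _ in pw_lines):
        findings.append("no global password line before the first title entry")
    for i, parts in pw_lines:
        if len(parts) < 3 or parts[1] != "--md5":
            findings.append(f"line {i + 1}: password is not stored as an --md5 hash")
        elif not MD5CRYPT_RE.match(parts[2]):
            findings.append(f"line {i + 1}: hash is not md5crypt output")
    for i, l in enumerate(lines):
        m = re.match(r"^\s*timeout\s*=\s*(\d+)", l)
        if m and int(m.group(1)) < 5:
            findings.append(f"line {i + 1}: timeout={m.group(1)} leaves little time to press p")
    return findings

def protect_grub_conf(text, md5_hash, timeout=5):
    """Add 'password --md5 <hash>' after splashimage (before the first title) and set timeout."""
    if not MD5CRYPT_RE.match(md5_hash):
        raise ValueError("expected the $1$salt$hash string printed by md5crypt, not a plaintext password")
    pw_line, out, inserted, in_global = f"password --md5 {md5_hash}", [], False, True
    for l in text.splitlines():
        s = l.lstrip()
        if s.startswith("title"):
            if not inserted:  # no splashimage line: insert just before the first entry
                out.append(pw_line); inserted = True
            in_global = False
        if in_global and s.startswith("password"):
            continue          # drop any existing global password line; ours replaces it
        if re.match(r"^\s*timeout\s*=", l):
            l = f"timeout={timeout}"
        out.append(l)
        if in_global and not inserted and s.startswith("splashimage"):
            out.append(pw_line); inserted = True
    if not inserted:          # neither splashimage nor title found: append at the end
        out.append(pw_line)
    return "\n".join(out) + "\n"

# Constructed sample of a fresh Fedora 10 grub.conf; the hash is the page's own example value.
SAMPLE_CONF = "default=0\ntimeout=0\nsplashimage=(hd0,0)/boot/grub/splash.xpm.gz\nhiddenmenu\ntitle Fedora\n\troot (hd0,0)\n"
PAGE_HASH = "$1$jxcdN0$hVHViq1aiPf8FziuGJGZp0"
```

The check only covers the file's contents; ownership and permissions of /boot/grub/grub.conf still need to be verified separately with ls -l.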