SDB:GRUB password
Version: Any
Statements in this article are valid for any openSUSE version using classic GRUB, often referred to as GRUB1.
Subject
- How to set a password for the boot manager GRUB in order to block the interactive menu of GRUB.
- How to prevent booting of certain operating systems from the selection list.
Procedure
As the boot manager GRUB directly supports many file systems, the hard disk contents can be accessed during booting. For example, even files that Linux users without root permissions will not be able to access after the Linux system has started can be viewed at this stage (see SDB:The Boot Manager Grub).
Blocking the interactive functions only
With this option all operating systems can be booted, but boot options cannot be changed without the password.
Using YaST2 is the easiest way to set up a password query. Start the YaST2 Control Center and enter the following menu:
- System -->
- Bootloader configuration
- Modify current configuration
In this menu you can first determine where to install GRUB: in the Master Boot Record (MBR) of the first hard disk, on a floppy disk, in the boot sector of the boot partition or the root partition, or in another partition.
Press Next to proceed to the Global Bootloader Properties dialog. Mark Use password for booting and enter the password twice.
Press Next to proceed to the configuration of the Sections table, which you can skip by pressing Next.
Select Save current configuration and press Finish in order to save the modifications to the hard disk. The execution of GRUB commands at the boot prompt is now protected. It will only be released after entering "p" and the password. However, all operating systems listed in the selection menu of the boot loader can still be booted by all users.
Locking only operating system entries
This is a way to lock one or more individual entries in the boot menu, forcing the user to give a password before the operating system behind that entry can be booted.
To do that, edit the file /boot/grub/menu.lst. Open this file in an ASCII editor of your choice (as root). The word title introduces the sections for booting the individual operating systems. Example:
title linux
    kernel (hd0,4)/vmlinuz root=/dev/hda7 vga=791
    initrd (hd0,4)/initrd

title windows
    root (hd0,0)
    makeactive
    chainloader +1

title floppy
    root (fd0)
    chainloader +1

title failsafe
    kernel (hd0,4)/vmlinuz.shipped root=/dev/hda7 ide=nodma apm=off acpi=off vga=normal nosmp maxcpus=0 3
    initrd (hd0,4)/initrd.shipped
If you want to prevent a certain entry from being booted by unauthorized individuals, insert the word lock under the respective section. Example:
title linux
    kernel (hd0,4)/vmlinuz root=/dev/hda7 vga=791
    initrd (hd0,4)/initrd
    lock
The changes will be adopted when the file is saved.
In this example, this Linux entry can only be booted if the password is entered. Following a reboot, if this entry is selected from the boot menu, the following message will appear:
Error 32: Must be authenticated
Press the Enter key to go to the menu in which you can enter the password by pressing p. The locked operating system entries can now be booted.
Inserting the password manually
If you do not want to use YaST2 to insert the password, proceed as follows: In order to store the password in hashed rather than clear-text form, execute the command grub-md5-crypt in a shell (as root). You will be asked for the password. After the password is entered, its MD5 hash will be displayed:
linux:~ # grub-md5-crypt
Password:
$1$xmY1T/$wL6rbH2VC2L3ITFGiveLq.
Append this string to the global section of the file /boot/grub/menu.lst. The option that needs to be appended is password --md5. The section might look as follows:
gfxmenu (hd0,0)/message
color white/green black/light-gray
default 0
timeout 8
password --md5 $1$xmY1T/$wL6rbH2VC2L3ITFGiveLq.
The changes take effect when the file is saved; in other words, from the next boot onwards the user will have to enter the password.
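As an added check (not part of this SDB article or of openSUSE's tooling), the following Python script reads a menu.lst and reports whether the global section carries a password --md5 line (a bare password line stores the password in clear text) and which title entries lack lock. The file contents below are a constructed sample modelled on the article's examples.

```python
# Constructed sample menu.lst, modelled on the article's examples (not a
# real system's file): one global md5 password, three entries, one locked.
SAMPLE_MENU_LST = """\
gfxmenu (hd0,0)/message
color white/green black/light-gray
default 0
timeout 8
password --md5 $1$xmY1T/$wL6rbH2VC2L3ITFGiveLq.

title linux
    kernel (hd0,4)/vmlinuz root=/dev/hda7 vga=791
    initrd (hd0,4)/initrd
    lock

title windows
    root (hd0,0)
    makeactive
    chainloader +1

title failsafe
    kernel (hd0,4)/vmlinuz.shipped root=/dev/hda7 ide=nodma apm=off acpi=off
    initrd (hd0,4)/initrd.shipped
"""


def audit_menu_lst(text):
    """Return the kind of global password ("md5", "plaintext" or None) and
    the titles of locked and unlocked entries in a GRUB1 menu.lst."""
    global_password = None
    entries = []          # [title, locked] in file order
    current = None        # entry being read; None while in the global section
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "title":
            current = [" ".join(words[1:]), False]
            entries.append(current)
        elif current is None and words[0] == "password":
            # "password" before the first "title" is global; without --md5
            # GRUB1 stores and compares it in clear text.
            global_password = "md5" if "--md5" in words[1:] else "plaintext"
        elif current is not None and words[0] == "lock":
            current[1] = True
    return {
        "global_password": global_password,
        "locked": [t for t, locked in entries if locked],
        "unlocked": [t for t, locked in entries if not locked],
    }
```

Run it against /boot/grub/menu.lst after editing: an empty "unlocked" list together with global_password == "md5" means every entry is protected as described above.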