Boot Loader Passwords
The primary reasons for password protecting a Linux boot loader are as follows:
- Preventing Access to Single User Mode - If attackers can boot the system into single user mode, they are logged in automatically as root without being prompted for the root password.
- Preventing Access to the GRUB Console - If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the
catcommand. - Preventing Access to Insecure Operating Systems - If it is a dual-boot system, an attacker can select an operating system at boot time (for example, DOS), which ignores access controls and file permissions.
Community Enterprise Linux ships with the GRUB boot loader on the x86 platform. For a detailed look at GRUB, refer to the CentOS Installation Guide.
Password Protecting GRUB
You can configure GRUB to address the first two issues listed in "Boot Loader Passwords" by adding a password directive to its configuration file. To do this, first choose a strong password, open a shell, log in as root, and then type the following command:
grub-md5-cryptWhen prompted, type the GRUB password and press Enter. This returns an MD5 hash of the password.
Next, edit the GRUB configuration file
/boot/grub/grub.conf. Open the file and below thetimeoutline in the main section of the document, add the following line:password --md5<password-hash>Replace
<password-hash>with the value returned by/sbin/grub-md5-crypt[15].The next time the system boots, the GRUB menu prevents access to the editor or command interface without first pressing p followed by the GRUB password.
Unfortunately, this solution does not prevent an attacker from booting into an insecure operating system in a dual-boot environment. For this, a different part of the
/boot/grub/grub.conffile must be edited.Look for the
titleline of the operating system that you want to secure, and add a line with thelockdirective immediately beneath it.For a DOS system, the stanza should begin similar to the following:
title DOS lock
A
passwordline must be present in the main section of the/boot/grub/grub.conffile for this method to work properly. Otherwise, an attacker can access the GRUB editor interface and remove the lock line.To create a different password for a particular kernel or operating system, add a
lockline to the stanza, followed by a password line.Each stanza protected with a unique password should begin with lines similar to the following example:
title DOS lock password --md5
<password-hash>