How Important is it to Password Protect Grub?
 

I have grub 2 with dual boot (Ubuntu + Win7). What is worst damage someone can do to me by taking advantage of grub not being password protected? (Assuming I have no problem to let anyone attempt to login on either Ubuntu or Win7)

Thanks!
Ofer

IMO, if you trust the people who have physical access to this machine, then there's no point in using a grub password, since it is set to avoid anyone who doesn't know it to boot any installed OS. And even if you had a grub password set, anyone with physical access to the machine could easily use a live CD to bypass grub and access the files in the system.

I think it is almost useless to password protect it unless this is in a kiosk locked enclosure.

Thanks guys.


The BIOS is password protected, and I assumed the enemy does not have time to actually take apart my computer.


The question is, can any damage be done through the "Grub Console"?

does password protecting the bios prevent booting from live medium?

generally, yes. But not on all machines.
Mine for instance where I set no USB devices in the boot list, if I stick a USB bootable in and reboot, it will boot off of it. Yes, I saved settings in the BIOS on the way out.
GIGABYTE GA-Z77-DS3H LGA 1155 Intel Z7 motherboard with American Megatrends BIOS, version unknown atm.

There is no real security if one has access to a system. Even too high of permissions could allow one to change bios settings from an OS. This is the thought behind the entire new bios scheme, to protect against this sort of attack.

One of the best tools I have seen is the hardware encryption that some laptops have. Unfortunately they have ways around a few of them.

Thanks
 

thankks for replies on the BIOS password question:newbie:

Greetings Habitual
Just curious, have you also reordered the boot order so it boots off the HDD first ? if needed I can still hit f11 to get to a boot menu (MSI mobo) for usb or whatnot, but only after I type in the password. YMMV

weirdwolf:
I have only removed items from the boot list in BIOS
SATA0 (HD) and
SATA1(DVD device) in that order.

Also on this board, if I press F12 ('boot from') I can 'see' all the USB and SATA devices in the 'boot list'. This includes the printer.

My Lenovo BIOS has a similar issue with the 3T WD storage device (not a bootable device).
If I plug it in during pre-POST, the machine hangs.

WD Support (Level 1?) said to "change the boot order in the BIOS" to which I replied "It's NOT marked bootable and isn't even in the 'boot list'."

He gave me a url for a firmware upgrade which made no difference.

I have NOT had that issue on the GIGABYTE GA-Z77-DS3H LGA 1155 Intel Z7motherboard.

Have a Great Day!

Edit: I too use a PowerOnPassword for just such a reason.
There is no Security without physical security.
But now-a-days, even a punk BIOS password means nothing if they want the data.
They'll just clone the target and boot up elsewhere and mount it.

Passwords makes things difficult, not impossible.

Yep, a p.o.p. just keeps the mildly curious and the lazy out. If you were to be worried then some sort of full disk encryption may be a consideration thus negating any cloning or whatnot.