LinuxQuestions.org


shakazzolo 07-07-2010 11:39 AM

Disable grub boot loader interface
 
Hi,
I'm trying to prevent users from accessing the grub menu, but setting the timeout to 0 doesn't cut it because a user can hold down ESC during boot.

At the moment, it seems that my only option is to set a password for grub. But I was hoping that there is a better way where I can disable that feature completely.


Thanks!

abefroman 07-07-2010 11:50 AM

Don't think so, you can have it use LILO, but that's probably not what you want.

Your best bet might be to lock the server up in a cage or cabinet if you don't want people to have access to it.

smoker 07-07-2010 11:52 AM

You could also set the hidden attribute for the menu, but that is also bypassed by esc. I don't think you should disable menu access entirely because you may need to boot as single user if the machine locks up. Without the menu, you can't add the necessary option to the kernel options. So you will need a live or rescue disk instead.

shakazzolo 07-08-2010 11:30 AM

What about recompiling grub and replacing some binary files? Can anyone help me with that?

btw, I'm using grub not grub2

abefroman 07-08-2010 11:32 AM

Quote:

Originally Posted by shakazzolo (Post 4027458)
What about recompiling grub and replacing some binary files? Can anyone help me with that?

btw, I'm using grub not grub2

Well there is probably a way to do it, but you really wouldn't want to.

idlehands 07-08-2010 12:07 PM

You can password protect grub

shakazzolo 07-08-2010 02:21 PM

Protecting grub with a password is not an option because this system will be converted to a liveCD image and distributed to many users. If someone manages to break the password then there is a high possibility that all the users out there will be able to bypass all the security by booting their image in single user mode.

I will not worry about the actual ISO image since it will be encrypted and signed.


Right now I'm going to try to recompile grub after modifying the source code. I will make it in a way that as long as the system was able to boot, grub will not display messages nor accept any input. If booting fails, the menu will be displayed. Then I will protect the menu with a password.

Any other ideas before I start bashing my head against this?

John VV 07-08-2010 02:54 PM

a VERY strong password with alt characters
http://www.combobulate.com/node/25
http://www.irongeek.com/alt-numpad-a...and-chart.html

Do you know just how long rainbow tables will take with that?

shakazzolo 07-09-2010 07:01 AM

Even if it takes a year, I'm sure it's less in months, to break the password, it is not worth the hassle that comes after that. The minute this system hits the internet, there will be people actively trying to find workarounds (including our test department).

I'll post my patch here when I'm done... if ever

idlehands 07-10-2010 12:57 PM

I assume you could set an impossible grub password by creating a hash that essentially didn't map to any real combination of characters. Like when you mod the hash by injecting random characters to make a user unable to login locally.
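Added example, not part of idlehands' post or the thread: a Python check of a GRUB legacy menu.lst that reports whether the global `password --md5` value is a well-formed md5-crypt string (open to offline guessing once the image is distributed) or a string no password can hash to, as suggested above. The function name, the result labels and the sample file are assumptions constructed for illustration.

```python
import re

# md5-crypt string as produced by grub-md5-crypt: $1$<salt, 1-8 chars>$<22-char digest>
B64 = r"[./0-9A-Za-z]"
MD5_CRYPT = re.compile(rf"^\$1\$({B64}{{1,8}})\$({B64}{{22}})$")

# Constructed sample: the digest field holds characters outside the md5-crypt
# alphabet and has the wrong length, so no password produces this string.
SAMPLE = """\
default 0
timeout 0
hiddenmenu
password --md5 $1$LOCKED$!!no-password-hashes-to-this!!
title Live
root (hd0,0)
kernel /vmlinuz ro quiet
"""

def audit_menu_lst(text):
    """Report menu-protection settings from the global section of menu.lst."""
    findings = {"password": "missing", "timeout": None, "hiddenmenu": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"([A-Za-z]+)(?:[=\s]+(.*))?$", line)
        if not m or line.startswith("#"):
            continue
        key, rest = m.group(1).lower(), (m.group(2) or "").split()
        if key == "title":
            break  # global section ends here; a later password covers one entry only
        if key == "hiddenmenu":
            findings["hiddenmenu"] = True
        elif key == "timeout" and rest and rest[0].isdigit():
            findings["timeout"] = int(rest[0])
        elif key == "password" and rest:
            if rest[0] != "--md5":
                findings["password"] = "plaintext"        # readable from the image
            elif len(rest) > 1 and MD5_CRYPT.match(rest[1]):
                findings["password"] = "md5"              # real hash, guessable offline
            else:
                findings["password"] = "md5-unmatchable"  # not a possible md5-crypt output
    return findings

if __name__ == "__main__":
    print(audit_menu_lst(SAMPLE))
```
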

shakazzolo 07-11-2010 07:05 PM

Wow man! Why didn't I think of that! Thanks I think this will work really well for me

Thanks!

aus9 07-17-2010 07:09 PM

John

Thanks for links


All times are GMT -5.