Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi,
I'm trying to prevent users from accessing the grub menu, but setting the timeout to 0 doesn't cut it because a user can hold down ESC during boot.
At the moment, it seems that my only option is to set a password for grub. But I was hopping that there is a better way where I can disable that feature completely.
You could also set the hidden attribute for the menu, but that is also bypassed by esc. I don't think you should disable menu access entirely because you may need to boot as single user if the machine locks up. Without the menu, you can't add the necessary option to the kernel options. So you will need a live or rescue disk instead.
protecting grub with a password is not an options because this system will be converted to a liveCD image and distributed to many users. If someone manages to break the password then there is a high possibility that all the users out there will be able to be able to bypass all the security by booting their image in single user mode.
I will not worry about the actual ISO image sense it will be encrypted and signed.
Right now I'm going to try to recompile grub after modifying the source code. I will make it in a way that as long as the system was able to boot, grub will not display messages nor accept any input. If booting fails, the menu will be displayed. Then I will protect the menu with a password.
Any other ideas before I start bashing my head against this?
Even if it takes a year ,I'm sure its less in months, to break the password, it is not worth the hassle that comes after that. The minute this system hits the internet, there will be people actively trying to find a workarounds (including our test department)
I assume you could set an impossible grub password by creating a hash that essentially didn't map to any real combination of characters. Like when you mod the hash by injecting random characters to make a user unable to login locally.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
