grub single mode hack

dale_chip · 07-14-2008, 06:19 AM

i recently came to know that grub can be hacked to boot into as root by editing the command line.
i searched web to prevent such hacks and they all suggested to add a md5 password.
but the problem with that is that it asks for this password even when i try to boot.
i am looking out for a solution that only prevents people from hacking into the root account. i am using a shared computer so i must allow them to boot into with their respective accounts but not be able to hack into as root.

makuyl · 07-14-2008, 01:23 PM

Perhaps use lock and see if the password is still asked at normal booting.
http://www.gnu.org/software/grub/man.../Security.html

aus9 · 07-14-2008, 07:55 PM

What do you mean by shared....a stand alone pc that different ppl sit at to login or do you mean that there are different network computers that share one computer for access?

lock and passwd for standalone and grub is irrelevant for the others but ssh may need hardening. I do not have such networks but Secure FTP over ssh is one way......running logins with chroot jails is another. There is a good post on that if you need it.

A determined local user can of course bypass the grub lock and passwd which is why I do not have it in my howto. But you have to have a certain level of trust for local users otherwise why allow them access to the computer in the first place?

aus9 · 07-14-2008, 09:51 PM

I suppose I should tell you the strongest way of doing it?

boot up the system
open a shell and get root powers (su or sudo whatever)

Code:

su
grub
md5crypt
(enter your password)
(do not quit until you have copy and pasted the result which is an encrypted password...Konsole uses can use Edit Copy

Also use root powers to edit /boot/grub/menu.lst

Create a blank line at top of file to insert new line
password --md5 (insert encrypted string here)

For each TITLE in menu....immediately below title create a new line called
lock

eg

--------
password --md5 $1$sL3Cb$44Iyndws/jLfgi6JYYHeo

blah blah

title
lock
root (hd0,0)
kernel /blah blah
initrd /blah blah

(2) if you need to edit menu at boot...just after mbr jumps to grub menu....press the P keyboard letter to enter password.

(3) To test that you can get in....first copy and paste your normal entry without a lock

so you have

title
lock
blah blah

title
blah blah

remove it after testing

cheerio

dale_chip · 07-15-2008, 07:15 AM

thanx to all

@aus9 : the problem still persists
the grub does not allows to boot unless i press p and enter the password

pinniped · 07-15-2008, 08:01 AM

Read carefully through the Grub manual - you can make it demand a password only before entering the command-line interactive mode; this allows you to select what to boot, but you can't change any boot parameters without the password.

Other tips:
http://wiki.linuxquestions.org/wiki/Securing_GRUB

On the other hand - what's the point? Unless you physically lock up the box and prevent anyone from booting from USB/external storage/CD, putting a password on Grub doesn't really achieve anything.