Home / ubuntu / Questions / 31605
Accepted
Jamess
Asked: 2011-03-23 23:21:37 +0800 CST

How to secure grub recovery mode

  • 772

When I boot system in to recovery mode from GRUB menu, I can get in to all powerful root without entering any password, thus insecure.

How I can secure this and ensure that a password is asked every time I attempt to access root in recovery mode?

security

3 Answers

  1. Best Answer

    There is a post on Ubuntu forums about protecting entries by password, basically to make the recovery menuitems require you to login as superman with password 1234 you need to edit some very hairy config/script files:

    Add to /etc/grub.d/00_header

    cat << EOF
set superusers="superman"
password superman 1234
password bill 5678
EOF

    Change /etc/grub.d/10_linux

    From: 

    printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"

    To:

    if ${recovery} ; then
   printf "menuentry '${title}' --users superman ${CLASS} {\n" "${os}" "${version}"
else
   printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
fi

    Perfecting protection is profoundly hard

    Other things you need to do is to password protect your bios, disable booting from anything else than primary hard drive, and encrypt your root partition and mount any other partition as noexec. This still leaves lots of vectors.

    • 10

  2. The only reliable way to protect the system from an attacker having physical access to the machine is full-disk encryption.

    • 2

  3. You can't protect your data if it's not encrypted, but you can protect root user. When anyone try to access your disk via recovery mode, she/he needs password.

    set root password

    sudo passwd root #set new password for user named root

    test root access

    su
    • 0