I just read that in certain situations you should also protect access to your GRUB2 menu by setting a password and maybe refining access by adding --unrestricted or --users as arguments to menuentries and submenus.
I read the corresponding pages in the Ubuntu Community Documentation and the Arch Wiki. So, I created /etc/grub.d/01_security, stored usernames and passwords in there, made the file executable and ran update-grub. This is working as intended; every action in the menu prompts for username and password, but I also want to modify the automatically generated entries to either restrict them to certain users (via --users) or make them available for everyone, but not editable by everyone (via --unrestricted).
I was able to find the proper lines in 10_linux and edit them accordingly, however I'd love to see an easier solution. Perhaps an option like GRUB_DISABLE_RECOVERY="true" or GRUB_DISABLE_OS_PROBER=true in /etc/default/grub for easy (re)configuration (for linux and os-prober generated entries).
Here's a diff from my 13.10 installation:
$ diff /etc/grub.d/10_linux /etc/grub.d/10_linux_bak
123c123
< echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} --unrestriced \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^$
---
> echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_inde$
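Review bot: In the 123c123 hunk the changed line (the < side) spells the option --unrestriced, while the 125c125 and 323c323 hunks use --unrestricted. Correct the spelling in /etc/grub.d/10_linux and rerun update-grub, so the per-version entries generated by this line carry the same flag as the simple entry and the submenu.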
125c125
< echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} --unrestricted \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_$
---
> echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
323c323
< echo "submenu --unrestricted '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_$
---
> echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
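Review bot: The < line of the 323c323 hunk ends in $boot_device_$, cut off before the closing {", and the < lines of the two earlier hunks (plus the > line of the first) are cut off the same way, so the change cannot be reviewed or applied in full from this output. The diff command also names the modified file first, which makes the < lines the new ones; regenerating it untruncated as diff -u /etc/grub.d/10_linux_bak /etc/grub.d/10_linux would give the usual old-to-new direction.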
tl;dr: I'd love to see a simple solution for GRUB2 entries that cannot be modified without a password or are limited to certain users. (Yes, GRUB_DISABLE_RECOVERY="true" is active.)
Okay, I found that variables in /etc/default/grub are read and exported by grub-mkconfig in /usr/sbin/. The following patch is what I had in mind and hopefully complies with quality requirements and coding standards for the files modified. The patch for 30_os-prober should be similar and will hopefully follow tomorrow.
As explained above, the variables should be defined in /etc/default/grub like so: GRUB_PWRESTRICTION_LINUX="--users user1" or like so: GRUB_PWRESTRICTION_LINUX="--unrestricted".
I'm looking forward to your feedback.
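As an added illustration (not part of the original post or of GRUB's own scripts), the shell function below reads a generated grub.cfg and reports for each menuentry and submenu whether it is --unrestricted, limited by --users, or left to superusers only. The function names and the sample config are constructed for this example; the sample reuses the misspelled flag from the diff above to show that this check does not count it as --unrestricted.

```shell
#!/bin/sh
# Added example: report who may boot each entry once a GRUB2 password is set.
#   --unrestricted -> anyone may boot it (editing still needs a superuser)
#   --users LIST   -> listed users plus superusers
#   neither flag   -> superusers only
audit_grub_cfg() {
    awk -v q="'" '
    /^[ \t]*set[ \t]+superusers=/ { su = 1 }
    /^[ \t]*(menuentry|submenu)[ \t]/ {
        kind = $1; title = "?"; rest = $0
        # The title is the first single-quoted string; cut it out so that
        # flag-like words inside a title are not mistaken for options.
        if (match(rest, q "[^" q "]*" q)) {
            title = substr(rest, RSTART + 1, RLENGTH - 2)
            rest = substr(rest, 1, RSTART - 1) substr(rest, RSTART + RLENGTH)
        }
        access = "superusers-only"
        if (rest ~ /[ \t]--unrestricted([ \t]|$)/) {
            access = "unrestricted"
        } else if (match(rest, /[ \t]--users[ \t]+("[^"]*"|[^ \t]+)/)) {
            val = substr(rest, RSTART, RLENGTH)
            sub(/^[ \t]--users[ \t]+/, "", val)
            gsub(/"/, "", val)
            access = "users:" val
        }
        printf "%s|%s|%s\n", kind, access, title
    }
    END { if (!su) print "note|no superusers set, so no entry is protected" }
    ' "$@"
}

# Constructed sample shaped like 10_linux output (placeholder hash and ids).
# The versioned entry carries a misspelled flag; the last title contains a
# flag-like word that must be ignored.
sample_grub_cfg() {
    cat <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER
menuentry 'Ubuntu' --class ubuntu --unrestricted $menuentry_id_option 'gnulinux-simple-UUID' {
}
submenu --unrestricted 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-UUID' {
    menuentry 'Ubuntu, with Linux 3.11.0-12-generic' --unrestriced $menuentry_id_option 'gnulinux-3.11.0-12-generic-advanced-UUID' {
    }
    menuentry 'Ubuntu (memtest --unrestricted)' --users user1 {
    }
}
EOF
}

# With a file argument audit that file, otherwise audit the sample.
if [ $# -gt 0 ]; then audit_grub_cfg "$@"; else sample_grub_cfg | audit_grub_cfg; fi
```

Pass the path of a generated config as the argument (for example /boot/grub/grub.cfg on Ubuntu) to audit a real system after running update-grub.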