It may be necessary to password-protect editing of the kernel command line while still allowing the OS to boot without a password.
Adding a variable GRUB_PASSWORD_PROTECT_ONLY_EDITING which can be set in /etc/default/grub as "GRUB_PASSWORD_PROTECT_ONLY_EDITING=true" to make Grub not ask password for just booting entries without editing them. Credits go to http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
---
 util/grub-mkconfig.in | 3 ++-
 util/grub.d/10_linux.in | 11 ++++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index 32d854b02..0d21e3652 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -238,7 +238,8 @@ export GRUB_DEFAULT \
 GRUB_ENABLE_CRYPTODISK \
 GRUB_BADRAM \
 GRUB_OS_PROBER_SKIP_LIST \
- GRUB_DISABLE_SUBMENU
+ GRUB_DISABLE_SUBMENU \
+ GRUB_PASSWORD_PROTECT_ONLY_EDITING

 if test "x${grub_cfg}" != "x"; then
 rm -f "${grub_cfg}.new"
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index b5b6ebc08..1e61c0eba 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -28,6 +28,11 @@ export TEXTDOMAINDIR="@localedir@"

 CLASS="--class gnu-linux --class gnu --class os"

+if [ "x${GRUB_PASSWORD_PROTECT_ONLY_EDITING}" = "xtrue" ]
+ then unrestricted="--unrestricted "
+ else unrestricted=" "
+fi
+
 if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
 OS="$(sed 's, release .*$,,g' /etc/system-release)"
 else
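Review bot: Only `10_linux.in` consumes `GRUB_PASSWORD_PROTECT_ONLY_EDITING` according to the diffstat, although the export added here makes it available to every generator script under grub.d. Entries written by any other generator would presumably stay password-restricted, which fails closed but leaves an administrator with a mixed menu and no explanation. The patch also adds no documentation for the new key. A short entry alongside the other /etc/default/grub variables, saying that it affects only the Linux entries and that it lets anyone at the console boot them, would cover both points.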
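Review bot: The new `if` block after `CLASS=` carries no comment on what the flag trades away, and this is the place a maintainer will look when auditing boot protection. I would add above it `# --unrestricted: anyone at the console may boot these entries; editing them and the GRUB command line still require a superuser password`. The test matches the literal string `true` only, so a value such as `yes` or `1` leaves every entry restricted; that is the safe direction, but the comment should say so. The `then`/`else` layout also differs from the `if [ ... ] ; then` form on the context line just below.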
@@ -102,9 +107,9 @@ linux_entry ()
 title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;"
 grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")"
 fi
- echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$title" | grub_quote)' ${unrestricted}${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
 else
- echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$os" | grub_quote)' ${unrestricted}${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
 fi
 if [ x$type != xrecovery ] ; then
 save_default_entry | grub_add_tab
@@ -285,7 +290,7 @@ while [ "x$list" != "x" ] ; do
 boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
 fi
 # TRANSLATORS: %s is replaced with an OS name
- echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
+ echo "submenu ${unrestricted}'$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
 is_top_level=false
 fi

-- 
2.25.1
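Review bot: `${unrestricted}` is added to both `menuentry` lines in `linux_entry` without regard to `$type`, so recovery entries become bootable without the password too; the `x$type != xrecovery` test at the end of the hunk shows this function emits them. A recovery boot usually ends in a maintenance shell, and whether that shell asks for the root password depends on the distribution, so keeping those entries restricted is the safer default. I would derive a per-entry value before the two `echo` lines, `entry_unrestricted="${unrestricted}"` followed by `if [ "x$type" = xrecovery ] ; then entry_unrestricted="" ; fi`, and interpolate that instead. `linux_entry` begins and ends outside the hunk.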
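Review bot: In the `submenu` line the option is written before the quoted title, while the two `menuentry` lines in `linux_entry` put `${unrestricted}` after the title. Using the same position here, `submenu '...' ${unrestricted}\$menuentry_id_option ...`, keeps the generated grub.cfg uniform and easier to audit for which entries skip authentication. An unrestricted "Advanced options" submenu also makes whatever it contains reachable without the password, so it is worth a comment on this line that the entries inside are governed by their own flags. The enclosing `while` loop begins and ends outside the hunk.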
