It's right here: https://www.gnu.org/software/grub/manual/grub.html#Security
Set a superuser that can't actually be used and use --unrestricted on the 
entries.

How to set up an "unauthenticatable" superuser is my question.
Maybe setting an invalid password hash with password_pbkdf2 or just not setting 
the user's password will suffice.

On May 29, 2015 10:28:17 PM GMT+01:00, "Boyce, Kevin P. (AS)" 
<[email protected]> wrote:
>All,
>
>I am hoping someone can help me with a grub2 configuration question.  I
>would like to be able to secure grub menu entries from being modified.
>I do not want to have to enter a password to boot the system (which 
>doesn't appear to be the current behavior of grub2 when set 
>superusers="root" directive is used).
>I do not want to have to create users and associated passwords (null 
>password is OK).
>
>I would like everyone to be able to select either one of these two boot
>entries without the need for a password, but I do not want them to be
>able to enter command mode or edit mode in which they could boot single
>user mode (my Rescue environment is being customized for recovery
>purposes).
>
>My bootloader and configuration will be permanently installed in a 
>read-only device like ROM and never changed.  I use the configfile 
>directive to point to the real bootloader configuration on a different 
>device I want to use.
>
>Here is my current config file, documentation on grub2 security seems a
>little lacking.  I recall being able to achieve this behavior by using
>the lock directive in legacy-grub.
>Any help would be appreciated.
>
>Thanks,
>Kevin
>
># Load GPT Partition Support
>insmod part_gpt
>
># Load XFS File System Support
>insmod xfs
>
># Load EXT File System Support
>insmod ext2
>
># Set a timeout before we pick the default
>set timeout=7
>
># Set the default boot entry
>set default="0"
>set fallback="1"
>
># Don't want any accounts that can bypass either one of these two entries
>set superusers=""
>
># Default boot entry redirecting to config file on RAID
># Secure without granting users permission to modify
>menuentry "Redirect Boot to RAID Device" --users "" {
>     search --no-floppy --set=root --label RAID
>     configfile /.firmware/boot.cfg
>}
>
># Create an entry for loading troubleshooting environment
># Secure without granting users permission to modify this entry
>menuentry "Rescue" --users "" {
>     search --no-floppy --set=root --label RESCUE
>     linux /vmlinuz rescue
>     initrd /initrd.img
>}
>
>_______________________________________________
>Help-grub mailing list
>[email protected]
>https://lists.gnu.org/mailman/listinfo/help-grub

-- 
Typed with a virtual keyboard. Please excuse any blunders.
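As an added illustration of the layout the reply points at in the manual (a named superuser with a password_pbkdf2 hash, and --unrestricted on the entries so nobody types a password to boot), here is a small Python script that is not from either poster. It assumes the hash format that grub-mkpasswd-pbkdf2 writes, grub.pbkdf2.sha512.<iterations>.<salt hex>.<key hex>, reproduces it with hashlib so it runs offline, renders Kevin's two entries into a grub.cfg fragment, and lints a fragment for the two problems in the quoted config: an empty superusers and entries that lack --unrestricted.

```python
import hashlib
import re
import secrets

# Assumption: this is the string format produced by grub-mkpasswd-pbkdf2:
#   grub.pbkdf2.sha512.<iterations>.<salt hex>.<derived key hex>
GRUB_PREFIX = "grub.pbkdf2.sha512"
DEFAULT_ITERATIONS = 10000
SALT_LEN = 64   # bytes of random salt
KEY_LEN = 64    # bytes of derived key (SHA-512 output size)


def make_pbkdf2_hash(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Build a password_pbkdf2-style hash for `password` (offline stand-in for grub-mkpasswd-pbkdf2)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, KEY_LEN)
    return f"{GRUB_PREFIX}.{iterations}.{salt.hex().upper()}.{dk.hex().upper()}"


def verify_pbkdf2_hash(stored, password):
    """Check `password` against a stored hash string; malformed input verifies as False."""
    parts = stored.rsplit(".", 3)
    if len(parts) != 4 or parts[0] != GRUB_PREFIX:
        return False
    _, iters, salt_hex, dk_hex = parts
    try:
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex), int(iters)
    except ValueError:
        return False
    if iterations <= 0 or not expected:
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, len(expected))
    return secrets.compare_digest(dk, expected)  # constant-time comparison


# The two entries from the quoted config, kept as (title, body commands).
ENTRIES = [
    ("Redirect Boot to RAID Device",
     ["search --no-floppy --set=root --label RAID", "configfile /.firmware/boot.cfg"]),
    ("Rescue",
     ["search --no-floppy --set=root --label RESCUE", "linux /vmlinuz rescue", "initrd /initrd.img"]),
]


def render_config(superuser, pbkdf2_hash, entries, timeout=7):
    """Emit a grub.cfg fragment: superuser guards editing/command line, entries boot without a password."""
    lines = [
        "insmod part_gpt", "insmod xfs", "insmod ext2",
        f"set timeout={timeout}",
        'set default="0"', 'set fallback="1"',
        # Naming a superuser is what restricts the command line and entry editing.
        f'set superusers="{superuser}"',
        f"password_pbkdf2 {superuser} {pbkdf2_hash}",
    ]
    for title, body in entries:
        # --unrestricted: anyone may boot this entry; editing it still needs the superuser.
        lines.append(f'menuentry "{title}" --unrestricted {{')
        lines.extend(f"    {cmd}" for cmd in body)
        lines.append("}")
    return "\n".join(lines) + "\n"


def lint_config(cfg):
    """Return a list of findings for a grub.cfg fragment (empty list means the layout matches the manual's pattern)."""
    findings = []
    m = re.search(r'^set superusers="?([^"\n]*)"?\s*$', cfg, re.M)
    users = [u for u in re.split(r"[,\s]+", m.group(1)) if u] if m else []
    if not users:
        findings.append("superusers is unset or empty: nothing restricts the command line or entry editing")
    for u in users:
        if not re.search(rf"^password(_pbkdf2)? {re.escape(u)} \S+", cfg, re.M):
            findings.append(f"superuser {u!r} has no password line")
    for line in re.findall(r"^menuentry .*$", cfg, re.M):
        if "--unrestricted" not in line:
            findings.append(f"entry needs a password to boot once superusers is set: {line.strip()}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a fixed salt so the output is reproducible here; use a random one for real use.
    sample_hash = make_pbkdf2_hash("example-passphrase", salt=bytes(range(SALT_LEN)))
    print(render_config("root", sample_hash, ENTRIES))
    print("findings:", lint_config(render_config("root", sample_hash, ENTRIES)))
```

On a real system the hash line comes from `grub-mkpasswd-pbkdf2`, not from this script; the point of the stand-in is to make the format and the verification step visible. The lint deliberately flags the quoted config's `set superusers=""` and `--users ""` entries, which is the opposite of the poster's goal: `--users ""` limits an entry to superusers, whereas `--unrestricted` lets anyone boot it while the superuser password still gates editing and the command line.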