On second thought...
"If ‘superusers’ is set, then use of the command line is automatically
restricted to superusers."
Setting an empty superusers list and adding --unresticted to your entries is
probably what you want.
On May 30, 2015 1:05:28 AM GMT+01:00, "Joāo Ricardo Sares Teles de Matos"
<[email protected]> wrote:
>It's right here:
>https://www.gnu.org/software/grub/manual/grub.html#Security
>Set a superuser that can't actually be used and use --unrestricted on
>the entries.
>
>How to set up an "unauthenticatable" superuser is my question.
>Maybe setting an invalid password hash with password_pbkdf2 or just not
>setting the user's password will suffice.
>
>On May 29, 2015 10:28:17 PM GMT+01:00, "Boyce, Kevin P. (AS)"
><[email protected]> wrote:
>>All,
>>
>>I am hoping someone can help me with a grub2 configuration question.
>I
>>
>>would like to be able to secure grub menu entries from being modified.
>>I do not want to have to enter a password to boot the system (which
>>doesn't appear to be the current behavior of grub2 when set
>>superusers="root" directive is used).
>>I do not want to have to create users and associated passwords (null
>>password is OK).
>>
>>I would like everyone to be able to select either one of these two
>boot
>>
>>entries without the need for a password, but i do not want them to be
>>able to enter command mode or edit mode in which they could boot
>single
>>
>>user mode (my Rescue enviroment is being customized for recovery
>>purposes).
>>
>>My bootloader and configuration will be permanently installed in a
>>read-only device like ROM and never changed. I use the configfile
>>directive to point to the real bootloader configuration on a different
>
>>device I want to use.
>>
>>Here is my current config file, documentation on grub2 security seems
>a
>>
>>little lacking. I recall being able to achieve this behavior by using
>
>>the lock directive in legacy-grub.
>>Any help would be appreciated.
>>
>>Thanks,
>>Kevin
>>
>># Load GPT Partition Support
>>insmod part_gpt
>>
>># Load XFS File System Support
>>insmod xfs
>>
>># Load EXT File System Support
>>insmod ext2
>>
>># Set a timeout before we pick the default
>>set timeout=7
>>
>># Set the default boot entry
>>set default="0"
>>set fallback="1"
>>
>># Don't want any accounts that can bypass either one of these two
>>entries
>>set superusers=""
>>
>># Default boot entry redirecting to config file on RAID
>># Secure without granting users permission to modify
>>menuentry "Redirect Boot to RAID Device" --users "" {
>> search --no-floppy --set=root --label RAID
>> configfile /.firmware/boot.cfg
>>}
>>
>># Create an entry for loading troubleshooting environment
>># Secure without granting users permission to modify this entry
>>menuentry "Rescue" --users "" {
>> search --no-floppy --set=root --label RESCUE
>> linux /vmlinuz rescue
>> initrd /initrd.img
>>}
>>
>>_______________________________________________
>>Help-grub mailing list
>>[email protected]
>>https://lists.gnu.org/mailman/listinfo/help-grub
>
>--
>Typed with a virtual keyboard. Please excuse any blunders.
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Help-grub mailing list
>[email protected]
>https://lists.gnu.org/mailman/listinfo/help-grub
--
Typed with a virtual keyboard. Please excuse any blunders._______________________________________________
Help-grub mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-grub
