Search

Chapter 10. Protecting GRUB with a password

download PDF

You can protect GRUB with a password in two ways:

  • Password is required for modifying menu entries but not for booting existing menu entries.
  • Password is required for modifying menu entries as well as for booting existing menu entries.

10.1. Setting password protection only for modifying menu entries

You can configure GRUB to support password authentication for modifying GRUB menu entries. This procedure creates a /boot/grub2/user.cfg file that contains the password in the hash format.

Important

Setting a password using the grub2-setpassword command prevents menu entries from unauthorized modification but not from unauthorized booting.

Procedure

  1. Issue the grub2-setpassword command as root.

    # grub2-setpassword
  2. Enter the password for the user and press the Enter key to confirm the password.

    Enter password:
    Confirm the password:
Note

The root user is defined in the /boot/grub2/grub.cfg file with the password changes. Therefore, modifying a boot entry during booting requires the root user name and password.

10.2. Setting password protection for modifying and booting menu entries

You can configure GRUB to prevent menu entries from unauthorized modification as well as from unauthorized booting.

Warning

If you forget the GRUB password, you will not be able to boot the entries you have reconfigured.

Procedure

  1. Open the Boot Loader Specification (BLS) file for boot entry you want to modify from the /boot/loader/entries/ directory.
  2. Find the line beginning with grub_users. This parameter passes extra arguments to menuentry.
  3. Set the grub_users attribute to the user name that is allowed to boot the entry besides the superusers, by default this user is root. Here is a sample configuration file:

    title Red Hat Enterprise Linux (4.18.0-221.el8.x86_64) 8.3
    (Ootpa)
    version 4.18.0-221.el8.x86_64
    linux /vmlinuz-4.18.0-221.el8.x86_64
    initrd /initramfs-4.18.0-221.el8.x86_64.img $tuned_initrd
    options $kernelopts $tuned_params
    id rhel-20200625210904-4.18.0-221.el8.x86_64
    grub_users root
    grub_arg --unrestricted
    grub_class kernel
  4. Save and close the BLS file.
Note

If you want to protect all the menu entries from booting, you can directly set the grub_users attribute. For example, if root is the user:

# grub2-editenv - set grub_users="root"
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.