Red Hat SummitChapter 10. Protecting GRUB with a password
You can protect GRUB with a password in two ways:
- Password is required for modifying menu entries but not for booting existing menu entries.
- Password is required for modifying menu entries and for booting existing menu entries.
10.1. Setting password protection only for modifying menu entries
You can configure GRUB to support password authentication for modifying GRUB menu entries. This procedure creates a /boot/grub2/user.cfg file that provides the password in the hash format.
Setting a password using the grub2-setpassword command prevents menu entries from unauthorized modification but not from unauthorized booting.
Procedure
Issue the
grub2-setpasswordcommand as root:grub2-setpassword
# grub2-setpasswordCopy to Clipboard Copied! Enter the password for the user and press the Enter key to confirm the password:
Enter password: Confirm the password:
Enter password: Confirm the password:Copy to Clipboard Copied!
The root user is defined in the /boot/grub2/grub.cfg file with the password changes. Therefore, modifying a boot entry during booting requires the name and password of the root user.
10.2. Setting password protection for modifying and booting menu entries
You can configure GRUB to prevent menu entries from unauthorized modification and booting.
If you forget the GRUB password, you will not be able to boot the entries you have reconfigured.
Procedure
-
Open the Boot Loader Specification (
BLS) file for boot entry you want to modify from the/boot/loader/entries/directory. -
Find the line beginning with
grub_users. This parameter passes extra arguments tomenuentry. -
Set the
grub_usersattribute to the user name that is allowed to boot the entry besides the superusers, by default this user isroot.
Here is a sample configuration file:
+
title Red Hat Enterprise Linux (4.18.0-221.el8.x86_64) 8.3 (Ootpa) version 4.18.0-221.el8.x86_64 linux /vmlinuz-4.18.0-221.el8.x86_64 initrd /initramfs-4.18.0-221.el8.x86_64.img $tuned_initrd options $kernelopts $tuned_params id rhel-20200625210904-4.18.0-221.el8.x86_64 grub_users root grub_arg --unrestricted grub_class kernel
title Red Hat Enterprise Linux (4.18.0-221.el8.x86_64) 8.3
(Ootpa)
version 4.18.0-221.el8.x86_64
linux /vmlinuz-4.18.0-221.el8.x86_64
initrd /initramfs-4.18.0-221.el8.x86_64.img $tuned_initrd
options $kernelopts $tuned_params
id rhel-20200625210904-4.18.0-221.el8.x86_64
grub_users root
grub_arg --unrestricted
grub_class kernel-
Save and close the
BLSfile:
If you want to protect all the menu entries from booting, you can directly set the grub_users attribute. For example, if root is the user:
grub2-editenv - set grub_users="root"
# grub2-editenv - set grub_users="root"
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}