Why should a Linux boot loader have password protection?
The following are the primary reasons for password protecting a Linux boot loader:
1. Preventing Access to Single User Mode – If an attacker can boot into single user mode, he becomes the root user.
2. Preventing Access to the GRUB Console – If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command.
3. Preventing Access to Non-Secure Operating Systems – If it is a dual-boot system, an attacker can select at boot time an operating system, such as DOS, which ignores access controls and file permissions.
1. Configuring GRUB 2 to Require a Password only for Modifying Entries
To require password authentication for modifying GRUB 2 entries, follow these steps:
1. Run the grub2-setpassword command as root:
# grub2-setpassword
Enter password:
Confirm password:
2. Enter and confirm the password. That's all there is to it: the password is stored as a PBKDF2 hash, not in plain text, in the /boot/grub2/user.cfg file.
3. With this change, editing a boot entry from the GRUB menu during booting requires you to enter these credentials.
2. Configuring GRUB 2 to Require a Password for Modifying and Booting Entries
To also require the password for booting an entry, follow these steps after setting the password with grub2-setpassword:
1. Open the /boot/grub2/grub.cfg file.
2. Find the boot entry that you want to protect with password by searching for lines beginning with menuentry.
3. Delete the --unrestricted parameter from the menu entry block.
4. Save and close the file.
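As an added example (not code from the original article), the POSIX shell script below audits both settings described in the two procedures above against constructed sample copies of user.cfg and grub.cfg: it checks that grub2-setpassword has written a password hash, lists which menuentry lines still carry --unrestricted (and are therefore bootable without the password), and shows the effect of deleting that parameter. The file contents, entry titles and the hash value are constructed placeholders; on a real system the same functions would be fed the contents of /boot/grub2/user.cfg and /boot/grub2/grub.cfg.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a GRUB 2
# configuration for the two settings the article describes.
#   1. user.cfg holds the password hash written by grub2-setpassword
#   2. which menuentry blocks still carry --unrestricted (bootable without
#      the password) and which do not
# The contents below are constructed samples standing in for
# /boot/grub2/user.cfg and /boot/grub2/grub.cfg; the hash is a placeholder.

SAMPLE_USER_CFG='GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH'

SAMPLE_GRUB_CFG=$(cat <<'EOF'
set superusers="root"
menuentry 'Example Linux (default kernel)' --class gnu-linux --class os --unrestricted $menuentry_id_option 'example-default' {
        linux /vmlinuz root=/dev/mapper/vg-root ro
}
menuentry 'Example Linux (rescue kernel)' --class gnu-linux --class os $menuentry_id_option 'example-rescue' {
        linux /vmlinuz-rescue root=/dev/mapper/vg-root ro
}
EOF
)

# Succeed when the user.cfg text holds a GRUB2_PASSWORD line in the
# grub.pbkdf2 hash format that grub2-setpassword writes.
password_hash_present() {
    printf '%s\n' "$1" | grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.'
}

# Print the title of each menuentry line in $1 whose --unrestricted state
# matches $2 ("yes" = has the parameter, "no" = lacks it). The title is the
# single-quoted string right after the menuentry keyword.
entry_titles() {
    printf '%s\n' "$1" | awk -F"'" -v want="$2" '
        /^menuentry / {
            has = ($0 ~ /--unrestricted/) ? "yes" : "no"
            if (has == want) print $2
        }'
}

unrestricted_entries() { entry_titles "$1" yes; }
protected_entries()    { entry_titles "$1" no; }

# Step 3 of the second procedure, applied to every menuentry line: remove
# the --unrestricted parameter so the entry needs the password to boot.
strip_unrestricted() {
    printf '%s\n' "$1" | sed '/^menuentry /s/ --unrestricted//'
}

# Report both checks; succeed only when the hash is present and no entry
# remains bootable without the password.
audit_grub_config() {
    grub_cfg=$1
    user_cfg=$2
    status=0
    if password_hash_present "$user_cfg"; then
        printf '%s\n' "ok:   user.cfg holds a grub2-setpassword hash"
    else
        printf '%s\n' "FAIL: user.cfg has no GRUB2_PASSWORD hash (run grub2-setpassword)"
        status=1
    fi
    open=$(unrestricted_entries "$grub_cfg")
    if [ -n "$open" ]; then
        printf 'FAIL: bootable without the password (--unrestricted):\n%s\n' "$open"
        status=1
    else
        printf '%s\n' "ok:   every menuentry requires the password to boot"
    fi
    return "$status"
}

printf '%s\n' "--- sample grub.cfg as generated (one entry still --unrestricted) ---"
audit_grub_config "$SAMPLE_GRUB_CFG" "$SAMPLE_USER_CFG" ||
    printf '%s\n' "(audit failed, as expected for the unmodified sample)"
printf '%s\n' "--- after deleting --unrestricted from every menuentry ---"
audit_grub_config "$(strip_unrestricted "$SAMPLE_GRUB_CFG")" "$SAMPLE_USER_CFG"
```

Run against a real system by replacing the two samples with `$(cat /boot/grub2/user.cfg)` and `$(cat /boot/grub2/grub.cfg)` as root. Because grub.cfg is a generated file, rerun the audit after any regeneration with grub2-mkconfig, since the generator may put --unrestricted back on entries you edited by hand.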