Grub2 allows us to configure very granular authentication, we can configure several users with their respective passwords and we can also give different permissions to each user.
The available permissions are:
- Boot: Allows to boot the kernel image.
- Edit: Allows to edit the kernel boot parameters.
We generate a valid password:
We define the users, in this case kr0m will be the superuser and kr0m2 a regular user:
echo 'set superusers="kr0m"'
echo 'password_pbkdf2 kr0m grub.pbkdf2.sha512.10000.8A3C50AXXXXXXXXDD0A1F808F2C3B'
echo 'password_pbkdf2 kr0m2 grub.pbkdf2.sha512.10000.8A3C50AYYYYYYYYYDD0A1F808F2C3B'
We define the permissions for each user, we need to edit the CLASS parameter:
Only the superuser kr0m can edit/boot kernel images:
CLASS="--class gnu-linux --class gnu --class os --users '""'"
The user kr0m2 can boot but can only edit the superuser:
CLASS="--class gnu-linux --class gnu --class os --users '"kr0m2"'"
It is possible to boot without the need for a user/password but only the superuser can edit, this is the most common option since if we restart a server it will not be necessary to be physically present to enter the boot password:
CLASS="--class gnu-linux --class gnu --class os --unrestricted"
We regenerate the grub configuration: