
Password GRUB2

 ·  🎃 kr0m

GRUB2 supports very granular authentication: we can configure several users, each with their own password, and give each user different permissions.

The available permissions are:

  • Boot: Allows booting the kernel image.
  • Edit: Allows editing the kernel boot parameters.

We generate the password hash (the command prompts for the password and prints the hash):

grub-mkpasswd-pbkdf2

We define the users, in this case kr0m will be the superuser and kr0m2 a regular user:

vi /etc/grub.d/35_auth

#!/bin/sh
echo 'set superusers="kr0m"'
echo 'password_pbkdf2 kr0m grub.pbkdf2.sha512.10000.8A3C50AXXXXXXXXDD0A1F808F2C3B'
echo 'password_pbkdf2 kr0m2 grub.pbkdf2.sha512.10000.8A3C50AYYYYYYYYYDD0A1F808F2C3B'

We make the script executable so that grub-mkconfig runs it:

chmod 755 /etc/grub.d/35_auth

We define the permissions for each user by editing the CLASS parameter:

vi /etc/grub.d/10_linux

Only the superuser kr0m can edit/boot kernel images:

CLASS="--class gnu-linux --class gnu --class os --users '""'"

The user kr0m2 can boot, but only the superuser can edit:

CLASS="--class gnu-linux --class gnu --class os --users '"kr0m2"'"

It is also possible to boot without a user/password while only the superuser can edit. This is the most common option, since restarting a server will not require anyone to be physically present to enter the boot password:

CLASS="--class gnu-linux --class gnu --class os --unrestricted"

We regenerate the grub configuration:

grub-mkconfig -o /boot/grub/grub.cfg
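
To confirm that the regenerated file matches the intended permissions, the script below lists who may boot each menu entry and checks that the superuser has a password hash. It is an added example, not part of the original article; the function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a generated grub.cfg for the settings described above.
# Assumes menu titles are single-quoted, as grub-mkconfig writes them.

# Constructed sample of grub-mkconfig output (hashes are placeholders).
sample_cfg() {
cat <<'EOF'
set superusers="kr0m"
password_pbkdf2 kr0m grub.pbkdf2.sha512.10000.PLACEHOLDER
password_pbkdf2 kr0m2 grub.pbkdf2.sha512.10000.PLACEHOLDER
menuentry 'Linux A' --class gnu-linux --class os --users '' $menuentry_id_option 'id-a' {
menuentry 'Linux B' --class gnu-linux --class os --users 'kr0m2' $menuentry_id_option 'id-b' {
menuentry 'Linux C' --class gnu-linux --class os --unrestricted $menuentry_id_option 'id-c' {
EOF
}

# Print "<who may boot><TAB><title>" for every menuentry line.
list_entry_access() {
    awk -v q="'" '/^[ \t]*menuentry[ \t]/ {
        split($0, part, q)                  # part[2] is the quoted title
        access = "superusers-only"          # default once superusers is set
        if ($0 ~ /--unrestricted/) access = "unrestricted"
        else if (match($0, /--users[ \t]+[^ \t]+/)) {
            users = substr($0, RSTART + 7, RLENGTH - 7)
            gsub(/[ \t]/, "", users); gsub(q, "", users); gsub(/"/, "", users)
            if (users != "") access = "users=" users
        }
        printf "%s\t%s\n", access, part[2]
    }' "$1"
}

# Return 0 when a superuser is named and each one has a PBKDF2 hash.
audit_grub_cfg() {
    file=$1; rc=0
    su=$(sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$file" | tail -n 1)
    [ -n "$su" ] || { echo "FAIL: no superuser named in $file"; return 1; }
    for u in $(printf '%s' "$su" | tr ',;|&' '    '); do
        grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$u[[:space:]]+grub\.pbkdf2\." "$file" ||
            { echo "FAIL: superuser '$u' has no password_pbkdf2 line"; rc=1; }
    done
    list_entry_access "$file"
    return "$rc"
}

# No argument: audit the constructed sample instead of a real file.
if [ $# -gt 0 ]; then audit_grub_cfg "$1"; else
    tmp=$(mktemp) && sample_cfg > "$tmp" && audit_grub_cfg "$tmp"; rm -f "$tmp"
fi
```

Run it as root with /boot/grub/grub.cfg as the argument; an entry reported as superusers-only will stop an unattended reboot at the password prompt.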
