grub: Authentication and authorisation

 
 18.1 Authentication and authorisation in GRUB
 =============================================
 
 By default, the boot loader interface is accessible to anyone with
 physical access to the console: anyone can select and edit any menu
 entry, and anyone can get direct access to a GRUB shell prompt.  For
 most systems, this is reasonable since anyone with direct physical
 access has a variety of other ways to gain full access, and requiring
 authentication at the boot loader level would only serve to make it
 difficult to recover broken systems.
 
    However, in some environments, such as kiosks, it may be appropriate
 to lock down the boot loader to require authentication before performing
 certain operations.
 
    The 'password' (⇒password) and 'password_pbkdf2' (⇒
 password_pbkdf2) commands can be used to define users, each of which
 has an associated password.  'password' sets the password in plain text,
 requiring 'grub.cfg' to be secure; 'password_pbkdf2' sets the password
 hashed using the Password-Based Key Derivation Function (RFC 2898),
 requiring the use of 'grub-mkpasswd-pbkdf2' (⇒Invoking
 grub-mkpasswd-pbkdf2) to generate password hashes.
 
    In order to enable authentication support, the 'superusers'
 environment variable must be set to a list of usernames, separated by
 any of spaces, commas, semicolons, pipes, or ampersands.  Superusers are
 permitted to use the GRUB command line, edit menu entries, and execute
 any menu entry.  If 'superusers' is set, then use of the command line
 and editing of menu entries are automatically restricted to superusers.
 Setting 'superusers' to the empty string effectively disables both access to
 the CLI and editing of menu entries.  Note: The environment variable needs
 to be exported to also affect the section defined by the 'submenu'
 command (⇒submenu).
 
    Other users may be allowed to execute specific menu entries by giving
 a list of usernames (as above) using the '--users' option to the
 'menuentry' command (⇒menuentry).  If the '--unrestricted' option
 is used for a menu entry, then that entry is unrestricted.  If the
 '--users' option is not used for a menu entry, then only superusers
 are able to use it.
 
    Putting this together, a typical 'grub.cfg' fragment might look like
 this:
 
      set superusers="root"
      password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
      password user1 insecure
 
      menuentry "May be run by any user" --unrestricted {
      	set root=(hd0,1)
      	linux /vmlinuz
      }
 
      menuentry "Superusers only" --users "" {
      	set root=(hd0,1)
      	linux /vmlinuz single
      }
 
      menuentry "May be run by user1 or a superuser" --users user1 {
      	set root=(hd0,2)
      	chainloader +1
      }
 
    The 'grub-mkconfig' program does not yet have built-in support for
 generating configuration files with authentication.  You can use
 '/etc/grub.d/40_custom' to add simple superuser authentication, by
 adding 'set superusers=' and 'password' or 'password_pbkdf2' commands.
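
    The rules above can be checked mechanically.  The following is an added
 example, not part of the GRUB manual or of GRUB itself: a Python audit of the
 text of a 'grub.cfg'.  The names 'audit_grub_cfg' and 'users', the severity
 labels and the sample input are assumptions made for illustration.

```python
import re
import shlex

SEP = re.compile(r"[ ,;|&]+")  # user-list separators the manual allows
def users(value):
    return [u for u in SEP.split(value) if u]

def audit_grub_cfg(text):
    """Return (severity, message) findings for the text of a grub.cfg."""
    supers, exported, submenu = None, False, False
    hashed, plain, entries = set(), set(), []
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw, comments=True)
        except ValueError:  # unbalanced quote on this line: naive split
            tok = raw.split()
        cmd, *args = tok or [""]
        if cmd == "set" and args and args[0].startswith("superusers="):
            supers = users(args[0].split("=", 1)[1])
        elif cmd == "export" and "superusers" in args:
            exported = True
        elif cmd in ("password", "password_pbkdf2") and args:
            (plain if cmd == "password" else hashed).add(args[0])
        elif cmd == "submenu":
            submenu = True
        elif cmd == "menuentry" and args:
            allowed = users(args[args.index("--users") + 1]) if "--users" in args[:-1] else []
            entries.append((args[0], "--unrestricted" in args, allowed))
    if supers is None:
        return [("HIGH", "superusers is not set: authentication is disabled")]
    known = hashed | plain
    out = [("HIGH", f"user '{u}' has a plain-text password") for u in sorted(plain)]
    out += [("WARN", f"superuser '{u}' has no password command") for u in supers if u not in known]
    if submenu and not exported:
        out.append(("WARN", "superusers is not exported: submenu sections are not covered"))
    out += [("INFO", f"entry '{t}' is unrestricted") for t, open_, _ in entries if open_]
    out += [("WARN", f"entry '{t}' lists undefined user '{u}'")
            for t, _, allowed in entries for u in allowed if u not in known]
    return out

# Constructed sample input, not taken from a real system.
SAMPLE = '''set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
password user1 insecure
submenu "Advanced" {
menuentry "Recovery" --users "user1,user2" {
}
}'''
print(*audit_grub_cfg(SAMPLE), sep="\n")
```

 The parser reads one command per line and does not expand variables or follow
 'source' and 'configfile', so run it on the final generated file.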