Thread: BuYS - Protecting the Grub
-
05-22-2011, 03:50 AM #11Network Security Administrator
Nope. The grub.cfg is not meant to be edited, because grub.cfg is overwritten if you update, if you add/remove a kernel, or if you run update-grub. To overcome the issue, you could use the custom file /etc/grub.d/40_custom, in which you can place entries. For Grub2 we have to make changes in the grub.cfg file (wherever it is located), I think.
And there are multiple files for configuration, like /etc/grub.d and /etc/default/grub (which is the main file).
-
-
05-22-2011, 07:46 AM #12Network Security Administrator
@fb1:
Actually, booting to a root shell/recovery boot is booting to single-user mode/recovery mode, or maintenance mode (AIX). This is done by passing an argument (single) to the kernel at boot time. This is not specific to a distribution; it's all about the boot loader (in our case GRUB).
As the saying goes, boot time is a period of special vulnerability.
Let's see what happens when a system boots, from the Linux perspective (people who know this may ignore this post).
When a computer is switched on, the first thing that happens is that it executes boot code stored in ROM. This very boot code looks for how to load and start the almighty KERNEL. Then the KERNEL probes the system's hardware and loads the first process, which is init. Filesystems are checked and mounted, and services are started, usually by shell scripts processed by init, so they are called init scripts.
The boot loader alone is responsible for loading the KERNEL. GRUB Legacy reads its configuration from /boot/grub/menu.lst or /boot/grub/grub.conf depending on the distro in use; for example, Fedora uses grub.conf whereas Ubuntu/SUSE/Solaris use menu.lst. The thing is, both files are similar, with only slight differences.
At boot time, KERNEL OPTIONS are very critical, like init=/bin/bash [similar to single-user mode; it just starts a bash shell].
For example:
In RedHat or Fedora, at the Grub menu type the letter "a" and you will switch to grub append mode.
Code:
grub append> ro root=/dev/abc/xyz efg quiet
Just append the word "single" at the end and you will get a root shell.
Code:
grub append> ro root=/dev/abc/xyz efg quiet single
On Solaris, at the boot PROM just typing "boot -s" makes you boot into single-user mode.
On HP-UX, at the prompt, typing "boot pri isl" and then "hpux -iS /stand/vmunix" makes you boot into single-user mode.
On AIX, just select maintenance mode from the boot menu, which lands you at a root shell.
One thing that must be noted is that it isn't persistent. I mean, when you edit/append something at boot time, it is non-persistent; you must manually change the kernel arguments in the configuration file, like grub.conf or menu.lst.
@abhaythehero:
If you have multiple operating systems, you must append the word "lock" to each entry after you have md5crypted.
On GRUB 2, the procedure is similar: just press "e" at the grub menu, locate the line "linux /boot/viml....." and remove "quiet"/"splash" or replace it with "single".
~Hackuin
-
-
05-22-2011, 10:21 AM #13Super Commando Dhruv
-
05-22-2011, 10:32 AM #14Super Commando Dhruv
@Hackuin Ohh.. I was wrong about grub.cfg. Thanks for the correction.

Yes, we have to change the /etc/grub.d/40_custom file (in the case of Debian derivatives like Ubuntu and Backtrack 5).
Shamelessly copying from the Ubuntu forums:
sudo gedit /etc/grub.d/40_custom
and add the lines:
set superusers="user1"
# password_pbkdf2 user1 grub.pbkdf2.sha512.10000.biglongstring
password user1 unencryptedpasswordhere
where "user1" will be the user with permission to access the Grub2 command line (or menu editing functions) and unencryptedpasswordhere will be the password required to access the Grub2 command line. (The commented line is for if a pbkdf2 encrypted password will be used.)
Then, as usual:
sudo update-grub
Last edited by abhaythehero; 05-22-2011 at 10:41 AM.
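The commented `password_pbkdf2` line above is the form worth using, since the plain `password` line stores the secret in cleartext in a world-readable file. The following added example (not from this thread or the Ubuntu forums) builds an entry in the same `grub.pbkdf2.sha512.<iterations>.<SALT>.<HASH>` format that grub-mkpasswd-pbkdf2 emits and shows how the bootloader checks a candidate against it; the default iteration count and 64-byte salt/hash sizes are assumptions taken from that tool's defaults, and the salt is fixed only for reproducibility.

```python
"""Build and check GRUB 2 PBKDF2 password entries for /etc/grub.d/40_custom."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed defaults of grub-mkpasswd-pbkdf2: 10000 iterations, 64-byte salt,
# PBKDF2-HMAC-SHA512 with a 64-byte derived key, hex digits in upper case.
DEFAULT_ITERATIONS = 10000
SALT_LEN = 64
HASH_LEN = 64


def grub_pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return 'grub.pbkdf2.sha512.<iter>.<SALT>.<HASH>' for the given password."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                                 iterations, HASH_LEN)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (
        iterations, salt.hex().upper(), digest.hex().upper())


def verify_grub_password(candidate: str, entry: str) -> bool:
    """Re-derive the key from the stored entry; constant-time compare."""
    parts = entry.split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        return False  # not a pbkdf2 entry (e.g. a cleartext 'password' line)
    iterations = int(parts[3])
    salt, stored = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    derived = hashlib.pbkdf2_hmac("sha512", candidate.encode(), salt,
                                  iterations, len(stored))
    return hmac.compare_digest(derived, stored)


def custom_entry(user: str, entry: str) -> str:
    """Lines to append to /etc/grub.d/40_custom before running update-grub.
    With superusers set, editing entries and the command line need this login;
    menu entries stay locked unless declared with 'menuentry --unrestricted'."""
    return 'set superusers="%s"\npassword_pbkdf2 %s %s\n' % (user, user, entry)


if __name__ == "__main__":
    # Constructed demo values; use a random salt (salt=None) for real use.
    demo = grub_pbkdf2_hash("s3cret", bytes(range(SALT_LEN)))
    print(custom_entry("user1", demo))
    print("check:", verify_grub_password("s3cret", demo))
```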
-
06-01-2011, 05:22 PM #15Security Researcher
Specifically for GRUB 1, you can try the method listed here (the difference is that even if you are using single-user mode, Debian still asks for the root password):
http://blog.anantshri.info/how-to-ch...ord-in-debian/
This I posted way back around 2007....
Also, GRUB 2 is a lot more tricky an affair. @Hackuin Thanks for providing the correct details......
-