Whole document tree
9. Protecting your computer from cracking
You may be interested in how to prevent ordinary users from doing whatever they like, if you share your computer with other people. So this chapter describes how to improve the security of GRUB.
One thing which could be a security hole is that the user can do too
many things with GRUB, because GRUB allows to modify its configuration
and run arbitrary commands at run-time. For example, the user can read
even `/etc/passwd' in the command-line interface by the command
Thus, GRUB provides password feature, so that only administrators
can start the interactive operations (i.e. editing menu entries and
entering the command-line interface). To use this feature, you need to
run the command
If this is specified, GRUB disallows any interactive control, until you press the key p and enter a correct password. The option `--md5' tells GRUB that `PASSWORD' is in MD5 format. If it is omitted, GRUB assumes the `PASSWORD' is in clear text.
Then, cut and paste the encrypted password to your configuration file.
Also, you can specify an optional argument to
In this case, GRUB will load `/boot/grub/menu-admin.lst' as a configuration file when you enter the valid password.
Another thing which may be dangerous is that any user can choose any menu entry. Usually, this wouldn't be problematic, but you might want to permit only administrators to run some of your menu entries, such as an entry for booting an insecure OS like DOS.
GRUB provides the command
You should insert
You can also use the command
This document was generated by Jason Thomas on February, 4 2002 using texi2html