LFCS – GRUB Installation and Security

Jarret B

After the previous article on resetting the Root password (https://linux.org/threads/lfcs-–-how-to-recover-root-password.25257/), you may wonder about the security of Linux. If you can use the GRand Unified Bootloader (GRUB) to bypass Root privileges, then there seems to be no security.

In this article I will cover how to install GRUB as well as secure it so it will not be easy to gain Root privileges.

GRUB Installation

When you install any Linux distro you will most likely have GRUB installed as well. In a few cases you may need to install GRUB later, or even reinstall it if something has happened to it.

No matter the distro you can install GRUB with the following command:

Code:
sudo grub-install /dev/sdX

The ‘X’ is replaced with the letter of your boot drive (in most cases it will be ‘/dev/sda’). Once GRUB is installed you can manipulate GRUB as you need to, such as adding a Theme (https://linux.org/threads/grub-themes.24890/).

NOTE: The GRUB installation command is for BIOS systems which is what is covered on the LFCS exam. A UEFI system will be different.

Now you will need to know how to secure the GRUB menu if you need to do so.

Securing GRUB

GRUB can be secured to prevent users from editing the menu. Editing the menu can change the boot process and even allow the Root password to be changed. By securing GRUB you can prevent anyone from editing the menu at boot time by pressing ‘e’ at the GRUB menu.

By securing GRUB anyone attempting to edit the menu will be required to enter a username and password.

NOTE: It is important to understand that GRUB does not interact with Linux security. The username used is not taken from the Linux system. You can specify any username you wish as well as a distinct password separate from Linux.

We will be working with the file ‘/etc/grub.d/01_users’. If it exists then you may want to make a backup. If it doesn’t exist then you will need to create it. The standard ‘01_users’ file contains the following:

Code:
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
   source \${prefix}/user.cfg
   if [ -n "\${GRUB2_PASSWORD}" ]; then
      set superusers="root"
      export superusers
      password_pbkdf2 root \${GRUB2_PASSWORD}
   fi
fi
EOF

NOTE: If the file ‘01_users’ does not exist then you will need to create it and set the permissions to 755. To set the proper permissions you can use the command ‘sudo chmod 755 01_users’.

To set up the username as “Jarret” and a case-sensitive password of “CentOS” the file would be changed to:

Code:
#!/bin/sh -e
cat << EOF
    set superusers="jarret"
    password jarret CentOS
EOF

Before rebooting to test the password you need to update GRUB by using the command:

Code:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg

At this point, if you reboot and press ‘e’ on a GRUB menu entry, you will be prompted for the username you specified. You will then be asked for the password, which is case-sensitive. Once you enter the correct username and password you can edit the selected entry. If you press Escape to go back, choose a different entry and press ‘e’, you will not be prompted for the username and password again.

You may look at the ‘01_users’ file and not feel safe with a plain text password. Let’s look at using an encrypted (PBKDF2-hashed) password.

To create an encrypted password you use the command:

Code:
sudo grub2-mkpasswd-pbkdf2

Once you have typed the command you may be prompted for the password to use ‘sudo’. The prompt will start with ‘[sudo]’ as follows:

[sudo] password for jarret:

You will then be prompted for the password you want encrypted and then to verify it, as follows:

[jarret@localhost ~]$ sudo grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.B7B3C52579FB9147F0ADC3F390C3B6DA63C94C736ADE4F5C5F22E767E925941BCA2E240FC25BDF687D91BB795327B90AD518905F09C9311EC38F3C74613D2D86.1E67B52F69F14E4304C3FBDF18940C880702BF0A05D3B7D7D422747F33ECF61D044F83E882D10BCD2D4277851E5E485B12CF9BB44C7E45B13D268CB502075606


You will need to highlight and copy everything after the ‘your password is’ section. It will replace the password in the ‘01_users’ file:

Code:
#!/bin/sh -e
cat << EOF
    set superusers="jarret"
    password_pbkdf2 jarret grub.pbkdf2.sha512.10000.B7B3C52579FB9147F0ADC3F390C3B6DA63C94C736ADE4F5C5F22E767E925941BCA2E240FC25BDF687D91BB795327B90AD518905F09C9311EC38F3C74613D2D86.1E67B52F69F14E4304C3FBDF18940C880702BF0A05D3B7D7D422747F33ECF61D044F83E882D10BCD2D4277851E5E485B12CF9BB44C7E45B13D268CB502075606
EOF

You will also need to add ‘_pbkdf2’ to the end of ‘password’, before the username. Once this is done you can save the file and you will need to update GRUB:

Code:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg

NOTE: If you are worried about anyone changing the ‘01_users’ file and removing the password, you can edit your BIOS and remove the ability to boot from a USB device. Anyone booting from a USB device can load Linux and access the files on your hard disk, making changes to them.

Ubuntu

The commands can be done on an Ubuntu system as easily as a CentOS system. The commands are slightly different though.

NOTE: The username and password are required not only to edit the setting but also to make any selection in the GRUB menu.

To start you need to create the ‘01_users’ file in ‘/etc/grub.d/’, which should contain:

Code:
#!/bin/sh -e
cat << EOF
       set superusers="jarret"
       password jarret Ubuntu
EOF

The very important part is the next command:

Code:
sudo chmod 755 01_users

To make the changes take effect you need to perform one of the following commands:

Code:
sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo update-grub

The commands both perform the same function by updating GRUB for the changes to be active at the next reboot.

If you want the password to be encrypted and not in plain text then use the command:

Code:
sudo grub-mkpasswd-pbkdf2

You may then need to enter the password for ‘sudo’, and then the password for encryption and verify it. The output will be like the following if the password is ‘Ubuntu’:

PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.EBD49BEBD5F96273BB8C5A3ADD5A4C40059A94AFB5853F1B100B8C78899C9B4966DFB5FA4E8DC7D66DCDC1D6E6DA1E7EAEAA4CEC332C469706A9CB4784213095.81EA82C03BF9BFACDB6231B404DACF9873ECD16EB5978B99C03054876F855E9123E62B974A5F833BA52C34996CA4F0B42CDD7FC653F2FA4BC46DECE21DC3E0EC

You will need to copy the whole portion after ‘your password is’ and paste it into ‘/etc/grub.d/01_users’ after the specified username as shown:

Code:
#!/bin/sh -e
cat << EOF
    set superusers="jarret"
    password_pbkdf2 jarret grub.pbkdf2.sha512.10000.4CB40ACD57816D9304A961E6342329326E68BF952E6DD89CFAF517B1C7E4F9AEDAA46FBF0DB12FDBD90DE3041A2DB09EA259DD84120ACDB98021A0BC617E806A.8D821C596FA420E7EF7F08D74C342690A661CBBE18958EB86492829F25E8E42BE9CF472746198D248EF632C4B6C35215D87C488012C6929135B32A0C42DA74A3
EOF

Once the information is saved you need to update GRUB using one of the two methods listed previously.

Keep in mind the note made about a BIOS password. If anyone can boot from a USB device into Linux they can edit the ‘01_users’ file and remove your password. A person could then edit GRUB and change the Root password. If you have a server which requires high security then you would place it in a secure room to prevent such things from occurring.

For the LFCS exam make sure you understand the process of making and setting a GRUB password.
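
An added example, not part of the original article: a small audit of the directives described above, usable on ‘/etc/grub.d/01_users’ or on a generated grub.cfg on either CentOS or Ubuntu. The names ‘audit_grub_users’ and ‘demo_audit’ and the sample files are hypothetical, and the sample hash is a shortened constructed value.

```shell
#!/bin/sh
# Added example (not from the article): audit GRUB user directives in a file
# such as /etc/grub.d/01_users or a generated grub.cfg. Names are hypothetical.

# audit_grub_users FILE: prints findings; returns 0 when clean, 1 otherwise.
audit_grub_users() {
    awk '
    # Names from: set superusers="a,b" (separators: space , ; & |)
    $1 == "set" && $2 ~ /^superusers=/ {
        list = $0; sub(/^[^"]*"/, "", list); sub(/".*$/, "", list)
        n = split(list, names, /[ ,;&|]+/)
        for (i = 1; i <= n; i++) if (names[i] != "") super[names[i]] = 1
    }
    # "password USER SECRET" leaves the secret readable in the file.
    $1 == "password" && NF >= 3 {
        print "FAIL: plain-text password for user " $2; bad = 1; haspw[$2] = 1
    }
    $1 == "password_pbkdf2" && NF >= 3 {
        haspw[$2] = 1
        # A "$" means the hash is read from a variable (stock CentOS file).
        if (index($3, "$") == 0 &&
            $3 !~ /^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$/) {
            print "FAIL: malformed PBKDF2 hash for user " $2; bad = 1
        }
    }
    END {
        for (u in super) {
            cnt++
            if (!(u in haspw)) { print "FAIL: superuser " u " has no password"; bad = 1 }
        }
        if (cnt == 0) { print "FAIL: no superusers defined"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed samples: the plain-text form from the article and a hashed form
# (the hash is a shortened placeholder value, not real grub2-mkpasswd output).
demo_audit() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'set superusers="jarret"' 'password jarret CentOS' > "$d/plain"
    printf '%s\n' 'set superusers="jarret"' \
        'password_pbkdf2 jarret grub.pbkdf2.sha512.10000.0A1B2C3D.4E5F6071' > "$d/hashed"
    plain_rc=0;  audit_grub_users "$d/plain"  || plain_rc=$?
    hashed_rc=0; audit_grub_users "$d/hashed" || hashed_rc=$?
    rm -rf "$d"
    echo "plain=$plain_rc hashed=$hashed_rc"
}
demo_audit
```

Running the function on the generated configuration after updating GRUB shows whether a plain text password or a superuser without any password made it into the file that is read at boot.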
 