Bug#545163: How to add a password to grub-pc

Jeroen Massar jeroen at unfix.org
Tue Oct 27 13:43:36 UTC 2009


It is not too hard to just have a password which blocks people from
editing the grub options (and thus let them do init=/bin/sh). That in
combo with a proper BIOS lock from booting from anything else but the
main disk will at least deter people from quickly changing the disk.
Of course as they have physical access they can do a lot of other
things, but it helps a bit ;)

(and can be very annoying if you forget your password though, but heck)

To just add a password which thus doesn't allow editing of boot entries:
8<-------------------------------------------------------
jeroen@purgatory:~$ cat /etc/grub.d/42_password
#!/bin/sh
exec tail -n +3 $0
# add a password so that grub entries can't be edited

set superusers="jeroen"
password jeroen mypassword
------------------------------------------------------->8

For having per-entry user limits though it will be a lot more complex.

It would be good to have MD5 or actually better SHA256 hashing there,
but then again if one can read the generated /boot/grub/grub.cfg then
you already have root and you can just change it anyway...

Greets,
 Jeroen
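
A small audit of a generated grub.cfg for the setup described in this mail, as an added example that is not part of the original message: it reports a missing `superusers`, a superuser with no password line, a clear-text `password` line, and a world-readable file. `audit_grub_cfg` and `sample_cfg` are hypothetical names; `password_pbkdf2` is the hashed directive in current GRUB 2 and is not mentioned in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail. Prints one finding per line;
# prints nothing when the password setup looks sound.
audit_grub_cfg() {
    cfg=$1

    # Without "set superusers", nothing restricts editing of boot entries.
    users=$(sed -n 's/^[[:space:]]*set[[:space:]][[:space:]]*superusers="\{0,1\}\([^"]*\).*/\1/p' "$cfg" | tr ',;' '  ')
    [ -n "$users" ] || echo "NO_SUPERUSERS"

    # Every superuser needs a password or password_pbkdf2 line.
    # (User names are assumed to contain no regex metacharacters.)
    for u in $users; do
        grep -Eq "^[[:space:]]*password(_pbkdf2)?[[:space:]]+$u[[:space:]]" "$cfg" \
            || echo "NO_PASSWORD_FOR:$u"
    done

    # A plain "password" line keeps the secret in clear text in the file.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "PLAINTEXT_PASSWORD"
    fi

    # Mode bit check: can "other" read the file, and with it the secret?
    if [ -n "$(find "$cfg" -perm -004)" ]; then
        echo "WORLD_READABLE"
    fi
}

# Constructed sample: the two directives from the mail, written to a
# temporary file with the given mode (hypothetical helper for the demo).
sample_cfg() {
    f=$(mktemp)
    printf '%s\n' 'set superusers="jeroen"' 'password jeroen mypassword' > "$f"
    chmod "$1" "$f"
    echo "$f"
}

f=$(sample_cfg 644)
audit_grub_cfg "$f"
rm -f "$f"
```

On a real system the function would be pointed at /boot/grub/grub.cfg after the configuration has been regenerated.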
