On 2015-04-13 00:36, gogalthorp wrote:
>
> Here is the thing though if you lock it down like you want to then if
> there is a problem no one will be bale to fix it. Say a kernel update is
> broken normally going to advanced mode allows booting a previous kernel.
> If the Video is broken then it may be needed to boot in
> advanced-recovery mode. At boot it is unknown who is booting.
Grub has had a feature to request a password for ages. I have never used
it, but it should just do what the OP is asking about.
The manual talks about it:
File: grub.info, Node: Security, Next: Images, Prev: Preset Menu,
Up: Top
9 Protecting your computer from cracking
You may be interested in how to prevent ordinary users from doing
whatever they like, if you share your computer with other people. So
this chapter describes how to improve the security of GRUB.
One thing which could be a security hole is that the user can do too
many things with GRUB, because GRUB allows one to modify its
configuration and run arbitrary commands at run-time. For example, the
user can even read /etc/passwd' in the command-line interface by the command
cat’ (*note cat::). So it is necessary to disable all the
interactive operations.
Thus, GRUB provides a “password” feature, so that only administrators
can start the interactive operations (i.e. editing menu entries and
entering the command-line interface). To use this feature, you need to
run the command `password’ in your configuration file (*note
password::), like this:
password --md5 PASSWORD
If this is specified, GRUB disallows any interactive control, until
you press the key
and enter a correct password. The option --md5' tells GRUB that
PASSWORD’ is in MD5 format. If it is omitted, GRUB
assumes the `PASSWORD’ is in clear text.
… (continues)
Another thing which may be dangerous is that any user can choose any
menu entry. Usually, this wouldn’t be problematic, but you might want to
permit only administrators to run some of your menu entries, such as an
entry for booting an insecure OS like DOS.
GRUB provides the command `lock’ (*note lock::). This command always
fails until you enter the valid password, so you can use it, like this:
title Boot DOS
lock
rootnoverify (hd0,1)
makeactive
chainload +1
However, the above doc is for grub 1. I do not know about grub 2, but
I’d expect similar features.
–
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” (Minas Tirith))