wish to prevent grub2 procedure to change root password

Hello,

Linux localhost.localdomain 5.3.18-lp152.60-default #1 SMP Tue Jan 12 23:10:31 UTC 2021 (9898712) x86_64 x86_64 x86_64 GNU/Linux

I wish to prevent the grub2 boot procedure from being used to change the root password ("grub menu, press e to edit" …), or any attempt to access my operating system by modifying the grub2 configuration.

I tried to apply this procedure: https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha-grub2.html

especially:
"sudo grub2-mkpasswd-pbkdf2

then editing /etc/grub.d/40_custom, by copy grub.pbkdf2.sha512…

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512…
sudo grub2-mkconfig -o /boot/grub2/grub.cfg"

but this is not my goal: I wish to keep automatic grub2 boot, but this procedure prevents automatic boot; I am obliged to type the password at the grub2 boot to authorize grub to boot.

Can you help me with how to prevent the grub2 menu procedure from changing the root password, or changing the grub2 configuration, while keeping automatic grub2 boot? Thanks

Hi
Via YaST Bootloader, set the timeout to zero and check the hide grub option. In the BIOS, hide the boot key option as well (and/or require a BIOS password).

You need to set the unrestricted_menu environment variable:

set unrestricted_menu=y

Note that it will allow booting any menu entry without authentication. It is possible to allow selected menu entries by using "menuentry … --unrestricted", but the standard grub-mkconfig scripts do not have any support for it.
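An added audit helper (not from this thread, the openSUSE documentation or the grub2 package) that checks a generated grub.cfg for the combination discussed in the question and in this reply: menu editing locked behind a PBKDF2 password (set superusers plus password_pbkdf2) while automatic boot is kept (unrestricted_menu=y or menuentry … --unrestricted). The two sample configs are constructed and the hash is a placeholder; on a real system you would point it at /boot/grub2/grub.cfg.

```shell
#!/bin/sh
# Audit a grub.cfg for: superusers set, PBKDF2 password present, no plaintext
# 'password' directive, and some way to boot without the prompt.
audit_grub_cfg() {
    cfg="$1"; rc=0
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg"; then
        echo "FAIL: no 'set superusers=' line, the menu is not protected"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.sha512\.' "$cfg"; then
        echo "FAIL: no password_pbkdf2 line with a grub.pbkdf2.sha512 hash"; rc=1
    fi
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "FAIL: plaintext 'password' directive present, use password_pbkdf2"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+unrestricted_menu=y' "$cfg" &&
       ! grep -Eq '^[[:space:]]*menuentry[[:space:]].*--unrestricted' "$cfg"; then
        echo "FAIL: no unrestricted_menu=y and no --unrestricted entries, every boot will prompt"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cfg protects editing and still boots automatically"
    return "$rc"
}

# Constructed samples: LOCKED_CFG reproduces the poster's state (password set, but
# every boot prompts); FIXED_CFG adds unrestricted_menu=y as the reply suggests.
# The hash value is a PLACEHOLDER, not real grub2-mkpasswd-pbkdf2 output.
SAMPLE_DIR=$(mktemp -d)
LOCKED_CFG="$SAMPLE_DIR/locked.cfg"
FIXED_CFG="$SAMPLE_DIR/fixed.cfg"
cat >"$LOCKED_CFG" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'openSUSE Leap 15.2' {
    linux /boot/vmlinuz root=/dev/sda2
}
EOF
{ echo 'set unrestricted_menu=y'; cat "$LOCKED_CFG"; } >"$FIXED_CFG"

audit_grub_cfg "$LOCKED_CFG" || :   # expected to report the missing unrestricted_menu
audit_grub_cfg "$FIXED_CFG"         # expected to report OK
```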

Even if the GRUB2 configuration is changed and, assuming that the system still boots as a result of that change, without knowledge of the machine's system passwords, such as the password of the user "root", the attacker will not be able to access anything on the machine …

  • At least, that was the case before CVE-2020-10713 …

I assume that you're worried about this statement –

Even before the operating system is booted, GRUB 2 enables access to file systems. Users without root permissions can access files in your Linux system to which they have no access after the system is booted.

Which may be related to the GRUB2 "BootHole" CVE-2020-10713 UEFI Secure Boot issue …

Now it'll get really interesting …

  • “rpm --query --changelog grub2-x86_64-efi”

* Fr Jul 03 2020 Michael Chang <mchang@suse.com>
- Fix for **CVE-2020-10713** (bsc#1168994)
  * 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
  (bsc#1173812)
  * 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch
  * 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch
  * 0004-calloc-Use-calloc-at-most-places.patch
  * 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch
  * 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch
  * 0007-font-Do-not-load-more-than-one-NAME-section.patch
- Fix CVE-2020-15706 (bsc#1174463)
  * 0008-script-Remove-unused-fields-from-grub_script_functio.patch
  * 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch
- Fix CVE-2020-15707 (bsc#1174570)
  * 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
- Use overflow checking primitives where the arithmetic expression for buffer
  allocations may include unvalidated data
- Use grub_calloc for overflow check and return NULL when it would occur
  * 0001-add-support-for-UEFI-network-protocols.patch
  * 0003-bootp-New-net_bootp6-command.patch
  * grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
  * grub2-btrfs-09-get-default-subvolume.patch
  * grub2-gfxmenu-support-scrolling-menu-entry-s-text.patch
  * grub2-grubenv-in-btrfs-header.patch

Bottom line – I suspect that the CVE-2020-10713 issue was fixed around August last year …