Previous Section  < Day Day Up >  Next Section

Recipe 12.15. Locking Out Users from Individual GRUB Menu Entries

12.15.1 Problem

Your GRUB menu contains several entries. You don't want any user to be able to boot any entry; you would like to lock out users from some of the entries.

12.15.2 Solution

First set up a GRUB password (Recipe Recipe 12.14), then use the lock command in menu.lst:

title    Libranet GNU/Linux, kernel 2.4.21, single user mode


root     (hd0,0)

kernel   /boot/vmlinuz-2.4.21 root=/dev/hda1 ro single

GRUB reads menu.lst in order, so everything after lock is blocked from users who do not have the password. Don't lock out the title, or no one will be able to boot to this entry. Users without the password will only be able to boot to unlocked entries. If they try locked entries, they will get an error message:

Error 32: Must be authenticated

It's a good idea to use titles that tell users which ones are restricted:

Libranet GNU/Linux, kernel 2.4.21, single user mode, AUTHENTICATION REQUIRED

12.15.3 Discussion

Using a GRUB password and lock is useful on shared workstations—for example, in classrooms, training labs, and the workplace. However, anyone with physical access to the box can use a bootable rescue disk to gain unrestricted access. This can be foiled by disabling the rescue disks in the system BIOS, but don't forget how many different boot devices there are now: floppy disks, CDs, USB devices, SuperDisks, Jaz/Zip disks, Ethernet Wake-on-LAN, and probably some more I haven't thought of. Then set a BIOS password when you're done.

Still, a determined user can open the case and reset the BIOS password with a jumper on the motherboard. You could put a physical lock on the case, but even then a really determined person could haul the whole works out the door.

How far you need to go on boot security is obviously something you need to evaluate for your particular situation.

12.15.4 See Also

    Previous Section  < Day Day Up >  Next Section