Recipe 12.15. Locking Out Users from Individual GRUB Menu Entries
First set up a GRUB password (Recipe 12.14), then use the lock command in menu.lst:
    title Libranet GNU/Linux, kernel 2.4.21, single user mode
    lock
    root (hd0,0)
    kernel /boot/vmlinuz-2.4.21 root=/dev/hda1 ro single
GRUB reads menu.lst in order, so everything after lock is blocked for users who do not have the password. Put lock after the title line, not before it; if you lock out the title, no one will be able to boot this entry. Users without the password will only be able to boot the unlocked entries. If they select a locked entry, they get this error message:
    Error 32: Must be authenticated
It's a good idea to use titles that tell users which entries are restricted:
    Libranet GNU/Linux, kernel 2.4.21, single user mode, AUTHENTICATION REQUIRED
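As an added example (not from the book), here is a small Python audit of a menu.lst based on the rules above: it parses the file in GRUB's top-to-bottom order, reports which entries are locked, checks that a password line exists, and flags a lock typed above a title, which ends up belonging to the entry before it. The sample menu.lst and its password hash are constructed placeholders.

```python
"""Audit a GRUB legacy menu.lst for the lock/password setup described above."""
# Constructed sample (not a real system's menu.lst). The third entry's lock
# was put above its title, so it actually ends the second entry instead.
SAMPLE_MENU_LST = """\
default 0
timeout 10
password --md5 $1$PLACEHOLDERHASH
title Libranet GNU/Linux, kernel 2.4.21
root (hd0,0)
kernel /boot/vmlinuz-2.4.21 root=/dev/hda1 ro
title Libranet GNU/Linux, kernel 2.4.21, single user mode, AUTHENTICATION REQUIRED
lock
root (hd0,0)
kernel /boot/vmlinuz-2.4.21 root=/dev/hda1 ro single
lock
title Libranet GNU/Linux, kernel 2.4.21, recovery mode
root (hd0,0)
kernel /boot/vmlinuz-2.4.21 root=/dev/hda1 ro single
"""

def parse_menu_lst(text):
    """Split menu.lst into the global preamble and a list of entries. GRUB
    reads top to bottom: 'title' opens an entry that owns every line up to
    the next 'title'."""
    preamble, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("title"):
            entries.append({"title": line[5:].strip(), "commands": []})
        elif entries:
            entries[-1]["commands"].append(line)
        else:
            preamble.append(line)
    return preamble, entries

def audit_menu_lst(text):
    """Report locked/unlocked entries, whether a password line exists, and any
    entry whose predecessor ends in 'lock' (a lock typed above a title guards
    the entry before it, leaving the one below open)."""
    preamble, entries = parse_menu_lst(text)
    report = {"has_password": any(c.startswith("password") for c in preamble),
              "locked": [], "unlocked": [], "suspect": []}
    for i, entry in enumerate(entries):
        cmds = entry["commands"]
        report["locked" if "lock" in cmds else "unlocked"].append(entry["title"])
        if cmds and cmds[-1] == "lock" and i + 1 < len(entries):
            report["suspect"].append(entries[i + 1]["title"])
    return report
```

Run it against /boot/grub/menu.lst after editing; an empty "suspect" list and "has_password" set to True mean the locks are placed as the recipe describes.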
Using a GRUB password and lock is useful on shared workstations—for example, in classrooms, training labs, and the workplace. However, anyone with physical access to the box can use a bootable rescue disk to gain unrestricted access. This can be foiled by disabling booting from such devices in the system BIOS, but don't forget how many different boot devices there are now: floppy disks, CDs, USB devices, SuperDisks, Jaz/Zip disks, Ethernet Wake-on-LAN, and probably some more I haven't thought of. Then set a BIOS password when you're done.
Still, a determined user can open the case and reset the BIOS password with a jumper on the motherboard. You could put a physical lock on the case, but even then a really determined person could haul the whole works out the door.
How far you need to go on boot security is obviously something you need to evaluate for your particular situation.
12.15.4 See Also