Opened 12 years ago
Closed 12 years ago
#3039 closed enhancement (invalid)
GRUB-1.99 Security Patches
| Reported by: | mad77 | Owned by: | |
|---|---|---|---|
| Priority: | lowest | Milestone: | 7.2 |
| Component: | Book | Version: | SVN |
| Severity: | trivial | Keywords: | Lock up GRUB |
| Cc: |
Description
I thought to put this under "Hints" but was unable to create account there so it will be posted here (LFS book).
Someone put it under HINTS please :)
GRUB - Most advanced bootloader and yet so "insecure". Long story short. Anyone who has access to bootmenu can grant root access by simply adding init=/bin/sh to grub command line. Think of it as Library, School , Internet Caffee etc. Admin, place where people have access to Keyboard Monitor Mouse but no physical access to machine. They can not put Floppy / CD / DVD / USB stick / Firewire or anything into cardreader or any other slots/ports , but still after reboot (provoked or simple error) are presented with GRUB boot menu.
From that moment it is possible to edit boot cmdline or enter custom one (press "e" or "c" keys) and grant root access (init=/bin/sh issue ...).
To secure the machine You can lock grub with adding password(s) to menu(s) but it requires You (Admin) to be there and unlock the machine.
That can be pain in the ...
I wrote patches for GRUB-1.99 that remove "c" and "e" command line options thus disabling user to edit / put custom boot cmdline to grub. Either boot what You are offered or don't boot at all. Result = Locked up grub, but no password required.
There are also 2 "cosmetic" patches, one for "silent" grub and another to say that it is locked up version of GRUB.
So here it is:
GRUB 1.99 - Supress GRUB startup messages and lock grub up
Silent patch does as it says. It removes Welcoming / Loading messages.
Loading GRUB ... Welcome to GRUB!
This one disables 'c' , command line mode. No manual boot parameters or playing with GRUB.
No Edit patch removes 'e' key which enables editing of boot command-line.
And finally change Bootmesg to say that this version of GRUB is LOCKED.
Installing GRUB
First applay patches if wanted :
patch -Np1 -i ../grub-1.99-silent.patch patch -Np1 -i ../grub-1.99-nocmd.patch patch -Np1 -i ../grub-1.99-noedit.patch patch -Np1 -i ../grub-1.99-lockedmsg.patch
Configure GRUB and run make :
./configure --prefix=/usr --sysconfdir=/etc --disable-grub-emu-usb --disable-efiemu --disable-werror --disable-nls && make
Finally install it as root :
make install /sbin/ldconfig
Maybee Someone finds this usefull, i did. Thanx Mad
Attachments (4)
Change History (5)
by , 12 years ago
| Attachment: | grub-1.99-silent.patch added |
|---|
by , 12 years ago
| Attachment: | grub-1.99-noedit.patch added |
|---|
by , 12 years ago
| Attachment: | grub-1.99-nocmd.patch added |
|---|
by , 12 years ago
| Attachment: | grub-1.99-lockedmsg.patch added |
|---|
comment:1 by , 12 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
Just email be the hint directly to lfs-dev mailing list.