id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
3039	GRUB-1.99 Security Patches	mad77	lfs-book@…	"I thought to put this under ""Hints"" but was unable to create an account there, so it will be posted here (LFS book).[[BR]]
Someone please put it under HINTS :)

'''GRUB''' - the most advanced bootloader and yet so ""insecure"". Long story short: anyone who has access to the boot menu can gain '''root''' access by simply adding init=/bin/sh to the GRUB command line. Think of a library, school, Internet cafe etc.: a place where people have access to keyboard, monitor and mouse but no physical access to the machine. They cannot put a floppy / CD / DVD / USB stick / FireWire device or anything else into a card reader or any other slots/ports, but after a reboot (provoked or a simple error) they are still presented with the GRUB boot menu.[[BR]]
From that moment it is possible to edit the boot command line or enter a custom one (press the ""e"" or ""c"" key) and gain root access (the init=/bin/sh issue ...).
To secure the machine you can lock GRUB by adding password(s) to the menu(s), but that requires you (the admin) to be there to unlock the machine. [[BR]]
That can be a pain in the ...[[BR]]
I wrote patches for GRUB-1.99 that remove the ""'''c'''"" and ""'''e'''"" command-line options, thus preventing the user from editing or entering a custom boot command line in GRUB. Either boot what you are offered or don't boot at all. Result = locked-up GRUB, but no password required.
[[BR]]
There are also 2 ""cosmetic"" patches, one for a ""silent"" GRUB and another to say that it is a locked-up version of GRUB.

So here it is:

== GRUB 1.99 - Suppress GRUB startup messages and lock GRUB up ==

The silent patch does as it says. It removes the welcome / loading messages:

{{{
Loading GRUB ...
Welcome to GRUB!
}}}


The nocmd patch disables ''''c'''', '''command-line''' mode: no manual boot parameters or playing with GRUB.

The noedit patch removes the ''''e'''' key, which enables '''editing''' of the boot command line.

And finally the lockedmsg patch changes the boot message to say that this version of '''GRUB is LOCKED'''.[[BR]]

'''Installing GRUB'''

First apply the patches if wanted:

{{{
patch -Np1 -i ../grub-1.99-silent.patch
patch -Np1 -i ../grub-1.99-nocmd.patch
patch -Np1 -i ../grub-1.99-noedit.patch
patch -Np1 -i ../grub-1.99-lockedmsg.patch
}}}

Configure GRUB and run make:

{{{
./configure --prefix=/usr --sysconfdir=/etc --disable-grub-emu-usb --disable-efiemu --disable-werror --disable-nls && 
make
}}}

Finally, install it as '''root''':

{{{
make install
/sbin/ldconfig
}}}

Maybe someone finds this useful, I did.
Thanks
Mad


"	enhancement	closed	lowest	7.2	Book	SVN	trivial	invalid	Lock up GRUB	

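Added example, not part of the ticket above and not GRUB's own code: the post mentions password-protecting the menu as the alternative to patching out the ""e"" and ""c"" keys. The POSIX sh script below (assumes GNU/BSD `grep -E` and `mktemp -d`) audits a grub.cfg for that lock. `set superusers=` together with a `password` or `password_pbkdf2` line makes the ""e"" and ""c"" keys require authentication; a `menuentry` carrying `--unrestricted` still boots without a prompt, which removes the ""admin must be there"" problem the post complains about. Assumption to verify against your version's manual: `--unrestricted` is not in the 1.99 release this ticket targets but appeared in GRUB 2.00 and later. The three sample configurations and their PBKDF2 hash are constructed placeholders; a real hash comes from `grub-mkpasswd-pbkdf2`. The check is a textual heuristic over the config file, not a full grub.cfg parser.

```shell
#!/bin/sh
# Added example (not from the ticket, not GRUB's own code): audit a GRUB 2
# grub.cfg for the password lock that protects the 'e' and 'c' keys.
#
# Heuristic, line-oriented check for:
#   set superusers="..."          accounts allowed to edit entries / use 'c'
#   password / password_pbkdf2    credentials for those accounts
#   menuentry ... --unrestricted  entries that boot without a password
# Prints one status word and returns 0 protected, 1 unprotected, 2 missing.
grub_cfg_audit() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo "MISSING"
        return 2
    fi
    # Without superusers GRUB never asks for a password: 'e' and 'c' are open.
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg"; then
        echo "UNPROTECTED"
        return 1
    fi
    # superusers set but no credential line: authentication can never
    # succeed, so the admin cannot unlock it either. Flag it.
    if ! grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$cfg"; then
        echo "NO-CREDENTIALS"
        return 1
    fi
    total=$(grep -Ec '^[[:space:]]*menuentry[[:space:]]' "$cfg" || true)
    unrestricted=$(grep -E '^[[:space:]]*menuentry[[:space:]]' "$cfg" \
        | grep -c -- '--unrestricted' || true)
    if [ "$unrestricted" -eq 0 ]; then
        # Every entry prompts: the "admin has to be there" case from the post.
        echo "PROTECTED-ALL-PROMPT"
    else
        # Unattended boot; only 'e', 'c' and the other entries need the password.
        echo "PROTECTED-UNATTENDED $unrestricted/$total"
    fi
    return 0
}

# Constructed sample configurations (placeholder hash, not a real machine).
write_sample_cfg() {
    kind="$1"
    out="$2"
    case "$kind" in
    unlocked)
        cat > "$out" <<'EOF'
# constructed sample: default grub.cfg, no authentication
set default=0
set timeout=5
menuentry 'LFS' {
    linux /boot/vmlinuz root=/dev/sda2 ro
}
EOF
        ;;
    locked_prompt)
        cat > "$out" <<'EOF'
# constructed sample: locked, every entry prompts for the password
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'LFS' {
    linux /boot/vmlinuz root=/dev/sda2 ro
}
EOF
        ;;
    locked_unrestricted)
        cat > "$out" <<'EOF'
# constructed sample: locked, the default entry boots without a password
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'LFS' --unrestricted {
    linux /boot/vmlinuz root=/dev/sda2 ro
}
menuentry 'LFS (single user)' --users root {
    linux /boot/vmlinuz root=/dev/sda2 ro single
}
EOF
        ;;
    *)
        echo "unknown sample: $kind" >&2
        return 1
        ;;
    esac
}

# Demo: write the three samples to a temporary directory and audit each.
demo_dir=$(mktemp -d)
for kind in unlocked locked_prompt locked_unrestricted; do
    write_sample_cfg "$kind" "$demo_dir/$kind.cfg"
    printf '%-20s %s\n' "$kind" "$(grub_cfg_audit "$demo_dir/$kind.cfg")"
done
rm -rf "$demo_dir"
```

Run it against a real file with `grub_cfg_audit /boot/grub/grub.cfg` after sourcing the script; `PROTECTED-ALL-PROMPT` is exactly the situation the post describes, where someone has to type the password at every boot.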