grub: Authentication and authorisation
18.1 Authentication and authorisation in GRUB
=============================================
By default, the boot loader interface is accessible to anyone with
physical access to the console: anyone can select and edit any menu
entry, and anyone can get direct access to a GRUB shell prompt. For
most systems, this is reasonable since anyone with direct physical
access has a variety of other ways to gain full access, and requiring
authentication at the boot loader level would only serve to make it
difficult to recover broken systems.

However, in some environments, such as kiosks, it may be appropriate
to lock down the boot loader to require authentication before performing
certain operations.

The 'password' (⇒password) and 'password_pbkdf2' (⇒password_pbkdf2)
commands can be used to define users, each of which
has an associated password. 'password' sets the password in plain text,
requiring 'grub.cfg' to be secure; 'password_pbkdf2' sets the password
hashed using the Password-Based Key Derivation Function (RFC 2898),
requiring the use of 'grub-mkpasswd-pbkdf2' (⇒Invoking
grub-mkpasswd-pbkdf2) to generate password hashes.

In order to enable authentication support, the 'superusers'
environment variable must be set to a list of usernames, separated by
any of spaces, commas, semicolons, pipes, or ampersands. Superusers are
permitted to use the GRUB command line, edit menu entries, and execute
any menu entry. If 'superusers' is set, then use of the command line
and editing of menu entries are automatically restricted to superusers.
Setting 'superusers' to the empty string effectively disables both access
to the CLI and editing of menu entries. Note: The environment variable needs
to be exported to also affect the section defined by the 'submenu'
command (⇒submenu).

Other users may be allowed to execute specific menu entries by giving
a list of usernames (as above) using the '--users' option to the
'menuentry' command (⇒menuentry). If the '--unrestricted' option
is used for a menu entry, then that entry is unrestricted. If the
'--users' option is not used for a menu entry, then only superusers
are able to use it.

Putting this together, a typical 'grub.cfg' fragment might look like
this:

     set superusers="root"
     password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
     password user1 insecure

     menuentry "May be run by any user" --unrestricted {
         set root=(hd0,1)
         linux /vmlinuz
     }

     menuentry "Superusers only" --users "" {
         set root=(hd0,1)
         linux /vmlinuz single
     }

     menuentry "May be run by user1 or a superuser" --users user1 {
         set root=(hd0,2)
         chainloader +1
     }

The 'grub-mkconfig' program does not yet have built-in support for
generating configuration files with authentication. You can use
'/etc/grub.d/40_custom' to add simple superuser authentication, by
adding 'set superusers=' and 'password' or 'password_pbkdf2' commands.
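
The following is an added example, not part of the GRUB manual or of GRUB itself: a small Python audit that applies the rules described above to a 'grub.cfg' and reports who may run each menu entry, which users have a plain-text 'password', and which named users have no password defined. The function names, finding strings and sample config are constructed for illustration; it handles only the '--users LIST' form shown on this page and does not expand variables or follow sourced files.

```python
import re
import shlex

# Constructed sample modelled on the manual's fragment; the hash is a placeholder.
SAMPLE_CFG = """\
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER
password user1 insecure
menuentry "Any user" --unrestricted {
}
menuentry "Superusers only" --users "" {
}
menuentry "user1 or superuser" --users user1 {
}
menuentry "Undefined user" --users user2 {
}
"""

def split_users(value):
    # Separators named in the manual: spaces, commas, semicolons, pipes, ampersands.
    return [u for u in re.split(r"[ ,;|&]+", value) if u]

def audit(cfg_text):
    """Return (findings, access): warnings, and who may run each menu entry."""
    superusers, defined, entries, findings = None, set(), [], []
    for line in cfg_text.splitlines():
        try:
            tok = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: not a line this audit understands
            continue
        if len(tok) >= 2 and tok[0] == "set" and tok[1].startswith("superusers="):
            superusers = split_users(tok[1].partition("=")[2])
        elif len(tok) >= 3 and tok[0] in ("password", "password_pbkdf2"):
            defined.add(tok[1])
            if tok[0] == "password":
                findings.append(f"plaintext password for '{tok[1]}'")
        elif len(tok) >= 2 and tok[0] == "menuentry":
            entries.append(tok[1:])
    if superusers is None:
        findings.append("superusers is not set: authentication is disabled")
    access, named = {}, set(superusers or [])
    for title, *opts in entries:
        users = split_users(opts[opts.index("--users") + 1]) if "--users" in opts else []
        open_entry = superusers is None or "--unrestricted" in opts
        access[title] = "anyone" if open_entry else sorted(set(users) | set(superusers))
        named.update(users)
    findings += [f"no password defined for '{u}'" for u in sorted(named - defined)]
    return findings, access
```

Calling audit(SAMPLE_CFG) reports the plain-text password for user1 and the missing password for user2, and lists the "Superusers only" entry as usable by root alone.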