confused for booting security

Tim ignored_mailbox at yahoo.com.au
Sun Jan 9 09:04:39 UTC 2011


On Sun, 2011-01-09 at 13:32 +0530, Parshwa Murdia wrote:
> which are just below the name of the OS in
> the /boot/grub/grub.conf file):-
>  
> password --md5 $1$X58Kw/$v71Qlprzt8f4U9uOu46nk0
> lock
>  
> and after that I press 'b' to boot without entering the encrypted
> password during the booting time.
>  
> If this is the case, anyone can press 'e' and then remove those two
> line and then 'b' to boot without ever entering the encrypted
> passwords, then what would be the purpose of encrypting that? It would
> be okay for trespassers too!

In the grub.conf file, when there's a password and lock command above
all the boot choices, they'll need to enter the password before they can
do anything (pick a choice, temporarily edit what grub will do).  It's
where you place the lock command that's important, in this case.  Like
in this example:

#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,1)/grub/splash.xpm.gz
password --md5 $supercalifragilistic.
lock

title Fedora (2.6.27.25-78.2.56.fc9.i686)
        root (hd0,1)
        kernel /vmlinuz-2.6.27.25-78.2.56.fc9.i686 ro root=/dev/VolGroup00/LogVol00 quiet
        initrd /initrd-2.6.27.25-78.2.56.fc9.i686.img

title Fedora (2.6.27.24-78.2.53.fc9.i686)
        root (hd0,1)
        kernel /vmlinuz-2.6.27.24-78.2.53.fc9.i686 ro root=/dev/VolGroup00/LogVol00 quiet
        initrd /initrd-2.6.27.24-78.2.53.fc9.i686.img

title Memtest86+ (2.11)
        lock
        root (hd0,1)
        kernel --type=netbsd /elf-memtest86+-2.11


When the lock or password commands are in the boot stanzas, then the
password will only apply to those boot choices.  If there's some other
unlocked choice, they can get into the command line.

#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,1)/grub/splash.xpm.gz
password --md5 $supercalifragilistic.

title Fedora (2.6.27.25-78.2.56.fc9.i686)
        lock
        root (hd0,1)
        kernel /vmlinuz-2.6.27.25-78.2.56.fc9.i686 ro root=/dev/VolGroup00/LogVol00 quiet
        initrd /initrd-2.6.27.25-78.2.56.fc9.i686.img

title Fedora (2.6.27.24-78.2.53.fc9.i686)
        lock
        root (hd0,1)
        kernel /vmlinuz-2.6.27.24-78.2.53.fc9.i686 ro root=/dev/VolGroup00/LogVol00 quiet
        initrd /initrd-2.6.27.24-78.2.53.fc9.i686.img

title Memtest86+ (2.11)
        root (hd0,1)
        kernel --type=netbsd /elf-memtest86+-2.11

The above example, anyone can pick options from the boot menu.  Though
they'll need to type in a password for the first two to work, the last
one doesn't need a password.  They can go into it, erase the command
lines, type in any command (including ones that will let them boot).

Note that if they can boot the computer by some other way, such as
insert a CD-ROM or floppy, then they can bypass this grub configuration,
completely.  So you want to turn off other boot choices in your BIOS.

Likewise, if they pull the drive out and plug it into another computer
of their own, they can rewrite the grub.conf file without any
passswords.

So, this only stops someone sneaking in by sitting at your computer
keyboard.  If you really need to secure the computer, you have to do
other things.

e.g. Encrypt the entire contents that you put on the drive.  Fedora
supports this.  Of course, you'll need to type in a password each time
you boot.  And it really should be a different password than you've used
anywhere else.  So nobody can break in because they've found a way to
snoop on you sending your email password, for instance.

-- 
[tim at localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





More information about the users mailing list