Prevent grub bypass

In my previous blog post, I wrote about how to bypass grub in Linux. In this post we will look at how to prevent that bypass. We know by now that the bypass can be problematic, but when we don’t need security we can simply leave grub as it is. If you need a clear idea of how to bypass grub, please read my previous blog post here first.

Now that we are 100% aware of the problem, let’s look at the solution. The solution is to add authentication to grub. By doing this, we can stop a user from booting into or editing the current entries of the boot menu. Additionally, we can tweak this to allow booting without a password. In that case, the user needs to give the password only to modify a boot entry. Alright, let’s do this!

Prevent grub bypass – methodology

Firstly, I recommend that you try this out in a VM and get it right before you actually implement it. Most of the commands here require superuser privileges, so run them with sudo where needed.

To get started issue the command:
grub-mkpasswd-pbkdf2
Upon issuing this command you have to enter the desired password for grub. After you enter the password, you will see the hash value for the password right below.

Go ahead and copy the hash value. Next you need to edit a grub config file. To do this, issue the command:
nano /etc/grub.d/40_custom
Now add the following lines to the bottom of the file, replacing <username> with the name you choose and <hash> with the hash value you copied.
set superusers="<username>"
password_pbkdf2 <username> <hash>

Press Ctrl + X to exit. nano will then ask whether to save your changes. Enter Y and they will be saved. Finally, issue the command:
update-grub

And you’re done!
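To confirm the change took effect, the generated config can be checked after update-grub. The script below is an added example, not part of the original post: the sample config and its hash are constructed, the function names are hypothetical, and --unrestricted is GRUB's menuentry option for entries that boot without a password.

```shell
#!/bin/sh
# Added example: audit a generated GRUB config for the protection set up above.

# Write a constructed sample config; the hash is a placeholder, not a real one.
write_sample_cfg() {
    cat > "$1" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
menuentry 'Linux' --class gnu-linux --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro
}
menuentry 'Linux (recovery mode)' --class gnu-linux {
    linux /vmlinuz root=/dev/sda1 ro single
}
EOF
}

# Returns 0 only if superusers is set and every superuser has a PBKDF2 hash.
audit_grub_cfg() {
    cfg=$1
    # superusers may list several names separated by spaces, commas, semicolons, | or &
    users=$(sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$cfg" | tr ',;|&' '    ')
    if [ -z "$users" ]; then
        echo "FAIL: superusers is not set, anyone can edit boot entries"
        return 1
    fi
    rc=0
    for u in $users; do
        if awk -v u="$u" '$1 == "password_pbkdf2" && $2 == u && $3 ~ /^grub\.pbkdf2\./ { ok = 1 }
                          END { exit !ok }' "$cfg"; then
            echo "OK: superuser '$u' has a password_pbkdf2 hash"
        else
            echo "FAIL: superuser '$u' has no password_pbkdf2 line"
            rc=1
        fi
    done
    # Entries marked --unrestricted boot without a password; editing still needs one.
    total=$(grep -Ec '^[[:space:]]*menuentry[[:space:]]' "$cfg" || true)
    open=$(grep -E '^[[:space:]]*menuentry[[:space:]]' "$cfg" | grep -c -e '--unrestricted' || true)
    echo "INFO: $open of $total menu entries boot without a password"
    return $rc
}

# Demo on the constructed sample; on a real system pass your generated grub.cfg.
tmp=$(mktemp)
write_sample_cfg "$tmp"
audit_grub_cfg "$tmp"
rm -f "$tmp"
```

On a real system, call audit_grub_cfg on the grub.cfg that update-grub wrote; its location varies by distribution.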

Lastly, what you just did makes it mandatory for a user to enter the password to even boot into the system. If you want to relax these controls a bit, there is room for customization. For that you will need to read through this. Until next time! 🙂