It is not too hard to just have a password which blocks people from editing the grub options (and thus let them do init=/bin/sh). That in combo with a proper BIOS lock from booting from anything else but the main disk will at least deter people from quickly changing the disk. Of course as they have physical access they can do a lot of other things, but it helps a bit ;)
(and can be very annoying if you forget your password though, but heck) To just add a password which thus doesn't allow editing of boot entries: 8<------------------------------------------------------- jer...@purgatory:~$ cat /etc/grub.d/42_password #!/bin/sh exec tail -n +1 $0 # add a password so that grub entries can't be edited set superusers="jeroen" password jeroen mypassword ------------------------------------------------------->8 For having per-entry user limits though it will be a lot more complex. It would be good to have MD5 or actually better SHA256 hashing there, but then again if one can read the generated /boot/grub/grub.cfg then you already have root and you can just change it anyway... Greets, Jeroen
signature.asc
Description: OpenPGP digital signature
