Hi Max!

On 02/13/2018 10:49 AM, Max Harmathy wrote:
The main reason why we have a patched version is to restrict the
fallback options using a password provided by the administrators (see
attachment). The fallback options basically provide the possibility to
drop to a root shell, which is not what you want on client systems in a
large enterprise environment.


I'm pretty sure it also works with the default GRUB package.

There is a way to set a password in the Ubuntu package. I haven't looked
up in which way that mechanism comes from upstream grub or is added by
debian/ubuntu. Anyway it lets you set a password for all the entries or
for none. Thus we use the debian debconf mechanism to set a password for
the fallback options only.

No, that's not what the password mechanism does, at least not the one
in the Debian package - I'm not sure whether this was patched in Debian
since I didn't check - but I am very confident that the password protection
in GRUB2 does exactly that: It allows booting the default entry but not
anything else.

We've been using it here at the physics department at FU Berlin (I'm
the SUSE guy you met who has his office here).

We very much appreciate the proposal for adding a simple configuration
interface as presented at FOSDEM. Please keep our use case in mind while
developing. I guess every desktop distribution would benefit from it,
since most of them have such fallback options.

Did you actually try setting a password without patch GRUB2? We
just added the following to /etc/grub.d/40_custom:

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.

#Password Protection
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.<password hash>

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Reply via email to