#3039: GRUB-1.99 Security Patches
-------------------------+--------------------------------------------------
Reporter: mad77 | Owner: lfs-book@…
Type: enhancement | Status: new
Priority: lowest | Milestone: 7.2
Component: Book | Version: SVN
Severity: trivial | Keywords: Lock up GRUB
-------------------------+--------------------------------------------------
I thought to put this under "Hints" but was unable to create an account there
so it will be posted here (LFS book).[[BR]]
Someone put it under HINTS please :)
'''GRUB''' - Most advanced bootloader and yet so "insecure". Long story
short: anyone who has access to the boot menu can gain '''root''' access by
simply adding init=/bin/sh to the GRUB command line. Think of it as a Library,
School, Internet Cafe etc. admin: a place where people have access to
Keyboard, Monitor, Mouse but no physical access to the machine. They cannot put
a Floppy / CD / DVD / USB stick / Firewire or anything into the card reader or
any other slots/ports, but still after a reboot (provoked or simple error)
are presented with the GRUB boot menu.[[BR]]
From that moment it is possible to edit the boot cmdline or enter a custom one
(press "e" or "c" keys) and gain root access (init=/bin/sh issue ...).
To secure the machine You can lock grub by adding password(s) to menu(s)
but it requires You (Admin) to be there and unlock the machine. [[BR]]
That can be a pain in the ...[[BR]]
I wrote patches for GRUB-1.99 that remove the "'''c'''" and "'''e'''" command
line options, thus preventing the user from editing the boot cmdline or entering
a custom one in grub. Either boot what You are offered or don't boot at all. Result =
Locked up grub, but no password required.
[[BR]]
There are also 2 "cosmetic" patches, one for "silent" grub and another to
say that it is a locked up version of GRUB.
So here it is:
== GRUB 1.99 - Suppress GRUB startup messages and lock grub up ==
The silent patch does as it says. It removes the Welcoming / Loading messages.
{{{
Loading GRUB ...
Welcome to GRUB!
}}}
This one disables ''''c'''' , '''command line''' mode. No manual boot
parameters or playing with GRUB.
The No Edit patch removes the ''''e'''' key which enables '''editing''' of the boot
command-line.
And finally change Bootmesg to say that this version of '''GRUB is
LOCKED'''.[[BR]]
'''Installing GRUB'''
First apply the patches if wanted:
{{{
patch -Np1 -i ../grub-1.99-silent.patch
patch -Np1 -i ../grub-1.99-nocmd.patch
patch -Np1 -i ../grub-1.99-noedit.patch
patch -Np1 -i ../grub-1.99-lockedmsg.patch
}}}
Configure GRUB and run make :
{{{
./configure --prefix=/usr --sysconfdir=/etc --disable-grub-emu-usb \
            --disable-efiemu --disable-werror --disable-nls &&
make
}}}
Finally install it as '''root''' :
{{{
make install
/sbin/ldconfig
}}}
Maybe someone finds this useful, I did.
Thanx
Mad
--
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/3039>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
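
A check for the boot-line edit described in this ticket, as an added example that is not part of the ticket, the patches or the LFS book: it flags a kernel command line whose `init=` (or the initramfs counterpart `rdinit=`) is not on an expected list. The names `audit_cmdline`, `demo` and `ALLOWED_INIT`, the `--live`/`--demo` switches and the sample command lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): flag a kernel command line whose init
# program was overridden at the boot menu, e.g. init=/bin/sh.
# ALLOWED_INIT is a hypothetical allowlist; set it to what this host expects.
ALLOWED_INIT="/sbin/init"

# audit_cmdline "<kernel command line>"
# Prints one line per finding. Returns 0 if clean, 1 if an override is found.
audit_cmdline() {
    ac_rc=0
    set -f                       # split on whitespace without globbing
    for ac_arg in $1; do
        case "$ac_arg" in
            init=*|rdinit=*)     # rdinit= is the initramfs counterpart
                ac_val=${ac_arg#*=}
                ac_ok=no
                for ac_a in $ALLOWED_INIT; do
                    if [ "$ac_val" = "$ac_a" ]; then ac_ok=yes; fi
                done
                if [ "$ac_ok" = no ]; then
                    echo "SUSPICIOUS: ${ac_arg%%=*} override -> $ac_val"
                    ac_rc=1
                fi
                ;;
        esac
    done
    set +f
    return $ac_rc
}

# Constructed sample command lines (not captured from a real machine).
demo() {
    for ac_line in \
        "root=/dev/sda2 ro" \
        "root=/dev/sda2 ro init=/bin/sh" \
        "root=/dev/sda2 init=/sbin/init init=/bin/sh"
    do
        if audit_cmdline "$ac_line"; then echo "OK: $ac_line"; fi
    done
}

# --live audits the running system; --demo runs the constructed samples.
case "${1:-}" in
    --live) audit_cmdline "$(cat /proc/cmdline)" ;;
    --demo) demo ;;
esac
```

With `--live` the script reads `/proc/cmdline`, so a finding means the running kernel was started with an init program that is not on the allowlist.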