How to protect GRUB to avoid init=/bin/bash

Normally the GRUB bootloader of our computer enable any people to edit it and change the kernel command line to add “init=/bin/bash” and get irrestricted access to all files in your system.

Fortunately GRUB lets you to add a password to it as explained here:

https://www.gnu.org/software/grub/manual/html_node/Security.html

All you need to do is edit your /boot/grub/grub.conf and add:

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring

Also you need to create a password’s hash using this command:

$ grub-mkpasswd-pbkdf2

Then replace the above “grub.pbkdf2.sha512.10000.biglongstring” with this generated hash.

But this solution is not good enough because it will prevent the GRUB menu editing but also will annoy you asking a password everytime you try to boot your system.

You can fix it adding “- – unrestricted” to menuentry in the grub.conf:

menuentry 'Debian GNU/Linux' ... --unrestricted {
...

That is all!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s