How to protect GRUB to avoid init=/bin/bash

Normally the GRUB bootloader of our computer enable any people to edit it and change the kernel command line to add “init=/bin/bash” and get irrestricted access to all files in your system.

Fortunately GRUB lets you to add a password to it as explained here:

All you need to do is edit your /boot/grub/grub.conf and add:

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring

Also you need to create a password’s hash using this command:

$ grub-mkpasswd-pbkdf2

Then replace the above “grub.pbkdf2.sha512.10000.biglongstring” with this generated hash.

But this solution is not good enough because it will prevent the GRUB menu editing but also will annoy you asking a password everytime you try to boot your system.

You can fix it adding “- – unrestricted” to menuentry in the grub.conf:

menuentry 'Debian GNU/Linux' ... --unrestricted {

That is all!