Re: Password protecting grub

To: debian-user@lists.debian.org
Subject: Re: Password protecting grub
From: David Wright <deblis@lionunicorn.co.uk>
Date: Wed, 16 Mar 2016 09:25:08 -0500
Message-id: <[🔎] 20160316142508.GA7991@alum>
Mail-followup-to: debian-user@lists.debian.org
Reply-to: debian-user@lists.debian.org
In-reply-to: <[🔎] CANy4JSiQEJFHAm39OdmRYdKr62nn_h84sbBr6iY3x0FnCph7Hg@mail.gmail.com>
References: <[🔎] CANy4JSiQEJFHAm39OdmRYdKr62nn_h84sbBr6iY3x0FnCph7Hg@mail.gmail.com>

On Wed 16 Mar 2016 at 17:07:33 (+0530), Himanshu Shekhar wrote:
>    I wish to password protect grub bootloader. I tried the steps available on
>    online manuals as of RedHat, Ubuntu, etc. All experiments were on a
>    VirtualBox machine, so my system remains safe. However, I didn't get
>    success. 
>    Every time I write the line to the config file and run update-grub, I get
>    the response 
>    "password : command not found".
>    I made experiments with the following files:
>      /etc/grub.d/00_header
>      /etc/grub.d/40_custom
>      /boot/grub/grub.cfg
>    adding 
>    " set superusers="root" 
>      password root rootpassword
>    "
>    or 
>    " password mypassword "
>    or 
>    " password --md5 $$$%#$ "
>    different times. Each time, I had the same error generated.
>    My current system, where changes are expected has Debian Stretch on a UEFI
>    installation. So, I have no idea whether the things are same or different
>    for UEFI and Legacy. 

Nor me. I can only look at jessie/wheezy on BIOS. However...

You've modified three files at various times with three changes.
In particular, look at your changing /boot/grub/grub.cfg and then
running update-grub. update-grub will immediately overwrite
/boot/grub/grub.cfg so your change should be irrelevant. Because
you saw an error message, you must have left a mistake in one of
the /etc/grub.d/ files.

1) So the first thing to do is to make sure that all these /etc/grub.d/
files are correct. Then stick to modifying /etc/grub.d/40_custom
which is the one provided for that purpose. When you modify it,
make sure you don't change the lines at the top of this file.

2) As an alternative to (1), if those files are screwed but your
/boot/grub/grub.cfg is OK, make your modifications (set superusers
and password) directly to /boot/grub/grub.cfg but don't run
update-grub (which would undo them). When you reboot, the extra
lines will be read and acted upon.

A scenario that could give the symptoms you describe:
Modifying /etc/grub.d/40_custom but messing up the top few lines
by inserting "password user1 insecure-password" into it.
Now, whenever update-grub runs, it will try and execute the command
"password" rather than writing that line into /boot/grub/grub.cfg.

BTW the advice from jdd was poor. You don't want to be running
the real passwd command in this context. As you say you've tried
that, you should check that you haven't unintentionally changed
any passwords; unlikely, I know, as there's normally an exchange
of dialogue involved.

>    Also, when I tried to install grub (for grub-md5-crypt), it asked to
>    remove grub-efi and install grub-pc, grub-legacy and their team.
>    I need EFI because I have Windows as dual boot, I haven't used for long,
>    but I still want to retain it.

I can't help you there. My jessie has
grub2_2.02~beta2-22+deb8u1
grub2-common_2.02~beta2-22+deb8u1
grub-common_2.02~beta2-22+deb8u1
grub-pc_2.02~beta2-22+deb8u1
grub-pc-bin_2.02~beta2-22+deb8u1
and wheezy has
grub2-common_1.99-27+deb7u3
grub-common_1.99-27+deb7u3
grub-pc_1.99-27+deb7u3
grub-pc-bin_1.99-27+deb7u3
and I don't know why you would get offered anything as old as 0.97-67/70.

Cheers,
David.

Reply to:

Follow-Ups:
- Re: Password protecting grub
  - From: Himanshu Shekhar <irm2015006@iiita.ac.in>

References:
- Password protecting grub
  - From: Himanshu Shekhar <irm2015006@iiita.ac.in>

Prev by Date: Help
Next by Date: Re: Help
Previous by thread: Re: Password protecting grub
Next by thread: Re: Password protecting grub
Index(es):
- Date
- Thread