
Re: Password protecting grub



On Fri 18 Mar 2016 at 18:59:39 (+0530), Raj Kiran Grandhi wrote:
> > > But, be advised that once you do this, all the menu entries in grub will be
> > > inaccessible until the password is supplied.
> > > It would be nice to have a way of requiring a password only if it is required
> > > to boot a non-default entry.
> >
> > That's what
> >       menuentry "May be run by any user" --unrestricted {
> > is for. The documentation example runs thus:
> >
> >
> Yes, I had read through that. But that would mean editing
> /boot/grub/grub.cfg manually and losing the changes every time grub-update
> is run. What I could not figure out was how to have the --unrestricted be
> appended automatically for the default entry (in my case, GRUB_DEFAULT=0
> which boots the default kernel) every time grub-update was run.

You've just appended
    set superusers=...
    password ...
to the end of /etc/grub.d/40_custom so carry on typing and add your
unrestricted/default entry right there:

    set superusers=...
    password ...
    menuentry "May be run by any user" --unrestricted { ...
    ...

Obviously change "May be run by any user" into a more convenient and
obvious string like "normal" and give that name to grub-set-default so
that it gets written into the /boot/grub/grubenv file. (Check that.)
I'm assuming you've got GRUB_DEFAULT=saved in your /etc/default/grub
file (and that you refuse any automatic updating of that file).

Cheers,
David.
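
The "(Check that.)" step above can be scripted. The following is an added example, not part of the original message: it confirms that the generated config still sets a superuser and password, and that the entry saved in grubenv is one marked --unrestricted. The function names and the sample files are constructed for illustration, and it assumes saved_entry holds a menu title (as when a name is given to grub-set-default), not a numeric index.

```shell
#!/bin/sh
# Assumption: saved_entry in grubenv is a menuentry title, not an index or id.

# Print the title of every menuentry that carries --unrestricted.
unrestricted_titles() {
    sed -n "s/^[[:space:]]*menuentry[[:space:]]*[\"']\([^\"']*\)[\"'].*--unrestricted.*/\1/p" "$1"
}

# Return 0 only if password protection is on AND the saved default is unrestricted.
check_grub_default() {
    cfg=$1; envf=$2
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" || { echo "no superusers set"; return 1; }
    grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$cfg" || { echo "no password line"; return 2; }
    saved=$(sed -n 's/^saved_entry=//p' "$envf")
    [ -n "$saved" ] || { echo "no saved_entry in grubenv"; return 3; }
    unrestricted_titles "$cfg" | grep -Fxq -- "$saved" || { echo "default '$saved' needs the password"; return 4; }
    echo "ok: '$saved' boots without a password"
}

# Constructed sample files (placeholder hash, kernel path and device; not from a real system).
make_sample() {
    cat > "$1/grub.cfg" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER
menuentry "normal" --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro
}
menuentry 'rescue shell' {
    linux /vmlinuz root=/dev/sda1 ro single
}
EOF
    printf '# GRUB Environment Block\nsaved_entry=%s\n' "$2" > "$1/grubenv"
}

# Demo on the constructed files: default "normal" is unrestricted, so this passes.
tmp=$(mktemp -d)
make_sample "$tmp" normal
check_grub_default "$tmp/grub.cfg" "$tmp/grubenv"
rm -rf "$tmp"
```

On a real system, pass /boot/grub/grub.cfg and /boot/grub/grubenv as the two arguments after regenerating the config.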

