Fedora Linux Support Community & Resources Center

  #1  
Old 13th March 2009, 11:29 AM
Evil_Bert
Retired Again - Administrator
 
Join Date: Nov 2007
Location: 'straya
Posts: 3,289
How To: Improve Boot-up Security - Password Protect Grub and Single User Mode

There are a couple of old sayings in the business: "There's no security without physical security"; and, "The greatest threat comes from within". If your computer is in a locked room and only you access it, or everyone who has access is trusted implicitly, then fine. If not, read on.

What if I told you that, if you let me boot your typical Fedora installation, I could probably get root access in around a minute without you telling me your passwords?

I'm not referring to a BIOS backdoor - though these are rumoured to exist in some manufacturers' BIOS. Nor am I referring to resetting your CMOS memory - though if you lock your computer's case, you can effectively neutralise that weakness. And I'm not referring to using a plug-in hardware key logger to grab your root password - but someone could, and if an untrusted individual can walk past your desktop computer when you're absent then you might want to check the integrity of your keyboard connection from time to time. Of course, there are other, less likely security threats.

What I'm going to use is "single user mode". In brief, Linux uses Run Levels to define pre-set boot environments (sequences of boot-up tasks). Often these will be different from one distro to the next, although Run Level 0 and 6 are always the same, being Halt and Reboot, respectively. In Fedora, Run Level 1 (or S) is single user mode, where the user is given a root shell for maintenance or recovery. Without going into the subtle differences between Run Level 1 and S (just accept that both are single user mode), what you need to know is that the Grub bootloader permits a user to select single user mode by editing Grub boot parameters at boot time, and that this functionality is available unless you have defined a bootloader password (note 1). Furthermore, single user mode in Fedora is not password protected. At the end of this post are the steps to enter single user mode - try it and see for yourself.

To mitigate the risks, you have three options, any or all of which may be used to add degrees of protection:
(1) Encrypt your hard-drive
(2) Add password protection to Grub
(3) Add password protection to single user mode

Hard-Drive Encryption

Encrypting your hard-drive is a useful option on its own, as it protects your data against someone managing to boot from, say, a LiveCD (possible if, for example, you don't enforce a BIOS password) or against someone gaining direct access to your hard-drive (e.g. from a stolen laptop or external hard-drive). Whole disk encryption via LUKS is now offered in Fedora during installation, but that option will not encrypt your boot partition, meaning that the Linux kernel, and hence the rest of the system, remain vulnerable without employing other security mechanisms. Encryption is a very involved topic and I won't cover it further here.

Grub Password

Password-protecting Grub can prevent booting an operating system, and prevent other Grub operations (note 2), without the password(s). You can set a different password for each OS, use the same password for all OSs, or you can restrict password protection to just preventing interactive operation, which includes editing boot parameters. There's plenty of information available on configuring Grub not the least of which is the Grub online manual. Fedora offers you the opportunity to set a bootloader password in the Anaconda installer, which will, without further configuration, prevent changing boot parameters without the password.

Did you decline to set a bootloader password during Fedora installation? If so, you're not alone - many people don't set a password, especially since it is disabled by default and the setting is easy to overlook. You can follow the advice below to set a Grub password now and read on to password protect single user mode.

In a terminal:
Code:
grub-md5-crypt
... enter a suitable password for your bootloader (and re-enter to confirm). The resulting output is the password hash that we need to store in file /boot/grub/grub.conf. In the terminal (and note, we'll first make a backup copy of grub.conf in case you make a mistake):
Code:
su -
cp /boot/grub/grub.conf /boot/grub/old_grub.conf
gedit /boot/grub/grub.conf
Near the top of the file, you'll see text that looks something like:
Code:
default=0
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
In this section (and I suggest best placed immediately below the line highlighted in bold) add this new line:
Code:
password --md5 paste-your-password-hash-here
Save and exit. That's it. Your bootloader is now protected by a password. For the most part, you won't need to use your bootloader password, but it's an important security enhancement to have it set.

See here and here for further advice on setting and using Grub passwords, including protecting individual operating systems.

Single User Mode Password

In addition to, or in lieu of, password-protecting Grub, you can password-protect single user mode, though it offers less protection when used alone.

You can easily find information online about how password-protecting single user mode used to be done, but things have changed. With the introduction of Upstart in F9, Fedora start-up tasks are invoked a bit differently, and the differences will continue to grow as Upstart matures. For instance, file /etc/inittab has been mostly deprecated - it now serves only to define the default run level and all other configuration is ignored. Upstart generally gets its information from files in directory /etc/event.d, and in this case the file of interest is /etc/event.d/rcS-sulogin.

What we need to do is edit file /etc/event.d/rcS-sulogin as root. In a terminal:
Code:
su -
gedit /etc/event.d/rcS-sulogin
You'll see a section that looks like this:
Code:
script
	runlevel --set S >/dev/null || true
	plymouth --hide-splash || true
	exec /bin/bash
end script
Note the line 'exec /bin/bash'. Change it to read:
Code:
	exec /sbin/sulogin
Save and exit. That's it. Now, if anyone enters single user mode, they'll be presented with a prompt for the root password instead of being given a root shell.

----------------------------------------------------

Steps to Enter Single User Mode

Reboot. When the Grub splash or countdown is displayed, press any key to display the Grub menu. If you have a bootloader password set, you will have to press 'p' and enter the password at this point. Highlight your desired Fedora kernel (i.e. menu item) and hit 'e'. Next, you will find yourself in the Grub edit menu with the contents of your highlighted entry displayed. Use the arrow keys to select the line beginning with 'kernel ...' and hit 'e' to edit it. The line will be displayed - scroll to the end and append a space followed by an 's' or the word 'single', then hit 'Enter'. Now hit 'b' and you will boot to single user mode. If you have enabled password protection in single user mode, you should eventually see:
Code:
Give root password for maintenance
(or type Control-D to continue):
Otherwise, you'll be presented with a root shell!

Notes

1: Fedora's Anaconda installer gives you the opportunity to set a Grub bootloader password during Fedora installation. Installers for other distros may not do this, so if you installed Grub from another distro you should check your Grub configuration manually. Note that the gfxmenu included with Grub in some other distros does not work when a bootloader password is set. If you installed a different bootloader (i.e. not Grub) then there may be no password facility. When more than one operating system is installed, you should use a method or methods that protect all of them.

2: Grub has a console (its own limited command line) - available commands include 'cat', which can display the contents of a file.
__________________
Marching to the beat of his own conundrum.
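Added example, not part of the guide above: a small POSIX shell script that applies the two edits the post describes (the 'password --md5' line in grub.conf and 'exec /sbin/sulogin' in the Upstart job) and audits whether they are in place. It takes the file paths as arguments so you can rehearse it on copies before running it as root against /boot/grub/grub.conf and /etc/event.d/rcS-sulogin. Assumptions of mine: the password line is inserted after the 'timeout=' line (the post only says "in this section"), a backup with a '.bak' suffix is kept, and the hash used in the demo is a placeholder shaped like the '$1$'-prefixed md5-crypt string that grub-md5-crypt prints, not a real hash.

```shell
#!/bin/sh
# Example hardening/audit helper (added here; not from the original post).
# Usage on the real system, as root:
#   hash=$(grub-md5-crypt)              # interactive; prints a $1$... hash
#   grub_add_password /boot/grub/grub.conf "$hash"
#   sulogin_harden   /etc/event.d/rcS-sulogin
#   boot_audit       /boot/grub/grub.conf /etc/event.d/rcS-sulogin

# grub_add_password CONF HASH
# Adds "password --md5 HASH" after the timeout= line (or at the top if there
# is none), keeping CONF.bak.  Refuses a hash that is not md5-crypt and
# refuses to add a second password line, so re-running it is safe.
grub_add_password() {
    conf=$1; hash=$2
    case $hash in
        '$1$'*) ;;
        *) echo "refusing: '$hash' is not a \$1\$ md5-crypt hash" >&2; return 2 ;;
    esac
    if grep -q '^password ' "$conf"; then
        echo "$conf already contains a password line" >&2
        return 1
    fi
    cp -p "$conf" "$conf.bak"
    if grep -q '^timeout=' "$conf.bak"; then
        awk -v h="$hash" '{ print } /^timeout=/ { print "password --md5 " h }' \
            "$conf.bak" > "$conf"
    else
        { echo "password --md5 $hash"; cat "$conf.bak"; } > "$conf"
    fi
}

# sulogin_harden JOB
# Rewrites the bare root shell in the Upstart job to /sbin/sulogin, keeping
# the original indentation and JOB.bak.
sulogin_harden() {
    job=$1
    if grep -q 'exec /sbin/sulogin' "$job"; then
        echo "$job already runs sulogin" >&2
        return 1
    fi
    if ! grep -q 'exec /bin/bash' "$job"; then
        echo "no 'exec /bin/bash' line found in $job" >&2
        return 2
    fi
    cp -p "$job" "$job.bak"
    sed 's#^\([[:space:]]*\)exec /bin/bash[[:space:]]*$#\1exec /sbin/sulogin#' \
        "$job.bak" > "$job"
}

# boot_audit CONF JOB
# Returns 0 when both protections are present; otherwise names what is
# missing and returns 1.  Useful as a periodic check after kernel updates
# or anything else that regenerates these files.
boot_audit() {
    rc=0
    grep -q '^password --md5 ' "$1" || { echo "MISSING: Grub password in $1"; rc=1; }
    grep -q '^[[:space:]]*exec /sbin/sulogin' "$2" || { echo "MISSING: sulogin in $2"; rc=1; }
    return $rc
}

# demo: run the whole procedure against constructed copies of the two files
# quoted in the post, with a placeholder hash.
demo() {
    tmp=$(mktemp -d)
    printf 'default=0\ntimeout=5\nsplashimage=(hd0,0)/boot/grub/splash.xpm.gz\nhiddenmenu\n' \
        > "$tmp/grub.conf"
    printf 'script\n\trunlevel --set S >/dev/null || true\n\tplymouth --hide-splash || true\n\texec /bin/bash\nend script\n' \
        > "$tmp/rcS-sulogin"
    hash='$1$example$0123456789abcdefghijkl'   # placeholder, not a real hash
    boot_audit "$tmp/grub.conf" "$tmp/rcS-sulogin" || echo "(before: both checks fail, as expected)"
    grub_add_password "$tmp/grub.conf" "$hash"
    sulogin_harden "$tmp/rcS-sulogin"
    boot_audit "$tmp/grub.conf" "$tmp/rcS-sulogin" && echo "hardened copies written under $tmp"
}
case ${1:-} in --demo) demo ;; esac
```

Run it with '--demo' to see the before/after audit on throwaway copies. Keep the point raised later in this thread in mind: once rcS-sulogin runs sulogin, single user mode can no longer be used to reset a forgotten root password, so the remaining recovery path is booting other media, which is exactly what the Grub and BIOS passwords are there to block.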
  #2  
Old 13th March 2009, 11:30 AM
Evil_Bert
Retired Again - Administrator
 
Join Date: Nov 2007
Location: 'straya
Posts: 3,289
I'm not perfect and neither are my posts, so if you spot a mistake or have a suggestion for improvement to this how-to, feel free to reply.
__________________
Marching to the beat of his own conundrum.
  #3  
Old 13th March 2009, 11:57 AM
sideways
Retired User
 
Join Date: Oct 2004
Location: London, UK
Posts: 4,999
looks good.

Nice guide and all up to date and relevant to F10.

  #4  
Old 13th May 2009, 05:07 AM
bigmacbb63
Registered User
 
Join Date: Feb 2006
Location: southern california
Posts: 521
Thanks evil bert, you're the man!

bigmac
  #5  
Old 13th May 2009, 09:47 AM
leigh123linux
Guest
 
Posts: n/a
Quote:
Originally Posted by Evil_Bert View Post
I'm not perfect and neither are my posts, so if you spot a mistake or have a suggestion for improvement to this how-to, feel free to reply.
Perhaps a warning should be added to the Single User Mode Password
section stating that this will make it impossible to reset the password if forgotten.
  #6  
Old 14th May 2009, 02:53 AM
ogetbilo
RPMFusion Dev
 
Join Date: May 2004
Location: PA
Age: 35
Posts: 466
Is there a way that I can use my Dvorak keyboard layout when I'm in grub? I can't find any documentation about this.

Setting the password in a different layout than the one grub uses is not very useful.

I'm sure there are many people here using different layouts than QWERTY. Maybe you should add to your howto a section about keyboard layouts in grub.
__________________
oget, the "Pulse against"

Things that rule: Angelina, TKT, Linux, Supergravity, Alcohol...
  #7  
Old 14th May 2009, 03:08 AM
sideways
Retired User
 
Join Date: Oct 2004
Location: London, UK
Posts: 4,999
Quote:
Originally Posted by ogetbilo View Post
Is there a way that I can use my Dvorak keyboard layout when I'm in grub? I can't find any documentation about this.

Setting the password in a different layout than the one grub uses is not very useful.

I'm sure there are many people here using different layouts than QWERTY. Maybe you should add to your howto a section about keyboard layouts in grub.
http://users.dakotacom.net/~donut/pr...tml#grubdvorak

add to top of grub.conf

(the gzip link works)