Ubuntu – How to secure grub recovery mode

grub2Security

When I boot system in to recovery mode from GRUB menu, I can get in to all powerful root without entering any password, thus insecure.

How I can secure this and ensure that a password is asked every time I attempt to access root in recovery mode?

Best Answer

There is a post on Ubuntu forums about protecting entries by password, basically to make the recovery menuitems require you to login as superman with password 1234 you need to edit some very hairy config/script files:

Add to /etc/grub.d/00_header

cat << EOF
set superusers="superman"
password superman 1234
password bill 5678
EOF

Change /etc/grub.d/10_linux

From:

printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"

To:

if ${recovery} ; then
   printf "menuentry '${title}' --users superman ${CLASS} {\n" "${os}" "${version}"
else
   printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
fi

Perfecting protection is profoundly hard

Other things you need to do is to password protect your bios, disable booting from anything else than primary hard drive, and encrypt your root partition and mount any other partition as noexec. This still leaves lots of vectors.

Related Solutions

Ubuntu – Why there is no password to root under Recovery Mode

It's not a bug, it's a feature. Anyone with physical access to the machine can get your data and/ or modify it unless your partitions are encrypted.

Consider this case: you can boot a Live CD and be able to read and modify data without issues.

Another one: someone could open the case, take the disk out of it and plug it in another machine (USB dock, eSATA, etc.). Then it's again easy to read and modify the data.

If you want to disable creation of the recovery entry, edit /etc/default/grub, uncomment the GRUB_DISABLE_RECOVERY="true" line by removing the leading # character and run sudo update-grub. However, this does not make it impossible to boot into recovery mode since you can still edit the boot options by pressing E on an entry and add single to the kernel line.

The only way to protect against such an attack is by encrypting your whole disk using LUKS. I strongly recommend to do that especially for mobile devices such as a notebook. See How to truly secure a hard-drive?

Ubuntu – How to boot to the recovery mode if it is not listed in Grub

The instruction Remove existing kernel options from the linux line and add single refers to changing the line

linux /boot/vmlinuz-3.5.0-26-generic root=<uuid> ro ipv6.disable=1 quirt splash $vt_handoff

linux /boot/vmlinuz-3.5.0-26-generic root=<uuid> single

which will boot up and show a text-mode terminal with root permissions ("single-user mode") from which fixes can be made.

The Ubuntu recovery mode is entered by setting linux options thusly:

linux /boot/vmlinuz-3.5.0-26-generic root=<uuid> ro recovery nomodeset

This provides a menu which automates some common system fixes, or lets you access a root shell as the single option would.

Best Answer

Related Solutions

Ubuntu – Why there is no password to root under Recovery Mode

Ubuntu – How to boot to the recovery mode if it is not listed in Grub

Related Question