Secure Your Boot Loader
Date: Saturday, August 14 @ 03:17:46 CDT
Topic: Linux Computer & Network Security


You can have the tightest firewall, one that only lets in traffic you have specifically allowed, and you can have the longest, hardest-to-crack passwords on all of your accounts, but I have found that I can still get into almost every single Linux computer I have ever visited because of one of the most important, yet most overlooked, security steps: one that should be taken on every Linux computer as soon as the operating system is being installed. It might come as a surprise when I tell you that I don't use any special tools or tricks, and no special hacker knowledge or l33tness is needed here.

In about the time it takes to boot your computer, anyone with physical access to it can change the root password and get root access by passing the "single" option at the boot prompt. Grub and Lilo can be protected against this by requiring a password before any options are passed to the kernel. Even then, anyone who has a micro distribution on a floppy disk, micro drive, CD-ROM, etc. can still likely defeat this step, depending on the boot loader you use.

Who should worry about locking down the boot loader? Everybody! Some home users might say this is not necessary in a home computer environment unless you're of a paranoid nature, but what happens if someone steals your computer? How much of the data on it do you consider sensitive? Another article I am planning is on password recovery through application mining. Even if you feel this is unnecessary at home, you definitely want to follow these steps in a mission-critical server environment.

Difference between grub password and grub lock:

This section was added on August 17, 2004 after several emails were received. I realized I never explained what the password protects and why both the password and the lock should be required.

You may also refer to this web page for more information about Grub security.

The grub password simply keeps users from accessing the grub command interface without supplying the correct password. Allowing users into the command interface would also allow them to run commands on the system, such as cat /etc/passwd, which would let them read sensitive account information before the system ever boots.

The grub lock command, on the other hand, keeps users from running specific menu entries; for example, you don't want users to be able to boot into Windows or some other test environment.

Grub:

To add an encrypted password to your Grub configuration, first obtain the MD5 hash of your password: run the Grub shell as the root user (e.g. /sbin/grub) and execute:

grub> md5crypt

Enter your password and then cut and paste the resulting hash (it will begin with "$1$") onto the end of a password --md5 line in the /boot/grub/menu.lst file, as in the example below:

default=0
timeout=0
password --md5 $1$YYO5V0$8yLLVTxttR9./wuE0S4/q.
title RHPSecure
root (hd0,6)
kernel (hd0,6)/boot/vmlinuz ro root=/dev/hda
initrd /boot/initrd.img

Lock Grub:

GRUB provides the lock command: a locked entry will not boot until the valid password is entered. Insert lock right after the title line in the /boot/grub/menu.lst file, because any user can execute the commands of an entry up to the point where GRUB encounters lock.

default=0
timeout=0
password --md5 $1$YYO5V0$8yLLVTxttR9./wuE0S4/q.
title RHPSecure
lock
root (hd0,6)
kernel (hd0,6)/boot/vmlinuz ro root=/dev/hda
initrd /boot/initrd.img

Lilo:

In /etc/lilo.conf, add the last two lines of the example below to the image stanza (the first line starts with password and the second line is simply restricted):

image=/boot/vmlinuz
label="RHPSecure"
root=/dev/hda6
initrd=/boot/initrd.img
read-only
password="YourPasswordGoesHere"
restricted

Save the file and run "/sbin/lilo". If someone now tries to pass an option like single, they'll need the password. Next, since lilo.conf holds the password in clear text, make it readable and writable by root only: chmod 600 /etc/lilo.conf
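As an added example (not from the article, and not part of GRUB or LILO), here is a small POSIX shell audit for the settings described in the Grub and Lilo sections above: it checks a menu.lst for a global password --md5 line and a lock after every title, checks a lilo.conf for password plus restricted on every image/other stanza, and checks that a file is mode 600. The sample files are constructed here and written to a temporary directory; the function names are my own.

```shell
#!/bin/sh
# Added audit example (not from the article). Each check returns 0 on pass.
# grub_audit: global "password --md5" before the first title, "lock" after each title.
# lilo_audit: every image=/other= stanza has password= and restricted (global ones count).
# perm_ok: file mode is exactly 600 (rw-------).

grub_audit() {
    awk '
    /^[ \t]*password[ \t]+--md5[ \t]+\$1\$/ { if (title == "") have_pw = 1 }
    /^[ \t]*password[ \t]/ && !/--md5/      { print "PLAINTEXT password LINE (use --md5)" }
    /^[ \t]*title[ \t]/ { title = $0; want_lock = 1; next }
    want_lock && /^[ \t]*(#|$)/ { next }            # skip blank/comment lines after a title
    want_lock { if ($0 !~ /^[ \t]*lock[ \t]*$/) { print "NO LOCK: " title; bad++ }
                want_lock = 0 }
    END { if (want_lock) { print "NO LOCK: " title; bad++ }
          if (!have_pw)  { print "NO GLOBAL password --md5 LINE"; bad++ }
          exit (bad ? 1 : 0) }' "$1"
}

lilo_audit() {
    awk '
    function check() { if (img != "" && !((pw || gpw) && (rs || grs))) { print "UNPROTECTED: " img; bad++ } }
    /^[ \t]*(image|other)[ \t]*=/ { check(); img = $0; pw = 0; rs = 0; next }
    /^[ \t]*password[ \t]*=/      { if (img == "") gpw = 1; else pw = 1 }
    /^[ \t]*restricted[ \t]*$/    { if (img == "") grs = 1; else rs = 1 }
    END { check(); exit (bad ? 1 : 0) }' "$1"
}

perm_ok() { case $(ls -ld "$1") in -rw-------*) return 0 ;; *) return 1 ;; esac; }

# Constructed samples: the menu.lst has a second (Windows) entry without lock.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/menu.lst" <<'EOF'
default=0
password --md5 $1$YYO5V0$8yLLVTxttR9./wuE0S4/q.
title RHPSecure
lock
root (hd0,6)
kernel (hd0,6)/boot/vmlinuz ro root=/dev/hda
title Windows
chainloader (hd0,0)+1
EOF
cat > "$SAMPLES/lilo.conf" <<'EOF'
image=/boot/vmlinuz
label="RHPSecure"
root=/dev/hda6
password="YourPasswordGoesHere"
restricted
EOF
chmod 600 "$SAMPLES/lilo.conf"; chmod 644 "$SAMPLES/menu.lst"
```

Run it against your real files with grub_audit /boot/grub/menu.lst, lilo_audit /etc/lilo.conf and perm_ok /etc/lilo.conf; any output line names the entry that is still unprotected.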

Be aware that setting a Lilo password will merely slow down a determined attacker. It won't prevent someone from booting a Linux mini/CD distribution and mounting your root partition.

The only way to get around this would be to disable booting from all removable media, such as floppy, CD-ROM, or zip drives, in your computer's BIOS, and then password-protect the BIOS. Would you then feel secure? You shouldn't, because all the attacker now needs to do is remove the case cover and pull the CMOS battery, and that resets your BIOS password. What you have done by setting the passwords, though, is make your computer a less easy catch: your attacker may well have moved on to easier prey once they realized how much trouble it was going to take to get into the system.

Ed Wiget
RHP Studios
"Keeping Your Data Safe!"
http://www.rhpstudios.com
606-564-0323

This article comes from Maysville Linux Users Group (MLUG) - Linux Users Helping Linux Users
http://www.maysville-linux-users-group.org

The URL for this story is:
http://www.maysville-linux-users-group.org/modules.php?name=News&file=article&sid=2