Disable grub boot menu parameters editing while booting
Need some help. I have tried googling a lot but didn't find any solution. Normally while booting we can edit the boot parameters of GRUB. Using this we can log in to the machine as root without entering the root password. Below is a screenshot of an example of this.

So, I don't want GRUB to let anyone edit these parameters. I want to disable the editing completely. I know that if I lose my root password, I can forget the system, but still, I want to disable the editing of parameters. My GRUB version is 2.02+dfsg1-6kali1. Do you know how we can achieve this?
kali-linux grub2
asked Feb 13 at 9:20
RaJ
1 Answer
I suspect you are asking the wrong question.
If you manage to disable GRUB2 command line editing, you also need to modify your PC's firmware (BIOS/UEFI) to not allow booting etc. from a USB stick. In addition to that, you need a self-encrypting drive (or someone could just put it into another PC) or at least something like encrypted LVs.
There is an old rule: Physical access equals complete compromise modulo time.
My recommendation for a secure device is to understand where the security boundaries are: The boot process? The OS installation? Your personal data?
On my laptop I use an encrypted home directory and an additional encrypted partition; everything important is stored there and linked or bind-mounted to where it belongs.
EDIT
Even if I consider it security theater (a.o.t. real security), here is how to set up GRUB2 editing passwords:
In the GRUB conf headers:
set superusers="usera"
password usera passwordA
edited Feb 13 at 10:08
answered Feb 13 at 9:29
Eugen Rieck
I got your point. USB booting is already disabled. You said "If you manage to disable GRUB2 command line editing..." Is it possible? How can it be done?
– RaJ
Feb 13 at 9:51
What did you do about CMOS reset (to clear the USB boot issue), CDROM-boot, and attaching the drive to a different computer?
– Eugen Rieck
Feb 13 at 10:01
Edited my answer
– Eugen Rieck
Feb 13 at 10:08
I know there are other ways to compromise, but let's just focus on disabling GRUB2 command line editing. I just want to know if it is possible. If possible, then how?
– RaJ
Feb 13 at 10:10
As I edited into my answer, you just set up a password for superuser stuff such as editing. Be advised that this gives you no security benefit at all.
– Eugen Rieck
Feb 13 at 11:05
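An added example, not part of the original answer or comments: a POSIX shell check over a grub.cfg-style file for the password setup shown in the answer. It goes beyond the answer's two lines by also flagging the clear-text `password` form (GRUB also accepts `password_pbkdf2` with a hash from `grub-mkpasswd-pbkdf2`) and menu entries lacking `--unrestricted`; the function names and both sample configs are constructed for illustration.

```shell
# Added example, not from the thread: audit a GRUB2 config for the password
# setup shown in the answer. Prints one finding per line, nothing if clean.
audit_grub_cfg() {
    cfg=$1
    # No superusers list: GRUB never asks for a password, so the entry
    # editor and the GRUB command line stay open to anyone at the console.
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg"; then
        echo "no-superusers: menu editing and the GRUB shell are unprotected"
        return 0
    fi
    # 'password user secret' keeps the secret in clear text; password_pbkdf2
    # takes the hash printed by grub-mkpasswd-pbkdf2 instead.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "plaintext-password: use password_pbkdf2 with a hash instead"
        # Others-readable mode bit: every local user can read the secret.
        if [ -n "$(find "$cfg" -perm -004)" ]; then
            echo "world-readable: clear-text GRUB password visible to all users"
        fi
    fi
    # With superusers set, an entry without --unrestricted needs a password
    # just to boot, which stalls unattended reboots.
    locked=$(grep -E '^[[:space:]]*menuentry[[:space:]]' "$cfg" |
        grep -vc -- '--unrestricted' || true)
    if [ "$locked" -gt 0 ]; then
        echo "locked-entries: $locked menuentry line(s) need a password to boot"
    fi
}

# Constructed sample: the answer's two lines plus one menu entry.
write_weak_sample() {
    cat > "$1" <<'EOF'
set superusers="usera"
password usera passwordA
menuentry 'Kali GNU/Linux' --class os {
    linux /vmlinuz root=/dev/sda1 ro
}
EOF
}

# Constructed sample: placeholder hash; booting is open, editing is not.
write_hardened_sample() {
    cat > "$1" <<'EOF'
set superusers="usera"
password_pbkdf2 usera grub.pbkdf2.sha512.10000.SALT_PLACEHOLDER.HASH_PLACEHOLDER
menuentry 'Kali GNU/Linux' --class os --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro
}
EOF
}
```

On a Debian-based system the generated file to audit is normally `/boot/grub/grub.cfg`, for example `audit_grub_cfg /boot/grub/grub.cfg` run as root.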