1

It is my understanding that one can change a root password starting from the GRUB Menu on Fedora (and RHEL derivatives). Therefore I want to hide the GRUB Menu and, if possible, have it show only when I edit the GRUB file again (no keymaps if possible).

I have tried to edit /etc/default/grub and ran grub-mkconfig -o /boot/grub2/grub.cfg, but the GRUB Menu is still showing.

1
  • 1
    It would be helpful if you share with us the details you have tried to apply to your Grub configuration. By the way, not only RHEL and Fedora are affected by what you describe. If you are really scared that someone changes your root password, set a password in BIOS, don't allow booting from any device in BIOS but the HDD you want to boot, set a Grub password (see here) and encrypt your disk. Commented Sep 4, 2016 at 9:50

1 Answer

1

To hide the GRUB menu you need to have the following in /etc/default/grub:

GRUB_HIDDEN_TIMEOUT=1
GRUB_HIDDEN_TIMEOUT_QUIET=true
#GRUB_TIMEOUT=0

This will NOT prevent a user from using the bootloader to gain root access to your system as pressing ESC during boot will cause the menu to appear.


Bootloader security

Physical access provides a very large attack surface to secure. If you want to protect from the easy attacks you need to set a password on your BIOS, prevent booting from removable disks, password protect GRUB and put a physical lock on your computer case. Each of these is important and any of them can be bypassed easily unless you do all of them. Alternatively you can use full disk encryption that requires a password on boot (physical security is still important in this case though).


GRUB password protection

To password protect GRUB and prevent modifying boot settings (this prevents the specific attack you mentioned) you should do the following:

Run grub2-mkpasswd-pbkdf2 to generate a password hash.

Edit (or create) /etc/grub.d/01_users to look like the following:

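#!/bin/sh -e
# Emit the superuser and its password hash into the generated grub.cfg.
# The name in superusers must match the name on the password_pbkdf2 line.
cat <<EOF
set superusers="someusername"
password_pbkdf2 someusername output_from_grub2-mkpasswd-pbkdf2
EOF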

At this point if you run grub2-mkconfig -o /boot/grub2/grub.cfg (or grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg on EFI systems) you will need to put in the username and password from above every boot. To allow booting the default menu entry without needing the password you can edit /etc/grub.d/10_linux and change the following line:

CLASS="--class gnu-linux --class gnu --class os" 

To:

CLASS="--class gnu-linux --class gnu --class os --unrestricted" 

After all this run grub2-mkconfig -o /boot/grub2/grub.cfg and reboot to test the changes.
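A way to check the result of the steps above before rebooting, as an added example that is not part of the original answer: audit_grub_cfg (a hypothetical helper name) reads a generated grub.cfg, confirms that every name in superusers has a matching password_pbkdf2 line, and counts the menu entries marked --unrestricted. The sample config, its entry titles and its hash string are constructed, and the check assumes menu entries are written into grub.cfg itself.

```shell
#!/bin/sh
# Added example: audit a generated grub.cfg for the password setup described above.
# audit_grub_cfg is a hypothetical helper; returns 0 only if every superuser has a hash.
audit_grub_cfg() {
    cfg=$1
    # Names from: set superusers="a,b" (GRUB accepts space , ; & | as separators)
    users=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers="\([^"]*\)".*/\1/p' "$cfg" | tr ',;&|' '    ')
    if [ -z "$users" ]; then
        echo "FAIL: no superusers set; boot entries can be edited without a password"
        return 1
    fi
    rc=0
    for u in $users; do
        if grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$u[[:space:]]+grub\.pbkdf2\." "$cfg"; then
            echo "OK: superuser $u has a PBKDF2 hash"
        elif grep -Eq "^[[:space:]]*password[[:space:]]+$u[[:space:]]" "$cfg"; then
            echo "FAIL: superuser $u uses a plaintext password"; rc=1
        else
            echo "FAIL: superuser $u has no password entry"; rc=1
        fi
    done
    # Entries marked --unrestricted boot without credentials; editing them still needs a superuser.
    total=$(grep -Ec '^[[:space:]]*menuentry[[:space:]]' "$cfg" || true)
    open=$(grep -E '^[[:space:]]*menuentry[[:space:]]' "$cfg" | grep -c -- '--unrestricted' || true)
    echo "INFO: $open of $total menu entries boot without a password (--unrestricted)"
    return $rc
}

# Constructed sample of a generated grub.cfg (not taken from a real system).
sample=$(mktemp)
cat >"$sample" <<'EOF'
### constructed sample
set superusers="someusername"
password_pbkdf2 someusername grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
menuentry 'Fedora (constructed entry)' --class gnu-linux --class gnu --class os --unrestricted {
}
menuentry 'Fedora rescue (constructed entry)' --class gnu-linux --class gnu --class os {
}
EOF
audit_grub_cfg "$sample"
```

On a real system, pass the file that grub2-mkconfig wrote, for example /boot/grub2/grub.cfg, and run it as root since that file is normally not world-readable.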
