SDB:Setting a Password for the Boot Manager GRUB


Version: 8.1


This article describes how to set a password for the boot manager GRUB in order to block GRUB's interactive menu and/or prevent certain operating systems in the selection list from being booted.


As the boot manager GRUB directly supports many file systems, the hard disk contents can be accessed during booting. For example, even files that Linux users without root permissions cannot access once the Linux system has started can be viewed at this stage (see SDB:The Boot Manager Grub).

Blocking the Interactive Functions Only (All Operating Systems Can Be Booted as Usual)

Using YaST2 is the easiest way to set up a password query. Start the YaST2 Control Center and enter the following menu:

  • System -->
  • Bootloader configuration
  • Modify current configuration

In this menu you can first determine where to install GRUB: in the Master Boot Record (MBR) of the first hard disk, on a floppy disk, in the boot sector of the boot partition or the root partition, or in another partition.

Press Next to proceed to the Global Bootloader Properties dialog. Mark Use password for booting and enter the password twice.

Press Next to proceed to the configuration of the Sections table, which you can skip by pressing Next.

Select Save current configuration and press Finish in order to save the modifications to the hard disk. The execution of GRUB commands at the boot prompt is now protected. It is only unlocked after pressing "p" and entering the password. However, all operating systems listed in the selection menu of the boot loader can still be booted by all users.

Locking Operating System Entries

Additionally, if you want to block the selection of individual entries in the boot menu, the file /boot/grub/menu.lst must be edited manually. Open this file in an ASCII editor of your choice (as root). The word title introduces the sections for booting the individual operating systems. Example:

title linux
   kernel (hd0,4)/vmlinuz root=/dev/hda7 vga=791
   initrd (hd0,4)/initrd
title windows
   root (hd0,0)
   chainloader +1
title floppy
   root (fd0)
   chainloader +1
title failsafe
   kernel (hd0,4)/vmlinuz.shipped root=/dev/hda7 ide=nodma apm=off acpi=off vga=normal nosmp maxcpus=0 3
   initrd (hd0,4)/initrd.shipped

If you want to prevent a certain entry from being booted by unauthorized individuals, insert the word lock under the respective section. Example:

title linux
   lock
   kernel (hd0,4)/vmlinuz root=/dev/hda7 vga=791
   initrd (hd0,4)/initrd

The changes will be adopted when the file is saved.
In this example, this Linux entry can only be booted if the password is entered. Following a reboot, if this entry is selected from the boot menu, the following message will appear:

Error 32: Must be authenticated

Press the Enter key to go to the menu in which you can enter the password by pressing p. The locked operating system entries can now be booted.

Inserting the Password Manually

If you do not want to use YaST2 to insert the password, proceed as follows: In order to encrypt the password for increased security, execute the command grub-md5-crypt in a shell (as root). You will be asked for the password. After the password is entered, it will be displayed in encrypted form:

linux:~ # grub-md5-crypt

Append this string to the global section of the file /boot/grub/menu.lst. The option that needs to be appended is password --md5. The section might look as follows:

gfxmenu (hd0,0)/message
color white/green black/light-gray
default 0
timeout 8
password --md5 $1$xmY1T/$wL6rbH2VC2L3ITFGiveLq.

The changes will be adopted when the file is saved.
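
To check a finished /boot/grub/menu.lst against the steps above, the following added example (not part of the original SDB article) reports whether the global section has a password --md5 line and which title sections carry lock. The function name and the sample file are constructed for illustration; the "lock not first" status follows the GRUB manual's advice to place lock directly after title.

```python
import re

# Constructed sample in the menu.lst format used on this page
# (the hash is the page's own example value).
SAMPLE = """\
default 0
timeout 8
password --md5 $1$xmY1T/$wL6rbH2VC2L3ITFGiveLq.
title linux
   lock
   kernel (hd0,4)/vmlinuz root=/dev/hda7 vga=791
   initrd (hd0,4)/initrd
title windows
   root (hd0,0)
   chainloader +1
title failsafe
   kernel (hd0,4)/vmlinuz.shipped root=/dev/hda7 3
   lock
"""

def audit_menu_lst(text):
    """Return (global_password, {title: status}) for GRUB legacy menu.lst text."""
    password = "missing"      # "missing", "plaintext" or "md5"
    entries = {}              # title -> "unlocked", "locked" or "lock not first"
    current = None            # title of the section being read, None = global part
    first_cmd = True          # True until a command has been seen in the section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # GRUB legacy accepts "command arg" as well as "command=arg".
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        cmd, arg = parts[0], parts[1] if len(parts) > 1 else ""
        if cmd == "title":
            current, first_cmd = arg, True
            entries[current] = "unlocked"
        elif current is None:
            if cmd == "password":
                password = "md5" if arg.startswith("--md5") else "plaintext"
        else:
            if cmd == "lock":
                # Commands placed before lock run without authentication.
                entries[current] = "locked" if first_cmd else "lock not first"
            first_cmd = False
    return password, entries

if __name__ == "__main__":
    pw, entries = audit_menu_lst(SAMPLE)  # or open("/boot/grub/menu.lst").read()
    print("global password:", pw)
    for title, status in entries.items():
        print(f"{title}: {status}")
```

A result of "missing" together with locked entries means the lock lines have no password to check against, so the global password line should be added first.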

SDB:The Boot Manager Grub

SDB:The Boot Loader Concept in SuSE Linux 8.1