Preventing kernel parameter edits on Ubuntu

Ubuntu doesn't have that cool utility that Red Hat and CentOS have, so you'll have to set a GRUB 2 password by hand-editing a configuration file.

In the /etc/grub.d/ directory, you'll see the files that make up the GRUB 2 configuration:

donnie@ubuntu3:/etc/grub.d$ ls -l
total 76
-rwxr-xr-x 1 root root 9791 Oct 12 16:48 00_header
-rwxr-xr-x 1 root root 6258 Mar 15 2016 05_debian_theme
-rwxr-xr-x 1 root root 12512 Oct 12 16:48 10_linux
-rwxr-xr-x 1 root root 11082 Oct 12 16:48 20_linux_xen
-rwxr-xr-x 1 root root 11692 Oct 12 16:48 30_os-prober
-rwxr-xr-x 1 root root 1418 Oct 12 16:48 30_uefi-firmware
-rwxr-xr-x 1 root root 214 Oct 12 16:48 40_custom
-rwxr-xr-x 1 root root 216 Oct 12 16:48 41_custom
-rw-r--r-- 1 root root 483 Oct 12 16:48 README
donnie@ubuntu3:/etc/grub.d$

The file you want to edit is the 40_custom file. However, before you edit the file, you'll need to create the password hash. Do that with the grub-mkpasswd-pbkdf2 utility:

donnie@ubuntu3:/etc/grub.d$ grub-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F1BA16B2799CBF6A6DFBA537D43222A0D5006124ECFEB29F5C81C9769C6C3A66BF53C2B3AB71BEA784D4386E86C991F7B5D33CB6C29EB6AA12C8D11E0FFA0D40.371648A84CC4131C3CFFB53604ECCBA46DA75AF196E970C98483385B0BE026590C63A1BAC23691517BC4A5D3EDF89D026B599A0D3C49F2FB666F9C12B56DB35D
donnie@ubuntu3:/etc/grub.d$

Open the 40_custom file in your favorite editor and add a line that defines who the superuser(s) will be. Add another line for the password hash. In my case, the file now looks like this:

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.

set superusers="donnie"

password_pbkdf2 donnie grub.pbkdf2.sha512.10000.F1BA16B2799CBF6A6DFBA537D43222A0D5006124ECFEB29F5C81C9769C6C3A66BF53C2B3AB71BEA784D4386E86C991F7B5D33CB6C29EB6AA12C8D11E0FFA0D40.371648A84CC4131C3CFFB53604ECCBA46DA75AF196E970C98483385B0BE026590C63A1BAC23691517BC4A5D3EDF89D026B599A0D3C49F2FB666F9C12B56DB35D


The string of text that begins with password_pbkdf2 is all one line that wraps around on the printed page.

After you save the file, the last step is to generate a new grub.cfg file:

donnie@ubuntu3:/etc/grub.d$ sudo update-grub

Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.4.0-104-generic
Found initrd image: /boot/initrd.img-4.4.0-104-generic
Found linux image: /boot/vmlinuz-4.4.0-101-generic
Found initrd image: /boot/initrd.img-4.4.0-101-generic
Found linux image: /boot/vmlinuz-4.4.0-98-generic
Found initrd image: /boot/initrd.img-4.4.0-98-generic
done
donnie@ubuntu3:/etc/grub.d$

Now, when I reboot this machine, I have to enter my password before editing the kernel parameters.

There's only one problem with this. Not only does this prevent anyone except the superuser from editing the kernel parameters, but it also prevents anyone except for the superuser from booting normally. Yes, that's right. Even for normal booting, Ubuntu will now require you to enter the username and password of the authorized superuser. The fix is easy, although not at all elegant.

The fix requires inserting a single word into the /boot/grub/grub.cfg file. Easy enough, right? However, it's not an elegant solution because you're not really supposed to hand-edit the grub.cfg file. At the top of the file, we can see this:

# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

This means that every time we do something that will update the grub.cfg file, any hand-edits that we've made to the file will be lost. This includes when we do a system update that installs a new kernel, or when we do a sudo apt autoremove that removes any old kernels that we no longer need. The supreme irony, though, is that the official GRUB 2 documentation tells us to hand-edit the grub.cfg file to deal with these sorts of problems.

Anyway, to fix things so that you no longer need to enter the password to boot normally, open the /boot/grub/grub.cfg file in your favorite text editor. Look for the first line that begins with menuentry, which should look something like this:

menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-f0f002e8-16b2-45a1-bebc-41e518ab9497' {

Before the opening curly brace at the end of the line, add --unrestricted as a text string. The menuentry should now look like this:

menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-f0f002e8-16b2-45a1-bebc-41e518ab9497' --unrestricted {

Save the file and test it by rebooting the machine. You should see that the machine now boots up normally on the default boot option. However, you'll also see that a password will still be required to access the Advanced options for Ubuntu submenu. We'll fix this in just a bit.
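
Because anything that regenerates grub.cfg discards the hand-edit, it helps to script both the check and the fix. The following is an added example, not part of the original text: the function names and the sample grub.cfg (with a placeholder hash and placeholder IDs) are constructed for illustration, and the demo works on a temporary file rather than /boot/grub/grub.cfg.

```shell
#!/bin/sh
# Added example: audit a grub.cfg and re-apply the lost --unrestricted edit.

make_sample_cfg() {   # write a CONSTRUCTED grub.cfg (placeholder hash and IDs) to $1
    cat > "$1" <<'EOF'
# DO NOT EDIT THIS FILE
set superusers="donnie"
password_pbkdf2 donnie grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
menuentry 'Ubuntu' --class ubuntu --class os $menuentry_id_option 'gnulinux-simple-EXAMPLE' {
    linux /boot/vmlinuz-EXAMPLE root=/dev/sda1 ro
}
submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-EXAMPLE' {
    menuentry 'Ubuntu, recovery mode' $menuentry_id_option 'gnulinux-recovery-EXAMPLE' {
        linux /boot/vmlinuz-EXAMPLE root=/dev/sda1 ro recovery
    }
}
EOF
}

password_protected() {   # true if $1 sets superusers and a PBKDF2 password
    grep -Eq '^[[:space:]]*set superusers=' "$1" &&
        grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.' "$1"
}

first_entry_unrestricted() {   # true if the first menuentry line has the flag
    grep -m 1 -E '^[[:space:]]*menuentry ' "$1" | grep -q -- '--unrestricted'
}

count_restricted() {   # print how many menuentry lines still demand the password
    awk '/^[ \t]*menuentry / && !/--unrestricted/ { n++ } END { print n + 0 }' "$1"
}

restore_unrestricted() {   # idempotently add the flag to the first menuentry in $1
    password_protected "$1" || { echo "no superuser password in $1" >&2; return 2; }
    tmp=$(mktemp) || return 1
    awk '!done && /^[ \t]*menuentry / {
             if ($0 !~ /--unrestricted/) sub(/[ \t]*[{][ \t]*$/, " --unrestricted {")
             done = 1
         }
         { print }' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps owner and mode
    rc=$?; rm -f "$tmp"; return "$rc"
}

# Demo on a temporary copy; /boot/grub/grub.cfg is never touched here.
demo=$(mktemp); make_sample_cfg "$demo"
echo "restricted entries before: $(count_restricted "$demo")"
restore_unrestricted "$demo"
echo "restricted entries after:  $(count_restricted "$demo")"
grep -n -- '--unrestricted' "$demo"; rm -f "$demo"
```

On a real system, run restore_unrestricted /boot/grub/grub.cfg as root after anything that regenerates the file, such as update-grub or a kernel install. The remaining restricted entry in the demo output is the recovery entry inside the Advanced options submenu, which still asks for the superuser password.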
