19.1 Authentication and authorisation in GRUB

By default, the boot loader interface is accessible to anyone with physical access to the console: anyone can select and edit any menu entry, and anyone can get direct access to a GRUB shell prompt. For most systems, this is reasonable since anyone with direct physical access has a variety of other ways to gain full access, and requiring authentication at the boot loader level would only serve to make it difficult to recover broken systems.

However, in some environments, such as kiosks, it may be appropriate to lock down the boot loader to require authentication before performing certain operations.

The ‘password’ (see password) and ‘password_pbkdf2’ (see password_pbkdf2) commands can be used to define users, each of which has an associated password. ‘password’ sets the password in plain text, requiring grub.cfg to be secure; ‘password_pbkdf2’ sets the password hashed using the Password-Based Key Derivation Function (RFC 2898), requiring the use of grub-mkpasswd-pbkdf2 (see Invoking grub-mkpasswd-pbkdf2) to generate password hashes.

In order to enable authentication support, the ‘superusers’ environment variable must be set to a list of usernames, separated by any of spaces, commas, semicolons, pipes, or ampersands. Superusers are permitted to use the GRUB command line, edit menu entries, and execute any menu entry. If ‘superusers’ is set, then use of the command line and editing of menu entries are automatically restricted to superusers. Setting ‘superusers’ to empty string effectively disables both access to CLI and editing of menu entries. Note: The environment variable needs to be exported to also affect the section defined by the ‘submenu’ command (see submenu).

Other users may be allowed to execute specific menu entries by giving a list of usernames (as above) using the --users option to the ‘menuentry’ command (see menuentry). If the --unrestricted option is used for a menu entry, then that entry is unrestricted. If the --users option is not used for a menu entry, then that only superusers are able to use it.

Putting this together, a typical grub.cfg fragment might look like this:

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
password user1 insecure

menuentry "May be run by any user" --unrestricted {
	set root=(hd0,1)
	linux /vmlinuz
}

menuentry "Superusers only" --users "" {
	set root=(hd0,1)
	linux /vmlinuz single
}

menuentry "May be run by user1 or a superuser" --users user1 {
	set root=(hd0,2)
	chainloader +1
}

The grub-mkconfig program does not yet have built-in support for generating configuration files with authentication. You can use /etc/grub.d/40_custom to add simple superuser authentication, by adding set superusers= and password or password_pbkdf2 commands.