
21.6. GRUB 2 Password Protection

GRUB 2 supports both plain-text and encrypted passwords in the GRUB 2 template files. To enable the use of passwords, specify a superuser who can reach the protected entries. Other users can be specified to access these entries as well. Menu entries can be password-protected for booting by adding one or more users to the menu entry as described in Section 21.6.1, “Setting Up Users and Password Protection, Specifying Menu Entries”. To use encrypted passwords, see Section 21.6.2, “Password Encryption”.

Warning

If you do not use the correct format for the menu, or modify the configuration in an incorrect way, you might be unable to boot your system.
All menu entries can be password-protected against changes by setting superusers, which can be done in the /etc/grub.d/00_header or the /etc/grub.d/01_users file. The 00_header file is very complicated; if possible, avoid modifying it. Menu entries should be placed in the /etc/grub.d/40_custom file and users in the /etc/grub.d/01_users file. The 01_users file is generated by the installation application anaconda when a GRUB boot loader password is used in a kickstart template (create and use it if it does not exist). Examples in this section follow this policy.

21.6.1. Setting Up Users and Password Protection, Specifying Menu Entries

  1. To specify a superuser, add the following lines in the /etc/grub.d/01_users file, where john is the name of the user designated as the superuser, and johnspassword is the superuser's password:
    cat <<EOF
    set superusers="john"
    password john johnspassword
    EOF
  2. To allow other users to access the menu entries, add additional lines per user at the end of the /etc/grub.d/01_users file.
    cat <<EOF
    set superusers="john"
    password john johnspassword
    password jane janespassword
    EOF
  3. When the users and passwords are set up, specify the menu entries that should be password-protected in the /etc/grub.d/40_custom file in a similar fashion to the following:
    menuentry 'Red Hat Enterprise Linux Server' --unrestricted {
    set root=(hd0,msdos1)
    linux   /vmlinuz
    }
    
    menuentry 'Fedora' --users jane {
    set root=(hd0,msdos2)
    linux   /vmlinuz
    }
    
    menuentry 'Red Hat Enterprise Linux Workstation' {
    set root=(hd0,msdos3)
    linux   /vmlinuz
    }
In the above example:
  • john is the superuser and can therefore boot any menu entry, use the GRUB 2 command line, and edit items of the GRUB 2 menu during boot. In this case, john can access all three entries: Red Hat Enterprise Linux Server, Fedora, and Red Hat Enterprise Linux Workstation. Note that only john can access Red Hat Enterprise Linux Workstation because neither the --users nor the --unrestricted option has been used.
  • User jane can boot Fedora since she was granted the permission in the configuration.
  • Anyone can boot Red Hat Enterprise Linux Server because of the --unrestricted option, but only john can edit the menu entry, as a superuser has been defined. When a superuser is defined, all entries are protected against unauthorized changes, and all entries are protected for booting unless they carry the --unrestricted parameter.
If you neither specify a user for a menu entry nor use the --unrestricted option, then only the superuser will have access to that entry.
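As an added example (not part of the Fedora guide), the following POSIX shell script reads a grub.cfg or a 40_custom-style fragment and reports, for each menuentry, who may boot it under the rules just described. It assumes only that the set superusers= line precedes the entries, as it does when 01_users is processed before 40_custom; the sample configuration it embeds is constructed from the example above.

```shell
# Added example, not from the Fedora guide: report who may boot each
# menuentry in a GRUB 2 config under the superusers/--users/--unrestricted
# rules above. Usage: grub_entry_access /boot/grub2/grub.cfg
grub_entry_access() {
    # $1: grub.cfg or a /etc/grub.d/40_custom-style fragment; only
    # "set superusers=" and "menuentry" lines are inspected.
    awk -v q="'" '
        /^[ \t]*set[ \t]+superusers=/ {
            su = $0; sub(/.*superusers=/, "", su); gsub("[" q "\"]", "", su)
        }
        /^[ \t]*menuentry[ \t]/ {
            title = $0
            sub("^[ \t]*menuentry[ \t]+[" q "\"]", "", title)
            sub("[" q "\"].*", "", title)
            if (su == "") { who = "anyone, editable by anyone (no superusers set)" }
            else if ($0 ~ /--unrestricted/) { who = "anyone (only superusers may edit)" }
            else if (match($0, /--users[ \t]+[^ \t{]+/)) {
                u = substr($0, RSTART, RLENGTH); sub(/--users[ \t]+/, "", u)
                who = "superusers (" su ") and " u
            } else { who = "superusers (" su ") only" }
            print title ": " who
        }' "$1"
}

# Constructed sample combining the 01_users and 40_custom examples above.
write_sample_config() {
    cat >"$1" <<'EOF'
set superusers="john"
password john johnspassword
password jane janespassword
menuentry 'Red Hat Enterprise Linux Server' --unrestricted {
    set root=(hd0,msdos1)
    linux   /vmlinuz
}
menuentry 'Fedora' --users jane {
    set root=(hd0,msdos2)
    linux   /vmlinuz
}
menuentry 'Red Hat Enterprise Linux Workstation' {
    set root=(hd0,msdos3)
    linux   /vmlinuz
}
EOF
}

sample=$(mktemp); write_sample_config "$sample"
grub_entry_access "$sample"; rm -f "$sample"
```

Running it against the real /boot/grub2/grub.cfg after grub2-mkconfig is a quick way to confirm that no entry remains bootable by anyone unintentionally.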
After you have made changes in the template file the GRUB 2 configuration file must be updated.
Rebuild the grub.cfg file by running the grub2-mkconfig -o command as follows:
  • On BIOS-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • On UEFI-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg