On Fri 18 Mar 2016 at 18:59:39 (+0530), Raj Kiran Grandhi wrote:
> > > But, be advised that once you do this, all the menu entries in grub will
> > be
> > > inaccessible until the password is supplied.
> > > It would be nice to have a way of requiring a password only if it
> > required
> > > to boot a non-default entry.
> >
> > That's what
> > menuentry "May be run by any user" --unrestricted {
> > is for. The documentation example runs thus:
> >
> >
> Yes, I had read through that. But that would mean editing
> /boot/grub/grub.cfg manually and losing the changes every time grub-update
> is run. What I could not figure out was to having the --unrestricted be
> appended automatically for the default entry (In my case, GRUB_DEFAULT=0
> which boots the default kernel) every time grub-update was run.
You've just appended
set superusers=...
password ...
to the end of /etc/grub.d/40_custom so carry on typing and add your
unrestricted/default entry right there:
set superusers=...
password ...
menuentry "May be run by any user" --unrestricted { ...
...
Obviously change "May be run by any user" into a more convenient and
obvious string like "normal" and give that name to grub-set-default so
that it gets written into the /boot/grub/grubenv file. (Check that.)
I'm assuming you've got GRUB_DEFAULT=saved in your /etc/default/grub
file (and that you refuse any automatic updating of that file).
Cheers,
David.
