Hi Max! On 02/13/2018 10:49 AM, Max Harmathy wrote:
The main reason why we have a patched version is to restrict the fallback options using a password provided by the administrators (see attachment). The fallback options basically provide the possibility to drop to a root shell, which is not what you want on client systems in a large enterprise environment.
I'm pretty sure it also works with the default GRUB package.
There is a way to set a password in the Ubuntu package. I haven't looked up in which way that mechanism comes from upstream grub or is added by debian/ubuntu. Anyway it lets you set a password for all the entries or for none. Thus we use the debian debconf mechanism to set a password for the fallback options only.
No, that's not what the password mechanism does, at least not the one in the Debian package - I'm not sure whether this was patched in Debian since I didn't check - but I am very confident that the password protection in GRUB2 does exactly that: It allows booting the default entry but not anything else. We've been using it here at the physics department at FU Berlin (I'm the SUSE guy you met who has his office here).
We very much appreciate the proposal for adding a simple configuration interface as presented at FOSDEM. Please keep our use case in mind while developing. I guess every desktop distribution would benefit from it, since most of them have such fallback options.
Did you actually try setting a password without patch GRUB2? We just added the following to /etc/grub.d/40_custom: #!/bin/sh exec tail -n +3 $0 # This file provides an easy way to add custom menu entries. Simply type the # menu entries you want to add after this comment. Be careful not to change # the 'exec tail' line above. #Password Protection set superusers="root" password_pbkdf2 root grub.pbkdf2.sha512.10000.<password hash> Adrian -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
