Red Hat Bugzilla – Bug 1288108
SysAdminGuide: grub2 password protection section should be updated
Last modified: 2016-11-08 07:40:55 EST
Section Number and Name:
24.6. GRUB 2 Password Protection
Describe the issue:
I think there are a few issues:
- Document mentions that 01_users should be created if it wasn't during system installation. It should also mention that the file needs to be made executable to actually get used during grub2-mkconfig. Similarly, it should suggest safe permissions (e.g. 700) to avoid having the password in a world-readable file.
- Well, the above is no longer relevant on 7.2, as 01_users is now packaged and I do not think it's expected to have username / passwords defined in it directly any more.
Instead, the document should mention grub2-setpassword, which was added in 7.2 (see bug 985962), as the default 01_users now has commands to read the password from /boot/grub2/user.cfg generated by that command.
- Document describes how to create custom password protected boot menu entries in 40_custom. However, it's probably not what most users care about or want to do. I think the document should explicitly describe the impact the creation of a superuser has on the default entries generated by the 10_linux (i.e. with a superuser defined, it's no longer possible to edit the boot command line without providing a password, but any boot menu entry can be selected, as all entries generated by 10_linux have --unrestricted). The following kbase describes how to make grub2 require a password during boot:
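
Added example, separate from the report above: it is neither the kbase article the report refers to nor Red Hat's code. It is a shell check for the three points raised: whether 01_users is executable, whether a password written directly in it is readable by group or others, and how many menu entries still boot without a password because of --unrestricted. The function name, the finding labels and the default paths /etc/grub.d and /boot/grub2/grub.cfg are assumptions, and the literal-password test is a heuristic.

```shell
#!/bin/sh
# Added example: audit the GRUB 2 password setup described in the report.
# Usage: audit_grub_password [GRUB_D_DIR] [USER_CFG] [GRUB_CFG]
# Default paths are assumptions (BIOS layout); pass copies to run offline.
audit_grub_password() {
    grub_d=${1:-/etc/grub.d}
    user_cfg=${2:-/boot/grub2/user.cfg}
    grub_cfg=${3:-/boot/grub2/grub.cfg}
    users=$grub_d/01_users
    rc=0 protected=no

    if [ ! -f "$users" ]; then
        echo "MISSING $users"; rc=1
    else
        # grub2-mkconfig skips grub.d scripts that are not executable.
        [ -x "$users" ] || { echo "NOT_EXECUTABLE $users"; rc=1; }
        # Heuristic: a password line with no "$" holds a literal
        # password or hash, not the ${GRUB2_PASSWORD} reference.
        if grep -E '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$users" |
                grep -qv '[$]'; then
            protected=yes
            # ls -l columns 5-10 are the group and other permission bits.
            case $(ls -ld "$users" | cut -c5-10) in
                r*|???r*) echo "READABLE_PASSWORD $users"; rc=1 ;;
            esac
        fi
    fi

    # grub2-setpassword stores the hash as GRUB2_PASSWORD= in user.cfg.
    if [ -f "$user_cfg" ] && grep -q '^GRUB2_PASSWORD=' "$user_cfg"; then
        protected=yes
    fi
    [ "$protected" = yes ] || { echo "NO_PASSWORD"; rc=1; }

    # With a superuser set, entries marked --unrestricted still boot
    # without a password; only editing them is protected.
    if [ -f "$grub_cfg" ]; then
        entry='^[[:space:]]*menuentry[[:space:]]'
        total=$(grep -Ec "$entry" "$grub_cfg" || true)
        open=$(grep -E "$entry" "$grub_cfg" |
               grep -c -- '--unrestricted' || true)
        echo "UNRESTRICTED $open/$total"
    fi
    return $rc
}
```

The function returns non-zero when any of MISSING, NOT_EXECUTABLE, READABLE_PASSWORD or NO_PASSWORD is reported; the UNRESTRICTED line is informational.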