Description of Problem:

The installer does not set a GRUB password to protect unauthorized users from accessing command-line mode. This is a problem because arbitrary files on the filesystem can be viewed from GRUB's command line with the 'cat' command. This doesn't just expose /etc/shadow, this exposes files that may contain clear-text passwords (example: /etc/ldap.secret).

Steps to Reproduce:

Given: System using GRUB as a bootloader, no password set, and / is on /dev/hda2 (hd0,1). /etc/shadow is standing in for some arbitrary file.

Boot the system, type <c> to get to the grub> prompt.

grub> cat (hd0,1)/etc/shadow

Actual Results:

/etc/shadow is displayed

Additional Information:

Setting a GRUB password still allows users to boot any predefined title entries without the password; it only locks out menu-editing and CLI mode.

Users should be given the option at install time to set a GRUB password. GRUB supports standard MD5 passwords. I see some possible ways to fix this here:

* A check box to set the GRUB password to the install-time root password, in the installer's bootloader selection screen.
* A text box in the bootloader selection screen to allow users to set an arbitrary GRUB password at install time.
We'll look at addressing this before beta 2.
You now have the option to set a GRUB password in GUI, TUI, and kickstart.
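
An added example, not part of the original report or the installer's code: a small audit of a GRUB legacy configuration that reports whether a global password protects menu editing and the grub> prompt, whether it is stored with --md5, and which title entries still boot without a password, as the report notes. The sample config, its placeholder hash, and the function names are constructed for illustration; the per-entry `lock` directive is GRUB legacy syntax that the report does not mention.

```python
import re

# Constructed sample of a GRUB legacy config; the hash is a placeholder.
SAMPLE_CONF = """\
default=0
password --md5 $1$PLACEHOLDER$notarealhashvalue000000
title Linux
    root (hd0,1)
    kernel /boot/vmlinuz ro root=/dev/hda2
title Rescue (single user)
    lock
    root (hd0,1)
    kernel /boot/vmlinuz ro root=/dev/hda2 single
"""

def audit_grub_conf(text):
    """Parse a GRUB legacy config and record its password protection."""
    report = {"global_password": False, "md5": False, "entries": []}
    entry = None  # None while still in the global section, before any title
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Commands are separated from arguments by whitespace or '='.
        fields = re.split(r"[\s=]+", line, maxsplit=1)
        cmd, arg = fields[0], (fields[1] if len(fields) > 1 else "")
        if cmd == "title":
            entry = {"title": arg, "locked": False, "password": False}
            report["entries"].append(entry)
        elif cmd == "password":
            if entry is None:
                report["global_password"] = True
                report["md5"] = arg.startswith("--md5")
            else:
                entry["password"] = True  # per-entry password prompt
        elif cmd == "lock" and entry is not None:
            entry["locked"] = True  # entry requires the global password
    return report

def findings(report):
    """Turn the parsed report into a list of human-readable findings."""
    out = []
    if not report["global_password"]:
        out.append("no global password: menu editing and the grub> command line are open")
    elif not report["md5"]:
        out.append("global password is stored in clear text; use --md5")
    for e in report["entries"]:
        if not (e["locked"] or e["password"]):
            out.append("entry boots without a password: " + e["title"])
    return out
```

Run `findings(audit_grub_conf(open(path).read()))` against the real config file on the system being checked; the path differs between distributions.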