[gentoo-user] grub passwords - how do I limit OS selection?

[gentoo-user] grub passwords - how do I limit OS selection?

[Mark Knecht]

Hi,
   I would like to limit OS selection at boot time. The machine has
Gentoo and Windows. Gentoo *must* be the booted OS unless a password
is entered. I have tried the password feature in grub but it does not
implement this feature. It implements changing boot time kernel
options, but not OS choice as far as I can tell.

   I also tried adding the hiddenmenu option in grub but it seems that
with hiddenmenu turned on grub never accepts a password.

   Is there a way to implement what I need? If you can provide an
example that would be great.

NOTE: I currently do this be editing the grub file itself but I'm
looking for something more sophisticated since I'd like my wife to be
able to boot Windows but not my son.

Thanks all,
Mark
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] grub passwords - how do I limit OS selection?

[Arturo 'Buanzo' Busleiman]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Knecht wrote:
> NOTE: I currently do this be editing the grub file itself but I'm
> looking for something more sophisticated since I'd like my wife to be
> able to boot Windows but not my son.

Have windows users, then. Let your son boot it, but not use it.

- --
Arturo "Buanzo" Busleiman - VPN Mail Project - http://vpnmail.buanzo.com.ar
Consultor en Seguridad Informatica - http://www.buanzo.com.ar
Genetic - A multiplatform Gentoo Portage Frontend - http://genetic.sourceforge.net
for f in www blog linux-consulting vpnmail; do firefox http://$f.buanzo.com.ar ; done
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEzM6fAlpOsGhXcE0RAlenAJwOrJIZELZ5LsXsG6ZFJ66ZwAKv4gCffdMW
KsZLVSipyMcF+Oo6B/QJwoU=
=x5KS
-----END PGP SIGNATURE-----
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] grub passwords - how do I limit OS selection?

[Mark Knecht]

On 7/30/06, Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mark Knecht wrote:
> > NOTE: I currently do this be editing the grub file itself but I'm
> > looking for something more sophisticated since I'd like my wife to be
> > able to boot Windows but not my son.
>
> Have windows users, then. Let your son boot it, but not use it.
>
>

Arturo,
   Hi. Thanks for the response. Not an acceptable strategy. My son is
a Windows user for playing games. I do not want him using Windows when
he chooses since the gaming gets in the way of school, as it should
for any healthy 14 year old boy. ;-)

   What I really want is when the machine turns on he gets Linux
unless myself or my wife grants him access to Windows.

Thanks,
Mark
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] grub passwords - how do I limit OS selection?

[Rumen Yotov]

[-- Attachment #1: Type: text/plain, Size: 1135 bytes --]

Mark Knecht wrote:
> On 7/30/06, Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Mark Knecht wrote:
>> > NOTE: I currently do this be editing the grub file itself but I'm
>> > looking for something more sophisticated since I'd like my wife to be
>> > able to boot Windows but not my son.
>>
>> Have windows users, then. Let your son boot it, but not use it.
>>
>>
> 
> Arturo,
>   Hi. Thanks for the response. Not an acceptable strategy. My son is
> a Windows user for playing games. I do not want him using Windows when
> he chooses since the gaming gets in the way of school, as it should
> for any healthy 14 year old boy. ;-)
> 
>   What I really want is when the machine turns on he gets Linux
> unless myself or my wife grants him access to Windows.
> 
> Thanks,
> Mark
Hi Mark,
Check the official gentoo security guide (docs section).
...
2.b. Password protecting GRUB

GRUB supports two different ways of adding password protection to your
boot loader. The first uses plain text, while the latter uses md5+salt
encryption.
...
Haven't used it though.
HTH.Rumen

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 3493 bytes --]

Re: [gentoo-user] grub passwords - how do I limit OS selection?

[Jesús Guerrero]

El Domingo, 30 de Julio de 2006 16:09, Mark Knecht escribió:
> Hi,
>    I would like to limit OS selection at boot time. The machine has
> Gentoo and Windows. Gentoo *must* be the booted OS unless a password
> is entered. I have tried the password feature in grub but it does not
> implement this feature. It implements changing boot time kernel
> options, but not OS choice as far as I can tell.
>
>    I also tried adding the hiddenmenu option in grub but it seems that
> with hiddenmenu turned on grub never accepts a password.
>
>    Is there a way to implement what I need? If you can provide an
> example that would be great.
>
> NOTE: I currently do this be editing the grub file itself but I'm
> looking for something more sophisticated since I'd like my wife to be
> able to boot Windows but not my son.
>
> Thanks all,
> Mark

Grub cant do that.

It can protect with passwords the menu entries, to prevent anyone from editing 
them (to boot with an alternate kernel, from another root, in any other 
runlevel or stuff like that). But it cant protect -as far as I can tell- the 
entries one by one.

You want to be able to boot into linux at any given momment, and grub to ask 
you for a password if you hit enter when the Windows entry is selected. If 
that affirmation is correct, then grub cant do that for what I can tell.

I use md5 pass in grub, but it just prevent someone from editing the grub 
stuff and using a different root or kernel line to boot from.

You best bet is to use WinXp, 2k, or any other version of windows that can be 
hardened a bit. Just put a password in all the windows accounts, and do not 
give any password to your son. This way, you son will be able to see the 
Winxp login screen, but he will not be able to enter without a password.

If your son is smart enough, anyway, the passwords are nothing (he can always 
boot from the linux partition, locate the keys, and decipher them with jack 
or something similar, nt passwords are not hard to beat, and a fast search in 
the net will reveal all that you need to know to do so). So, in which regards 
children, the best bet is to cut the physicall access to the box.

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] grub passwords - how do I limit OS selection?

[John J. Foster]

[-- Attachment #1: Type: text/plain, Size: 1184 bytes --]

On Sun, Jul 30, 2006 at 07:09:41AM -0700, Mark Knecht wrote:
> Hi,
>   I would like to limit OS selection at boot time. The machine has
> Gentoo and Windows. Gentoo *must* be the booted OS unless a password
> is entered. I have tried the password feature in grub but it does not
> implement this feature. It implements changing boot time kernel
> options, but not OS choice as far as I can tell.
> 
>   I also tried adding the hiddenmenu option in grub but it seems that
> with hiddenmenu turned on grub never accepts a password.
> 
>   Is there a way to implement what I need? If you can provide an
> example that would be great.
> 
> NOTE: I currently do this be editing the grub file itself but I'm
> looking for something more sophisticated since I'd like my wife to be
> able to boot Windows but not my son.
> 
> Thanks all,
> Mark

Mark,

Unless I'm reading your needs wrong, I think you need the "lock" command
as well as the "password" command.

http://www.gnu.org/software/grub/manual/grub.html#password
http://www.gnu.org/software/grub/manual/grub.html#lock

HTH,
festus
-- 
Ambition is a poor excuse for not having enough sense to be lazy.

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] grub passwords - how do I limit OS selection?

[John J. Foster]

[-- Attachment #1: Type: text/plain, Size: 1368 bytes --]

On Sun, Jul 30, 2006 at 04:59:34PM -0400, John J. Foster wrote:
> On Sun, Jul 30, 2006 at 07:09:41AM -0700, Mark Knecht wrote:
> > Hi,
> >   I would like to limit OS selection at boot time. The machine has
> > Gentoo and Windows. Gentoo *must* be the booted OS unless a password
> > is entered. I have tried the password feature in grub but it does not
> > implement this feature. It implements changing boot time kernel
> > options, but not OS choice as far as I can tell.
> > 
> >   I also tried adding the hiddenmenu option in grub but it seems that
> > with hiddenmenu turned on grub never accepts a password.
> > 
> >   Is there a way to implement what I need? If you can provide an
> > example that would be great.
> > 
> > NOTE: I currently do this be editing the grub file itself but I'm
> > looking for something more sophisticated since I'd like my wife to be
> > able to boot Windows but not my son.
> > 
> > Thanks all,
> > Mark
> 
> Mark,
> 
> Unless I'm reading your needs wrong, I think you need the "lock" command
> as well as the "password" command.
> 
> http://www.gnu.org/software/grub/manual/grub.html#password
> http://www.gnu.org/software/grub/manual/grub.html#lock
oops - forgot one
http://www.gnu.org/software/grub/manual/grub.html#Security
-- 
Ambition is a poor excuse for not having enough sense to be lazy.

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] grub passwords - how do I limit OS selection?

[Ryan Tandy]

Mark Knecht wrote:
> My son is
> a Windows user for playing games. I do not want him using Windows when
> he chooses since the gaming gets in the way of school, as it should
> for any healthy 14 year old boy. ;-)

If you're using an NT-based version of windows (NT4, 2000, XP, or one of 
those fancy Vista previews), you can use the Administrator account (or 
any user with admin rights, e.g. your wife) to disable your son's 
account when he isn't allowed to be gaming.  Or, change his password to 
something of your choice, and type it in for him when he is allowed to 
play, same as you would at the GRUB prompt.

And if you're using a Windows <NT4, I hope for your sake it doesn't have 
network drivers installed. :)

>   What I really want is when the machine turns on he gets Linux
> unless myself or my wife grants him access to Windows.

How's your C? ;)

HTH.
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] grub passwords - how do I limit OS selection?

[Mark Knecht]

On 7/30/06, Rumen Yotov <rumen@qrypto.org> wrote:
> Hi Mark,
> Check the official gentoo security guide (docs section).
> ...
> 2.b. Password protecting GRUB
>
> GRUB supports two different ways of adding password protection to your
> boot loader. The first uses plain text, while the latter uses md5+salt
> encryption.
> ...
> Haven't used it though.
> HTH.Rumen

Rumen,
   Thanks, but they are just two versions of what I've already tried.
That password protection, as shown in the Gentoo Security Guide, only
password protects changing the way you boot each option. As shown in
the guide it does not protect which version you are allowed to boot.

Cheers,
Mark
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] grub passwords - how do I limit OS selection?

[Mark Knecht]

On 7/30/06, John J. Foster <Gentoo-User@festus.150ml.com> wrote:
> On Sun, Jul 30, 2006 at 07:09:41AM -0700, Mark Knecht wrote:
> > Hi,
> >   I would like to limit OS selection at boot time.
<SNIP>
>
> Mark,
>
> Unless I'm reading your needs wrong, I think you need the "lock" command
> as well as the "password" command.
>
> http://www.gnu.org/software/grub/manual/grub.html#password
> http://www.gnu.org/software/grub/manual/grub.html#lock
>
> HTH,
> festus

Festus,
   Thanks very much. It's a great solution for what I need.

   It does limit the use of Windows, which is what I wanted, until the
password is typed in. Once typed in it also seems to allow changing
the boot time options on Linux, but in my son's case I'm not the least
bit worried he's going to try anything there.

   Again, thanks very much for supplying a great solution.

Cheers,
Mark
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] grub passwords - how do I limit OS selection?

[John J. Foster]

[-- Attachment #1: Type: text/plain, Size: 895 bytes --]

On Sun, Jul 30, 2006 at 04:49:42PM -0700, Mark Knecht wrote:
> On 7/30/06, John J. Foster <Gentoo-User@festus.150ml.com> wrote:
>   Thanks very much. It's a great solution for what I need.
> 
>   It does limit the use of Windows, which is what I wanted, until the
> password is typed in. Once typed in it also seems to allow changing
> the boot time options on Linux, but in my son's case I'm not the least
> bit worried he's going to try anything there.
> 
Mark - from 

http://www.gnu.org/software/grub/manual/grub.html#Security

You can also use the command password instead of lock. In this case the
boot process will ask for the password and stop if it was entered
incorrectly. Since the password takes its own PASSWORD argument this is
useful if you want different passwords for different entries.

-- 
Ambition is a poor excuse for not having enough sense to be lazy.

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] grub passwords - how do I limit OS selection?

[Mark Knecht]

On 7/30/06, John J. Foster <Gentoo-User@festus.150ml.com> wrote:
> On Sun, Jul 30, 2006 at 04:49:42PM -0700, Mark Knecht wrote:
> > On 7/30/06, John J. Foster <Gentoo-User@festus.150ml.com> wrote:
> >   Thanks very much. It's a great solution for what I need.
> >
> >   It does limit the use of Windows, which is what I wanted, until the
> > password is typed in. Once typed in it also seems to allow changing
> > the boot time options on Linux, but in my son's case I'm not the least
> > bit worried he's going to try anything there.
> >
> Mark - from
>
> http://www.gnu.org/software/grub/manual/grub.html#Security
>
> You can also use the command password instead of lock. In this case the
> boot process will ask for the password and stop if it was entered
> incorrectly. Since the password takes its own PASSWORD argument this is
> useful if you want different passwords for different entries.
>

Festus,
   Thanks. Even better!

Cheers,
Mark
-- 
gentoo-user@gentoo.org mailing list