KrnlPanic's Linux Notes and Tips

Working with Linux since kernel version 2.0.30

RHEL7 / Centos grub2 boot password

Grub2 is the bootloader on Red Hat Enterprise Linux 7 and CentOS 7. It stores the kernel boot parameters and lets a user at the console edit the kernel command line before the kernel starts. Any user with local console access can therefore interrupt the bootloader, edit the kernel command line to boot into single user mode, and land in a root shell without knowing the root password. This gives the attacker root access to the system even if they are not authorized to have it!

To prevent this, a password can be set on the Grub bootloader by performing the following steps.

Create a password hash
# grub-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.380AD91E6C36BB4018B5CABDAFF5CABC52A16B6EFF503B6BB2E21199C006C526AEE3A2FF8CF41F9A07AEFB1E8E2275ABB44C41B1429B9C5D509786E2B57A51DA.989F1E9FAC061899E1BB8CB38D2119B26E6CE79A5CBB637E5A611AE099EBBF7CD9BCF1A3EC516CE0E4AD007B7DF8E679220BC845E07E440F134DED2537081F54

Copy the hash that is generated (on RHEL7 / CentOS 7 the tool is installed as grub2-mkpasswd-pbkdf2, with the same grub2- prefix as grub2-mkconfig below) and create an entry in the 40_custom config file

cd /etc/grub.d
vi 40_custom

Enter the following lines at the end of the file:

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.380AD91E6C36BB4018B5CABDAFF5CABC52A16B6EFF503B6BB2E21199C006C526AEE3A2FF8CF41F9A07AEFB1E8E2275ABB44C41B1429B9C5D509786E2B57A51DA.989F1E9FAC061899E1BB8CB38D2119B26E6CE79A5CBB637E5A611AE099EBBF7CD9BCF1A3EC516CE0E4AD007B7DF8E679220BC845E07E440F134DED2537081F54

Now execute the command to regenerate the grub2 config file so that it includes the new password entry (on a UEFI system the config is /etc/grub2-efi.cfg instead):

grub2-mkconfig -o /etc/grub2.cfg

And finally, reboot your system, and when presented with the list of kernel boot options, press ‘e’ to edit, and you should be prompted for a username and password. It is worth checking the regenerated config as well: menu entries that carry --unrestricted boot without the password and only require it for editing, while entries without that flag will not boot at all until the password is entered, so confirm that unattended reboots still work. Keep in mind that a Grub password only protects the Grub menu; it does nothing against booting from other media or pulling the disk, which calls for a BIOS/UEFI password and disk encryption.
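As an added example (my own shell helpers, not code from the original post or from Red Hat), the functions below wrap the steps above so they can be tried against scratch copies of 40_custom and grub.cfg before touching /etc/grub.d. They validate that the pasted string really is a grub.pbkdf2 hash (pasting the plaintext password is a common mistake), append the superusers stanza only once, and audit a generated grub.cfg for the password lines and for how many entries are --unrestricted. The function names and the file paths passed in are assumptions; the hash format assumed is the grub.pbkdf2.sha512.<iterations>.<salt>.<hash> string printed by grub2-mkpasswd-pbkdf2.

```bash
#!/bin/bash
# Added example, not from the original post: helpers for the GRUB2 password
# procedure. Every function takes the file it works on as an argument, so it
# can be exercised on scratch copies before being run against /etc/grub.d.
# Assumption: the hash is the string printed by grub2-mkpasswd-pbkdf2, of the
# form grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>.

# Return 0 if $1 looks like a grub.pbkdf2 hash string. A plaintext password
# pasted by mistake is rejected, which is the most common way this step goes wrong.
grub_hash_is_valid() {
    printf '%s\n' "$1" | grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'
}

# Append the superusers/password_pbkdf2 stanza to a 40_custom-style script.
#   $1 = path to 40_custom   $2 = GRUB user name   $3 = PBKDF2 hash
# Refuses a malformed hash and refuses to add a second "set superusers" line.
grub_add_superuser() {
    local file=$1 user=$2 hash=$3
    if ! grub_hash_is_valid "$hash"; then
        echo "grub_add_superuser: '$hash' is not a grub.pbkdf2 hash" >&2
        return 1
    fi
    if grep -q '^set superusers=' "$file" 2>/dev/null; then
        echo "grub_add_superuser: $file already sets superusers" >&2
        return 2
    fi
    printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' "$user" "$user" "$hash" >> "$file"
}

# Return 0 if a generated grub.cfg contains both the superusers line and a
# password_pbkdf2 line, i.e. grub2-mkconfig actually picked up 40_custom.
grub_cfg_has_password() {
    grep -q '^set superusers=' "$1" && grep -q '^password_pbkdf2 ' "$1"
}

# Print how many menuentry lines carry --unrestricted. Those entries boot
# without the password (it is only needed to edit them); entries without the
# flag will not boot until the password is entered, which can break unattended
# reboots.
grub_count_unrestricted() {
    grep -c '^menuentry .*--unrestricted' "$1" || true
}

# Use on a live system (as root), after running grub2-mkpasswd-pbkdf2
# interactively and copying the hash it prints:
#   grub_add_superuser /etc/grub.d/40_custom root 'grub.pbkdf2.sha512.10000.<salt>.<hash>'
#   grub2-mkconfig -o /etc/grub2.cfg
#   grub_cfg_has_password /etc/grub2.cfg && echo "password stanza present"
#   echo "$(grub_count_unrestricted /etc/grub2.cfg) entries boot without a password"
```

Run the audit functions against the config that grub2-mkconfig actually wrote (/etc/grub2.cfg or /etc/grub2-efi.cfg); a zero count from grub_count_unrestricted means every entry, including the rescue kernel, will wait for the password at boot.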