Setting a Grub password

I read the post: Grub password and login name not being prompted, but it’s autolocked - hence a new one. :slight_smile:

So, I tried to set the Grub pwd, following the guide at: System Startup - Documentation

Like in the other post, I didn’t get prompted at reboot.

The page says: “This command only supports configurations with a single root user.”, and I have root + my user. Maybe it’s that?

…or, there were differences in the output.

    ### From the guide
    # grub2-mkconfig -o /boot/grub2/grub.cfg
    Generating grub configuration file ...
    Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
    Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
    Found linux image: /boot/vmlinuz-0-rescue-f9725b0c842348ce9e0bc81968cf7181
    Found initrd image: /boot/initramfs-0-rescue-f9725b0c842348ce9e0bc81968cf7181.img
    done

    ### From my output
    # grub2-mkconfig -o /boot/grub2/grub.cfg
    Generating grub configuration file ...
    done

Any ideas?

// btw: The guide says: “Remove -unrestricted from …
when it should say --unrestricted. But, if I’m not wrong - a lot of web/blog tools are causing that, rendering -- into -.

No this wouldn’t be it.

I think the documentation may need some changes. grub2-mkconfig is unnecessary when adding a grub password using grub2-setpassword.

When you want protection in modifying and booting menu entries, you need to make one more change.

    % grub2-editenv - set grub_users="root"

You can then verify that grub_users are in /boot/loader/entries/*.conf


Aah, thank you! I’ll try that. :+1:

I ran cat on those /boot/loader/entries/*.conf now, and I noticed all the grub_arg --unrestricted.

If I removed that, like the guide said, in:

    # vim /etc/grub.d/10_linux
    #CLASS="--class gnu-linux --class gnu --class os --unrestricted"
    CLASS="--class gnu-linux --class gnu --class os"

So, shouldn’t they be gone?

Maybe I missed a step… I think I set the pwd 1st, then removed the --unrestricted. The guide says the other way around - thinking it doesn’t matter, and it’ll update everything when running grub2-mkconfig.

Worked fine, and after the Grub menu, when it starts the selected one - a login prompt showed up. :+1:

However, it still says…

    # cat /boot/loader/entries/*.conf
    …
    grub_users $grub_users
    grub_arg --unrestricted
    …

Well, at least it works. :slight_smile:

Thank you! :+1:

The grub.cfg sources file user.cfg. That defines GRUB2_PASSWORD. That is where the grub2-setpassword should store the (hashed) password.
The grub.cfg sets superusers="root"

When password is set, both edit of entry and boot do require the password.
The effect of --unrestricted is that one can boot without password.

Note: The osprober does not add --unrestricted if it creates entry for Windows.

It is the grubby and/or kernel-install that adds

    grub_users $grub_users
    grub_arg --unrestricted

to the BLS entries.
In fact, the latter probably calls /usr/lib/kernel/install.d/20-grub.install which does:

    cat <<EOF
    title ${NAME} (${kernelver}) ${VERSION}${debugname}
    version ${kernelver}${debugid}
    linux /vmlinuz-${kernelver}
    initrd /initramfs-${kernelver}.img
    options ${kernelopts}
    grub_users \$grub_users
    grub_arg --unrestricted
    grub_class ${ID}
    EOF

That seems hard-coded.
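
Added example, not part of any post in this thread: a read-only audit that reports the three things discussed above, namely whether user.cfg defines GRUB2_PASSWORD, what grub_users is set to in the GRUB environment block, and which BLS entries carry `grub_arg --unrestricted`. The function names and the prefix argument are hypothetical, the locations /boot/grub2/user.cfg and /boot/grub2/grubenv are assumed and may differ per system, and the fixture is constructed sample data.

```shell
#!/bin/sh
# Added example: read-only audit of the GRUB password pieces named in this thread.
# Paths below are assumed locations; the first argument is a hypothetical root prefix.

# "set" if user.cfg defines a hashed GRUB2_PASSWORD, else "unset".
grub_password_state() {
    if grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.' "$1/boot/grub2/user.cfg" 2>/dev/null
    then echo set; else echo unset; fi
}

# Value of grub_users stored in grubenv (empty when it was never set).
grubenv_users() {
    sed -n 's/^grub_users=//p' "$1/boot/grub2/grubenv" 2>/dev/null
}

# One line per BLS entry: "<file> users=<yes|no> unrestricted=<yes|no>".
bls_entries() {
    for f in "$1"/boot/loader/entries/*.conf; do
        [ -f "$f" ] || continue
        u=no; a=no
        grep -q '^grub_users[[:space:]]' "$f" && u=yes
        grep -Eq '^grub_arg[[:space:]].*--unrestricted' "$f" && a=yes
        echo "${f##*/} users=$u unrestricted=$a"
    done
}

# Single summary line suitable for a compliance check or a cron report.
audit_summary() {
    n=$(bls_entries "$1" | wc -l | tr -d ' ')
    k=$(bls_entries "$1" | grep -c 'unrestricted=yes' || true)
    echo "password=$(grub_password_state "$1") grub_users=$(grubenv_users "$1") entries=$n unrestricted_arg=$k"
}

# Constructed fixture (not real data): a fake /boot tree in a temp directory.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/boot/grub2" "$d/boot/loader/entries"
    echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.CONSTRUCTED.CONSTRUCTED' >"$d/boot/grub2/user.cfg"
    printf '# GRUB Environment Block\ngrub_users=root\n' >"$d/boot/grub2/grubenv"
    printf 'title A\ngrub_users $grub_users\ngrub_arg --unrestricted\n' >"$d/boot/loader/entries/a.conf"
    printf 'title B\ngrub_users $grub_users\n' >"$d/boot/loader/entries/b.conf"
    echo "$d"
}

# Stand-alone use: sh audit.sh /   (reading /boot usually needs root)
if [ -n "${1:-}" ]; then audit_summary "$1"; bls_entries "$1"; fi
```

Running it before and after `grub2-setpassword` and `grub2-editenv - set grub_users="root"` shows which of the pieces changed, without modifying anything under /boot.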

Cleaning up my notes, and thought I’d ask before I forget.

If I want to reverse this change later, i.e. stepping it backwards…

What would be the correct user/parameter to use with grub2-editenv. Like:

    % grub2-editenv - set grub_users="$grub_users"

    # Or maybe if it's supposed to be hard coded
    % grub2-editenv - set grub_users="\$grub_users"

Not that I plan to, but I want to plan how to do it, in case I want/need to do it later.