mxgrub: Restrict entry editing and command line prompt

Remove `--unrestricted` from the Linux boot entries, as that allows to edit the entries. Allowing unrestricted access to a submenu allows unprivileged users to enter the command-line interface by pressing the key *c*. So, restrict the access. As a result, only the default Linux kernel can be started without entering credentials. [1]: https://www.gnu.org/software/grub/manual/grub/grub.html#Security [2]: https://philosophos.github.io/articles/20170304~Password-Protection-of-GRUB-Menu/
mariux64 · Nov 29, 2019 · 0fff9e7 · 0fff9e7
1 parent 5d425a9
commit 0fff9e7
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/mxgrub/mxgrub b/mxgrub/mxgrub
@@ -249,7 +249,7 @@ sub update_grub_cfg {
 
 	for my $label (@MARIUX) {
 		my $image=label_to_image($label);
-		$kernellist.="\tmenuentry \"$label\" --unrestricted { save_env chosen ; linux /boot/$image root=LABEL=root $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }\n";
+		$kernellist.="\tmenuentry \"$label\" { save_env chosen ; linux /boot/$image root=LABEL=root $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }\n";
 	}
 
 	my $GRUB_CFG_NEW=<<"EOF";
@@ -266,12 +266,12 @@ insmod all_video
 
 if [ -e /etc/local/USB.usb ]; then
 	set default="mariuxUSB"
-	menuentry "mariuxUSB" --unrestricted { save_env chosen ; linux /boot/bzImage.x86_64 root=LABEL=rootusb $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }
+	menuentry "mariuxUSB" { save_env chosen ; linux /boot/bzImage.x86_64 root=LABEL=rootusb $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }
 else
 
 menuentry "$MARIUX_DEFAULT" --unrestricted { set chosen="$submenu>$MARIUX_DEFAULT" ; save_env chosen ; linux /boot/bzImage.x86_64 root=LABEL=root $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }
 
-submenu "$submenu" --unrestricted {
+submenu "$submenu" {
 $kernellist
 }
        if [ \$chosen ]; then