From 0fff9e7e354e97c4857ee4299ad5124d4f2b6180 Mon Sep 17 00:00:00 2001
From: Paul Menzel
Date: Fri, 29 Nov 2019 13:43:22 +0100
Subject: [PATCH] mxgrub: Restrict entry editing and command line prompt

Remove `--unrestricted` from the Linux boot entries, as that allows to edit the entries. Allowing unrestricted access to a submenu allows unprivileged users to enter the command-line interface by pressing the key *c*. So, restrict the access. As a result, only the default Linux kernel can be started without entering credentials.
[1]: https://www.gnu.org/software/grub/manual/grub/grub.html#Security
[2]: https://philosophos.github.io/articles/20170304~Password-Protection-of-GRUB-Menu/
---
 mxgrub/mxgrub | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/mxgrub/mxgrub b/mxgrub/mxgrub
index 48d579e9..07e7dbd4 100755
--- a/mxgrub/mxgrub
+++ b/mxgrub/mxgrub
@@ -249,7 +249,7 @@ sub update_grub_cfg {
 for my $label (@MARIUX) {
 my $image=label_to_image($label);
- $kernellist.="\tmenuentry \"$label\" --unrestricted { save_env chosen ; linux /boot/$image root=LABEL=root $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }\n";
+ $kernellist.="\tmenuentry \"$label\" { save_env chosen ; linux /boot/$image root=LABEL=root $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }\n";
 }
 my $GRUB_CFG_NEW=<<"EOF";
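Review bot: Dropping `--unrestricted` from the per-kernel entries built in the `for my $label (@MARIUX)` loop only has an effect when the generated grub.cfg also sets `superusers` and a matching password, and nothing in this hunk shows that; GRUB enforces authentication only when `superusers` is defined. Once it is defined, these entries carry neither `--unrestricted` nor `--users`, so only superusers can boot a non-default kernel. I would state that above the loop, e.g. `# No --unrestricted/--users: with "superusers" set, only superusers may boot these entries.` The same dependency applies to the `mariuxUSB` and `submenu` changes in the second hunk. `update_grub_cfg` starts and ends outside the hunk, so the `superusers` definition may exist further down.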
@@ -266,12 +266,12 @@ insmod all_video
 if [ -e /etc/local/USB.usb ]; then
 set default="mariuxUSB"
- menuentry "mariuxUSB" --unrestricted { save_env chosen ; linux /boot/bzImage.x86_64 root=LABEL=rootusb $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }
+ menuentry "mariuxUSB" { save_env chosen ; linux /boot/bzImage.x86_64 root=LABEL=rootusb $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }
 else
 menuentry "$MARIUX_DEFAULT" --unrestricted { set chosen="$submenu>$MARIUX_DEFAULT" ; save_env chosen ; linux /boot/bzImage.x86_64 root=LABEL=root $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }
-submenu "$submenu" --unrestricted {
+submenu "$submenu" {
 $kernellist
 }
 if [ \$chosen ]; then
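Review bot: In the USB branch, `set default="mariuxUSB"` now selects an entry that no longer has `--unrestricted`, so with `superusers` set a machine carrying `/etc/local/USB.usb` will stop at the credential prompt instead of booting unattended. That differs from the commit message, which says the default kernel still starts without credentials; only the `$MARIUX_DEFAULT` entry in the `else` branch keeps the flag. If the prompt on USB boots is intended, say so in the generated config, e.g. `# mariuxUSB needs GRUB credentials; USB boots are not unattended`. The `if [ \$chosen ]` block continues outside the hunk; if it makes a saved submenu entry the default, that boot would presumably wait for a password as well.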