I’m setting up some Red Hat VMs and I thought I’d add a grub password to get access to the recovery boot options that would automatically log you in as root. There frankly isn’t a lot of value to it – it’s a very minor obstacle for an attacker with half a clue, but what the heck, I thought – it doesn’t cost much.
Or so I thought. RHEL (Red Hat Enterprise Linux) 6 still uses the “GRUB legacy” bootloader (RHEL 7, in beta, finally makes the leap to GRUB2). But the example of how to specify a secondary password-protected boot menu just wasn’t working.
password PASSWORD /boot/grub/menu-admin.lst
My problem was that /boot was its own partition and the config specified a root parameter that rendered all filepaths relative to /boot, so I needed /grub/menu-admin.lst instead. The documentation isn’t actually wrong, but it could stand to lean on this point a lot more heavily: putting /boot on its own partition has been the norm for a long time.
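A check for the mismatch described above, added here as an example and not part of the original post: the hypothetical helper `check_grub_menu_paths` reads a GRUB legacy config and confirms that each menu file named on a `password` line exists when resolved against the filesystem GRUB's `root` points at. It assumes that filesystem is mounted and its mount point is passed as the second argument, and that `password` lines use the whitespace-separated form.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_grub_menu_paths is a hypothetical helper name.
#
# usage: check_grub_menu_paths GRUB_CONF BOOT_FS_MOUNT
#   e.g. check_grub_menu_paths /boot/grub/grub.conf /boot
#
# GRUB legacy resolves file paths relative to the partition selected by
# "root", not relative to the running system's "/". When /boot is its own
# partition, /boot/grub/menu-admin.lst on the running system is
# /grub/menu-admin.lst as far as GRUB is concerned.
check_grub_menu_paths() {
    conf=$1
    bootfs=${2%/}
    status=0
    while read -r cmd rest; do
        [ "$cmd" = "password" ] || continue
        # Split the arguments and drop leading options such as --md5.
        set -- $rest
        while [ $# -gt 0 ]; do
            case $1 in
                --*) shift ;;
                *) break ;;
            esac
        done
        # $1 is now the password or hash, $2 the optional menu file.
        [ $# -ge 2 ] || continue
        file=$2
        if [ -f "$bootfs$file" ]; then
            echo "OK $file"
        else
            status=1
            # Typical cause: the path was written as seen from the running
            # system, so it carries a /boot prefix GRUB does not know about.
            alt=${file#/boot}
            if [ "$alt" != "$file" ] && [ -f "$bootfs$alt" ]; then
                echo "MISSING $file (use $alt)"
            else
                echo "MISSING $file"
            fi
        fi
    done < "$conf"
    return $status
}
```

The function returns non-zero if any referenced menu file cannot be found from GRUB's point of view, so it can gate a provisioning step.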
Googling around, I found page after page of “How to configure grub” articles including the example from the manual, and not a damn one of them mentioned this point. Not even when the rest of their example configurations did the same thing as mine and would have had the same problem, i.e., not a damn one of the authors had actually tried it. They were just regurgitating documentation to puff up their article count.
Here’s my pledge of quality: I don’t give a damn about my article count.