Disabling Grub 'recovery' mode/s during boot

Asked by ByrondlF

Kubuntu (FF) allows for root login in the Grub 'recovery' mode during boot. I don't like this feature because non-admin users will very quickly realize they can get admin access by just hitting the Esc key during boot. How can I (the sudo admin) turn this feature off? I myself, a kubuntu newbie, have never used root.

Question information

Language: English
Status: Solved
For: Ubuntu kdebase
Assignee: No assignee
Solved by: Hanusz leszek

KÜRŞAD SEZAİ TÜRKER (kursad.turker) said :
#1

Hello,

You should assign a password for Root and for recovery also. Could anybody tell us in a detailed way how we can change the setting on this side? (Sorry for giving a question as an answer to a question... :)

Yours sincerely

Best Hanusz leszek (leszek-skynet) said :
#2

Hello,

First you should know that removing the recovery mode won't stop any potential attacker who has physical access to the computer.
And it is probably a bad idea since you could need it if you have a problem later.

That being said, it is possible to remove this line.
Enter the following in a terminal:
sudo kate /boot/grub/menu.lst

then remove those lines where recovery mode is present (BE VERY CAREFUL, DON'T REMOVE YOUR NORMAL KERNELS):

title .......... (recovery mode)
root .........
kernel ..........
initrd ...........

then save the file

ByrondlF (byron-dlf) said :
#3

Thanks Hanusz leszek, that solved my question.

XXXXXXXXXXXX (xugular) said :
#4

Hi, I think there's a better solution, because the approach described above by Hanusz leszek will work only as long as you don't update your system to a new version of the kernel. If you update your kernel you will have to edit this file again.

To avoid that happening, use the " alternative " parameter in the AUTOMAGIC KERNEL LIST section of the grub's configuration file.

An alternative is known as any boot option of the kernel that is not the main one. The recovery mode falls in this category.

So, edit the Grub configuration file in /boot/grub/menu.lst. Type this in a terminal:

(in kubuntu)
$ sudo kate /boot/grub/menu.lst

(in ubuntu)
$ sudo gedit /boot/grub/menu.lst

In the section: ### BEGIN AUTOMAGIC KERNELS LIST set " alternative " to false. It should end up like this:

## should update-grub create alternative automagic boot options
## e.g. alternative=true
## alternative=false
# alternative=false

Note that in the automagic section the lines beginning with a '#' are not comments, so do not erase them. Comments in this section start with ##.

XXXXXXXXXXXX (xugular) said :
#5

I forgot: once you have saved this file, you have to make grub reload its configuration (this will rewrite menu.lst).

In a terminal type:

$ sudo update-grub

XXXXXXXXXXXX (xugular) said :
#6

Now I will describe a way to secure the recovery mode without disabling it. I will explain this quickly because I don't have enough time.

First enable password in the grub's configuration file (again, /boot/grub/menu.lst).

1. Make an md5-encrypted password

Type the command in terminal.

$ grub

Inside the grub console

grub> md5crypt
Password: *****
Encrypted: $1$z9iw0/$4BG5OPAUscGiehpg7E1Bg1
grub> quit

That strange line is an example of what your encrypted password should look like; save it.

2. Now add this line in the password section in menu.lst:

password --md5 $1$z9iw0/$4BG5OPAUscGiehpg7E1Bg1

3. Set lockalternative to true in the AUTOMAGIC KERNEL LIST SECTION

## should update-grub lock alternative automagic boot options
## e.g. lockalternative=true
## lockalternative=false
# lockalternative=true

That's it.

Also, if you want grub to display only your latest version of the kernel, set ' howmany ' to 1.

## controls how many kernels should be put into the menu.lst
## only counts the first occurence of a kernel, not the
## alternative kernel options
## e.g. howmany=all
## howmany=7
# howmany=1

Hope it's useful.
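
An added example, not part of any reply in this thread: a small shell audit that reads menu.lst and reports whether the recovery entries are disabled (reply #4), password-locked (reply #6) or still open. The function names and the sample file are constructed for illustration; it assumes that an unset directive means recovery entries are generated unlocked.

```sh
#!/bin/sh
# Added example: audit a GRUB legacy menu.lst for the recovery-mode settings
# discussed in this thread. Function names are hypothetical.

# Print the value of an update-grub directive. After the BEGIN AUTOMAGIC
# marker a directive starts with exactly one '#'; '##' lines are comments.
automagic_value() {  # usage: automagic_value FILE KEY
    sed -n '/^### BEGIN AUTOMAGIC KERNELS LIST/,$p' "$1" |
        sed -n "s/^#[[:space:]]*$2=\([^[:space:]]*\).*/\1/p" | tail -n 1
}

# True if an active (uncommented) md5 password line is present.
has_md5_password() {
    grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+[^[:space:]]+' "$1"
}

# Print one of: disabled | locked | lock-without-password | open
recovery_status() {
    alt=$(automagic_value "$1" alternative)
    lock=$(automagic_value "$1" lockalternative)
    if [ "$alt" = "false" ]; then
        echo disabled                 # reply #4: no recovery entries generated
    elif [ "$lock" = "true" ] && has_md5_password "$1"; then
        echo locked                   # reply #6: steps 1-3 all present
    elif [ "$lock" = "true" ]; then
        echo lock-without-password    # step 3 done, steps 1-2 missing
    else
        echo open                     # assumption: unset means unlocked
    fi
}

# Constructed sample file (placeholder hash, not a real one).
demo=$(mktemp)
cat > "$demo" <<'EOF'
password --md5 $1$PLACEHOLDER$notARealHashValue000000
### BEGIN AUTOMAGIC KERNELS LIST
## e.g. alternative=true
##      alternative=false
# alternative=true
## e.g. lockalternative=true
##      lockalternative=false
# lockalternative=true
EOF
echo "recovery entries: $(recovery_status "$demo")"
rm -f "$demo"
```

The audit reads only the directives, so its result describes the boot menu only after `sudo update-grub` has regenerated menu.lst, as reply #5 points out.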