New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support locking down grub with a password #1597

Closed
marineam opened this Issue Oct 5, 2016 · 2 comments

Comments

Projects
None yet
4 participants
@marineam

marineam commented Oct 5, 2016

From email:

I am using coreos on vSphere ESXi and I'm trying to prevent edits to grub menu entries.
One of the use cases is to prevent a user with access to console from setting coreos.autologin.

After securing grub (/usr/share/oem/grub.cfg) with a password, I'm noticing that even executing the menu entries requires authentication.
I'm looking to secure grub such that editing via grub menu is prevented but executing is not. In other words, I should be able to boot to coreos without having to authenticate.

After some further digging, perhaps the grub menu entries are missing a --unrestricted option?

Restricting access to editing the command line would also be applicable to systems locked down by secure boot.

@jhawkins1

This comment has been minimized.

jhawkins1 commented Jan 23, 2017

Any timeline on when this issue may get resolved? If this just needs a Developer to do the fix, we can do this and request a pull.

@bgilbert

This comment has been minimized.

Member

bgilbert commented May 23, 2018

This should be fixed in 1786.0.1, due shortly. Thanks for reporting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment