After discovering and working around a bug in `grub2-set-password`, I am now able to set password protection for grub2 in Fedora 38. While this method asks for a password when trying to edit a grub menu entry with 'e', it does not stop a regular user from booting non-default grub entries.
Grub 2.06 documentation states that

> Superusers are permitted to use the GRUB command line, edit menu entries, and execute any menu entry.
The problem is the last action: stopping the execution of non-default menu entries without password. In Fedora 38, after password-protecting grub, a superusers group is indeed created, but I can still execute non-default menu entries without password.
So, the question is: How can the execution of non-default entries be password-protected in Fedora 38?
The grub documentation page above shows ways to interpret different `menuentry` lines in `grub.cfg` from the perspective of authentication. Unfortunately,

- Fedora generates `grub.cfg` from a set of files, and the resulting `grub.cfg` is not supposed to be edited directly.
- The resulting `grub.cfg` is cumbersome to interpret, and does not contain `menuentry` lines for the different entries.
- I have not found any documentation on how the execution of non-default entries should be done.
Edit. After doing some digging around, I can now see that password protection for grub menu entries is effectively disabled by each individual file in `/boot/loader/entries/`. Every file sets `grub_arg --unrestricted`, which according to Grub 2.06 documentation means that there is no restriction as to who can boot that entry. I also found a discussion indicating that Fedora patches grub to combine it with Boot Loader Specification (BLS). This suggests that the issue could be very much Fedora-specific. More information on this feature in Fedora can be found in the Fedora change description on BLS.
Edit 2. I can now also see that `grub_arg --unrestricted` has been hard-coded into the new version of `grubby`, which is just a bash script in F38.

So I guess I should make a feature request for Fedora. The question is: For non-default grub entries, how does one correctly override `grub_arg --unrestricted`, which is hard-coded into `grubby`?
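As an added example (not code from the original question, nor from Fedora or grubby), a POSIX shell audit that reads BLS entry files and reports which ones carry `grub_arg --unrestricted`, so the entries bootable without the superuser password can be listed before and after any override attempt. The sample entry files it builds are constructed, not copies of real Fedora files.

```shell
#!/bin/sh
# Added example, not code from the original question or from Fedora/grubby.
# Audits BLS entry files (/boot/loader/entries/*.conf) for "grub_arg --unrestricted",
# which lets any user boot that entry without the GRUB superuser password.

# Print "<file> unrestricted" or "<file> restricted" for every *.conf in $1.
audit_bls_entries() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^grub_arg[[:space:]]+.*--unrestricted' "$f"; then
            echo "$(basename "$f") unrestricted"
        else
            echo "$(basename "$f") restricted"
        fi
    done
}

# Count how many entries in $1 can be booted without a password.
count_unrestricted() {
    audit_bls_entries "$1" | grep -c ' unrestricted$' || true
}

# Build a constructed sample directory (not real Fedora files) with one
# unrestricted kernel entry and one entry that lacks grub_arg entirely.
make_sample_entries() {
    tmp=$(mktemp -d)
    cat > "$tmp/fedora-6.2.conf" <<'EOF'
title Fedora Linux (6.2.0) 38
linux /vmlinuz-6.2.0
initrd /initramfs-6.2.0.img
options root=/dev/mapper/root ro
grub_arg --unrestricted
grub_class fedora
EOF
    cat > "$tmp/fedora-rescue.conf" <<'EOF'
title Fedora Linux rescue
linux /vmlinuz-0-rescue
initrd /initramfs-0-rescue.img
options root=/dev/mapper/root ro
grub_class fedora
EOF
    echo "$tmp"
}

# Usage: audit a real directory when one is given, e.g. /boot/loader/entries.
if [ -n "${1:-}" ]; then
    audit_bls_entries "$1"
fi
```

Run it as `sh audit.sh /boot/loader/entries` on a Fedora 38 box to see every entry that grubby marked unrestricted.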