Bootloader password - existing content found in /etc/grub.d/01_users

Question

I need to set a bootloader password and am apprehensive about changing the existing config (per warning about potentially making a system unbootable).

RH documentation says to add the following lines:

cat <<EOF
set superusers="john"
password john johnspassword
EOF

The current /etc/grub.d/01_users file already has this at the top:

#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root \${GRUB2_PASSWORD}
  fi
fi
EOF

Should I append the first part below the existing EOF, replace the existing content altogether, or something else?

Just went through this in a test install of rhel7 in VirtualBox. Replaced existing content in 01_users with the updated bit. Rebuilt grub image and rebooted. I have a boot loader password that works, and the systmem boots normally. — a coder, Feb 02 '16 at 20:32

score 1 · Accepted Answer · answered Sep 29 '16 at 12:08

Install grub2-tools, you will find /usr/sbin/grub2-setpassword in there. That is what the current contents are made for.

Running the grub2-setpassword binary will generate /boot/grub2/user.cfg containing:

GRUB2_PASSWORD=grub.pbkdf2.sha512.***

You can do this manually, just cat /usr/sbin/grub2-setpassword and see what actions to take. Basically run /usr/bin/grub2-mkpasswd-pbkdf2 and enter the content in the named user.cfg file.

Bootloader password - existing content found in /etc/grub.d/01_users

1 Answers1