我刚刚读到在某些情况下您还应该通过设置密码来保护对 GRUB2 菜单的访问,并且可以通过添加--unrestricted或--users作为菜单项和子菜单的参数来优化访问。
我读了Ubuntu 社区文档和建筑维基。因此,我创建了/etc/grub.d/01_security,在其中存储了用户名和密码,使文件可执行并运行update-grub。这按预期工作,菜单中的每个操作都会提示输入用户名和密码,但我还想修改自动生成的条目,以将它们限制为特定用户(通过--users)或使它们对所有人都可用,但不是每个人都可以编辑(通过--unrestricted)。
我能够找到正确的行10_linux并进行相应的编辑,但是我希望看到更简单的解决方案。也许可以使用类似GRUB_DISABLE_RECOVERY="true"或 的选项GRUB_DISABLE_OS_PROBER=true来/etc/default/grub轻松(重新)配置(针对 linux 和 os-prober 生成的条目)。
这与我的 13.10 安装有区别:
$ diff /etc/grub.d/10_linux /etc/grub.d/10_linux_bak
123c123
< echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} --unrestriced \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^$
---
> echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_inde$
125c125
< echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} --unrestricted \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_$
---
> echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
323c323
< echo "submenu --unrestricted '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_$
---
> echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
总结:我希望看到一个简单的解决方案,用于解决没有密码就无法修改或仅限于特定用户的 GRUB2 条目。(是的,GRUB_DISABLE_RECOVERY="true"是活动的。)
答案1
好的,我发现 中的变量由中/etc/default/grub读取和导出。以下补丁是我所想的,希望它符合修改文件的质量要求和编码标准。 的补丁应该类似,希望明天发布。grub-mkconfig/usr/sbin/30_os-prober
如上所述,变量应以/etc/default/grub类似 so
GRUB_PWRESTRICTION_LINUX="--users user1"或 so 的方式定义GRUB_PWRESTRICTION_LINUX="--unrestricted"。
我期待您的反馈。
--- /usr/sbin/grub-mkconfig-orig 2013-10-19 11:22:56.653129020 +0200
+++ /usr/sbin/grub-mkconfig 2013-10-19 11:49:34.961392887 +0200
@@ -230,6 +230,12 @@
GRUB_ENABLE_CRYPTODISK \
GRUB_BADRAM \
GRUB_RECORDFAIL_TIMEOUT
+ GRUB_PWRESTRICTION_LINUX \
+ GRUB_PWRESTRICTION_OS_PROBER_LINUX \
+ GRUB_PWRESTRICTION_OS_PROBER_WINDOWS \
+ GRUB_PWRESTRICTION_OS_PROBER_MACOSX \
+ GRUB_PWRESTRICTION_OS_PROBER_EFI \
+ GRUB_PWRESTRICTION_OS_PROBER_HURD
if test "x${grub_cfg}" != "x"; then
rm -f "${grub_cfg}.new"
--- /etc/grub.d/10_linux-orig 2013-10-19 23:28:50.195071600 +0200
+++ /etc/grub.d/10_linux 2013-10-19 23:40:17.429375336 +0200
@@ -120,9 +120,17 @@
title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;"
grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")"
fi
- echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ if [ x"${GRUB_PWRESTRICTION_LINUX}" != x ]; then
+ echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} "${GRUB_PWRESTRICTION_LINUX}" \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ else
+ echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ fi
else
- echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ if [ x"${GRUB_PWRESTRICTION_LINUX}" != x ]; then
+ echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} "${GRUB_PWRESTRICTION_LINUX}" \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ else
+ echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ fi
fi
echo "recordfail" | sed "s/^/$submenu_indentation/"
if [ x$type != xrecovery ] ; then
@@ -320,7 +328,11 @@
boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
fi
# TRANSLATORS: %s is replaced with an OS name
- echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
+ if [ x"${GRUB_PWRESTRICTION_LINUX}" != x ]; then
+ echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' "${GRUB_PWRESTRICTION_LINUX}" \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
+ else
+ echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
+ fi
fi
linux_entry "${OS}" "${version}" advanced \