寻求更好的解决方案来限制 GRUB2 菜单的访问

寻求更好的解决方案来限制 GRUB2 菜单的访问

我刚刚读到在某些情况下您还应该通过设置密码来保护对 GRUB2 菜单的访问,并且可以通过添加--unrestricted--users作为菜单项和子菜单的参数来优化访问。

我读了Ubuntu 社区文档建筑维基。因此,我创建了/etc/grub.d/01_security,在其中存储了用户名和密码,使文件可执行并运行update-grub。这按预期工作,菜单中的每个操作都会提示输入用户名和密码,但我还想修改自动生成的条目,以将它们限制为特定用户(通过--users)或使它们对所有人都可用,但不是每个人都可以编辑(通过--unrestricted)。

我能够找到正确的行10_linux并进行相应的编辑,但是我希望看到更简单的解决方案。也许可以使用类似GRUB_DISABLE_RECOVERY="true"或 的选项GRUB_DISABLE_OS_PROBER=true/etc/default/grub轻松(重新)配置(针对 linux 和 os-prober 生成的条目)。

这与我的 13.10 安装有区别:

$ diff /etc/grub.d/10_linux /etc/grub.d/10_linux_bak
123c123
<       echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} --unrestriced \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^$
---
>       echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_inde$
125c125
<       echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} --unrestricted \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_$
---
>       echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
323c323
<     echo "submenu --unrestricted '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_$
---
>     echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"

总结:我希望看到一个简单的解决方案,用于解决没有密码就无法修改或仅限于特定用户的 GRUB2 条目。(是的,GRUB_DISABLE_RECOVERY="true"是活动的。)

答案1

好的,我发现 中的变量由中/etc/default/grub读取和导出。以下补丁是我所想的,希望它符合修改文件的质量要求和编码标准。 的补丁应该类似,希望明天发布。grub-mkconfig/usr/sbin/30_os-prober

如上所述,变量应以/etc/default/grub类似 so GRUB_PWRESTRICTION_LINUX="--users user1"或 so 的方式定义GRUB_PWRESTRICTION_LINUX="--unrestricted"

我期待您的反馈。

--- /usr/sbin/grub-mkconfig-orig    2013-10-19 11:22:56.653129020 +0200
+++ /usr/sbin/grub-mkconfig 2013-10-19 11:49:34.961392887 +0200
@@ -230,6 +230,12 @@
   GRUB_ENABLE_CRYPTODISK \
   GRUB_BADRAM \
   GRUB_RECORDFAIL_TIMEOUT
+  GRUB_PWRESTRICTION_LINUX \
+  GRUB_PWRESTRICTION_OS_PROBER_LINUX \
+  GRUB_PWRESTRICTION_OS_PROBER_WINDOWS \
+  GRUB_PWRESTRICTION_OS_PROBER_MACOSX \
+  GRUB_PWRESTRICTION_OS_PROBER_EFI \
+  GRUB_PWRESTRICTION_OS_PROBER_HURD

 if test "x${grub_cfg}" != "x"; then
   rm -f "${grub_cfg}.new"
--- /etc/grub.d/10_linux-orig   2013-10-19 23:28:50.195071600 +0200
+++ /etc/grub.d/10_linux    2013-10-19 23:40:17.429375336 +0200
@@ -120,9 +120,17 @@
      title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;"
      grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")"
       fi
-      echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+      if [ x"${GRUB_PWRESTRICTION_LINUX}" != x ]; then
+        echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} "${GRUB_PWRESTRICTION_LINUX}" \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+      else
+        echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+      fi
   else
-      echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+      if [ x"${GRUB_PWRESTRICTION_LINUX}" != x ]; then
+        echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} "${GRUB_PWRESTRICTION_LINUX}" \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+      else
+        echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+      fi
   fi      
   echo "recordfail" | sed "s/^/$submenu_indentation/"
   if [ x$type != xrecovery ] ; then
@@ -320,7 +328,11 @@
    boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
     fi
     # TRANSLATORS: %s is replaced with an OS name
-    echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
+    if [ x"${GRUB_PWRESTRICTION_LINUX}" != x ]; then
+      echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' "${GRUB_PWRESTRICTION_LINUX}" \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
+    else
+      echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
+    fi
   fi

   linux_entry "${OS}" "${version}" advanced \

相关内容