Why you need to password protect GRUB

In an earlier post I showed how to password protect the GRUB boot loader, but didn’t go into detail why it’s necessary. Without password protection, GRUB can be used to bypass the normal password login, and open a shell as root. While that can be useful, it’s something that definitely should have limited access.

When starting the machine, enter into the GRUB menu; pressing e will open the editor:

Scroll to the line that begins with linux and add init=/bin/sh

Ctrl-x will continue with the boot process, and we are taken to a shell as root! And from here any sort of nonsense and bad stuff could happen.

As you can see, if the GRUB boot loader isn’t password protected from editing, it can easily be used to circumvent the normal login process. However, this shell is also useful when you need to recover a system you have been accidentally locked out of or otherwise misconfigured. Don’t try this out unless you are authorized to, and be careful when making changes to GRUB, you can make a mess quite easily.