I have never tried to implement this feature in RHEL7.x, RHEL8.x, nor RHEL9.x.
I would like to work with it for security purposes to learn about it and how to master interaction with it.
What commands, what files, on what specific lines (beginning to end) do I need to modify in order to force RHEL9 menu entries to be --restricted, please?
I cannot find anything poignant on this topic, not even at RedHat.com.
GNU GRUB Manual 2.12 does not mention `--restricted`, but does show `--unrestricted` and `--users`.

The boot loader entry for a new kernel is created by `grubby`. Well, it actually calls `kernel-install` from `systemd-udev`. That in turn uses `/usr/lib/kernel/install.d/20-grub.install`, which is hardcoded to inject `grub_arg --unrestricted` into the entry. Hence entries for all kernels have `--unrestricted`.

If `grub2-mkconfig`'s `/etc/grub.d/30_os-prober` adds a chainloader for, e.g., Windows, those entries do not have `--unrestricted`. Therefore, on a dual-boot machine that sets `GRUB2_PASSWORD` in `/boot/grub2/user.cfg`, all the Alma kernels boot without authorization, but booting the Windows entry does require the password.

In other words, you want to avoid the `--unrestricted`. Touching the `/usr/lib/kernel/install.d/20-grub.install` does not seem healthy, but you obviously can update the entries in `/boot/loader/entries/` to strip out the `grub_arg --unrestricted`.
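Added example for the last step above (not code from this thread): a small bash script that lists the BLS entries under `/boot/loader/entries` carrying `grub_arg --unrestricted` and strips that token, deleting the line when nothing else remains. It assumes the entries are `*.conf` files with a `grub_arg` line of the form 20-grub.install writes; because that script re-injects the argument on every kernel install, the audit needs re-running after kernel updates.

```bash
#!/bin/bash
# Added example, not part of the forum post or of any distro tooling.
# Assumes BLS entries are <dir>/*.conf and that the unrestricted marker is a
# line starting with "grub_arg" containing the token "--unrestricted",
# as injected by /usr/lib/kernel/install.d/20-grub.install.

# Print the entry files whose grub_arg line contains --unrestricted.
# With GRUB2_PASSWORD set, exactly these entries still boot without a password.
list_unrestricted() {
    local dir="${1:-/boot/loader/entries}"
    grep -l -E '^grub_arg[[:space:]]+.*--unrestricted' "$dir"/*.conf 2>/dev/null || true
}

# Remove the --unrestricted token from every grub_arg line in the directory.
# Other grub_arg tokens (e.g. --users root) are preserved; a grub_arg line that
# held nothing else is deleted. Each changed file is backed up as <name>.conf.bak.
strip_unrestricted() {
    local dir="${1:-/boot/loader/entries}"
    local f
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        grep -q -E '^grub_arg[[:space:]]+.*--unrestricted' "$f" || continue
        cp -p "$f" "$f.bak"
        sed -i -E \
            -e '/^grub_arg[[:space:]]+/ s/[[:space:]]*--unrestricted([[:space:]]|$)/\1/' \
            -e '/^grub_arg[[:space:]]*$/d' \
            "$f"
    done
}

# Usage (as root): list_unrestricted; then strip_unrestricted once satisfied.
```

Run `list_unrestricted` again afterwards: an empty result means every entry now requires the GRUB2_PASSWORD, Alma kernels included.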
@jlehtone thank you sir.
I was reading this article from 2019, "How to lock down a specific operating system in grub".
I did observe that no matter what changes I made to the 30-os_prober file, there never were any kernel options in the GRUB2 menu with a '--unrestricted' listed, which caught my eye too.
So, I am guessing based on your feedback that '--unrestricted' has been deprecated for implicitly being in place, whereas '--restricted' is explicitly implemented?
The author of that 2019 answer uses "--restricted" once and not in any of the examples. I bet that the author made a typo and did intend to write "--unrestricted".

As I said, there is no "--restricted" in the GRUB manual. Probably never has been. Not a thing.

The `/boot/grub2/grub.cfg` (in EL) sources `/boot/grub2/user.cfg` (if that exists). If it does get the variable `GRUB2_PASSWORD`, then grub.cfg sets a password.

- If no password is set, then an anonymous user can boot and edit any boot entry
- If a password is set, then an anonymous user can boot only entries that contain `--unrestricted`, and not edit any entries

Apparently Fedora and RHEL have `--unrestricted` hardcoded in the entries for the distro's kernels (but not for entries of other OS). The `--unrestricted` is not deprecated.
Thanks @jlehtone, I am going to close this post out then.
I do remember seeing '--restricted' 7+ years ago too, so who knows.
Thanks again.