GRUB锁定密码

PaperDragon2025年1月19日...大约 2 分钟
GRUB锁定密码

该方法用于设置一个无法修改的用户密码，即使已经拥有root权限并且已经修改了密码，重启设备密码会自动恢复。
修改如下文件

L79-L88
[root@ubuntu grub2]# cat grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub2-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
set pager=1

if [ -s $prefix/grubenv ]; then
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="${saved_entry}"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

terminal_output console
if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=menu
  set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
  set timeout=5
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/00_tuned ###
set tuned_params=""
set tuned_initrd=""
### END /etc/grub.d/00_tuned ###

### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###

### BEGIN /etc/grub.d/10_linux ###
menuentry 'CentOS Linux (5.4.119-19-0006) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-5.4.119-19-0006-advanced-a96bb1f6-5e36-4743-8e86-8d3810f5ba85' {
	load_video
	set gfxpayload=keep
	insmod gzio
	insmod part_msdos
	insmod ext2
	set root='hd0,msdos2'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 --hint='hd0,msdos2'  cb7790e2-0c09-42e6-88eb-987694de829b
	else
	  search --no-floppy --fs-uuid --set=root cb7790e2-0c09-42e6-88eb-987694de829b
	fi
	linux16 /vmlinuz-5.4.119-19-0006 root=UUID=a96bb1f6-5e36-4743-8e86-8d3810f5ba85 ro mgag200.modeset=0 ixgbe.allow_unsupported_sfp=1 vga=0x317 intel_iommu=on iommu=pt pci=realloc nousbstorage crashkernel=auto rhgb quiet 
	initrd16 /initramfs-5.4.119-19-0006.img
}
menuentry 'CentOS Linux (3.10.0-1160.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-1160.el7.x86_64-advanced-a96bb1f6-5e36-4743-8e86-8d3810f5ba85' {
	load_video
	set gfxpayload=keep
	insmod gzio
	insmod part_msdos
	insmod ext2
	set root='hd0,msdos2'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 --hint='hd0,msdos2'  cb7790e2-0c09-42e6-88eb-987694de829b
	else
	  search --no-floppy --fs-uuid --set=root cb7790e2-0c09-42e6-88eb-987694de829b
	fi
	linux16 /vmlinuz-3.10.0-1160.el7.x86_64 root=UUID=a96bb1f6-5e36-4743-8e86-8d3810f5ba85 ro mgag200.modeset=0 ixgbe.allow_unsupported_sfp=1 vga=0x317 intel_iommu=on iommu=pt pci=realloc nousbstorage crashkernel=auto rhgb quiet 
	initrd16 /initramfs-3.10.0-1160.el7.x86_64.img
}
menuentry 'CentOS Linux (0-rescue-5737ebefe3cb44a2865fe1136b8df871) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-0-rescue-5737ebefe3cb44a2865fe1136b8df871-advanced-a96bb1f6-5e36-4743-8e86-8d3810f5ba85' {
	load_video
	insmod gzio
	insmod part_msdos
	insmod ext2
	set root='hd0,msdos2'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 --hint='hd0,msdos2'  cb7790e2-0c09-42e6-88eb-987694de829b
	else
	  search --no-floppy --fs-uuid --set=root cb7790e2-0c09-42e6-88eb-987694de829b
	fi
	linux16 /vmlinuz-0-rescue-5737ebefe3cb44a2865fe1136b8df871 root=UUID=a96bb1f6-5e36-4743-8e86-8d3810f5ba85 ro mgag200.modeset=0 ixgbe.allow_unsupported_sfp=1 vga=0x317 intel_iommu=on iommu=pt pci=realloc nousbstorage crashkernel=auto rhgb quiet 
	initrd16 /initramfs-0-rescue-5737ebefe3cb44a2865fe1136b8df871.img
}
if [ "x$default" = 'CentOS Linux (5.4.119-19-0006) 7 (Core)' ]; then default='Advanced options for CentOS Linux>CentOS Linux (5.4.119-19-0006) 7 (Core)'; fi;
### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/20_ppc_terminfo ###
### END /etc/grub.d/20_ppc_terminfo ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###