GRUB2: gaining root without a password

The problem

GRUB2, by default, does not protect against configuration changes.

To temporarily change the default GRUB2 configuration, you:

  1. Power on the machine
  2. Continouosly tap the ESC key (or maybe hold down the Shift key)
  3. Get to the GRUB2 screen
  4. Press “e”

The exploit(s)

As you can imagine, modifying the boot options used is not ideal. For starters, someone could boot a malicious USB drive (if Secure Boot is enabled) and do all sort of bad stuff.

The easiest method to gain control of the machine, however, is by directly booting into a BASH shell. This is done by hijacking the init process and replacing it with the path to the shell, i.e. /bin/bash:

  1. Power on the machine
  2. Continouosly tap the ESC key
  3. Get to the GRUB2 screen GRUB2 selection screen
  4. Press “e” GRUB2 configuration editing screen
  5. Find the line starting with “linux” GRUB2 configuration editing screen
  6. Append init=/bin/bash GRUB2 configuration editing screen
  7. Press Ctrl+x or F10 to boot

Shutting down

After booting, you might’ve tried to shut down or reboot the machine, only to see a message similar to the following:

System has not been booted with systemd as init system (PID 1).

This happens because init is supposed to take care of shutting down or rebooting the system. However, we have hijacked it and made it /bin/bash, so what if you can’t find the power button, or are working remotely?

The fast and easy fix is to press or send the key combination of Ctrl+Alt+Del, this will immediately shut down (or reboot, depending on the configuration) the machine.

The solution

To fix this, there is, generally speaking, only one reliable solution: setting a password for editing the configuration.

You might also want to disable the recovery boot option by editing /etc/default/grub and setting GRUB_DISABLE_RECOVERY=true.

Setting a password:

https://wiki.archlinux.org/title/GRUB/Tips_and_tricks#Password_protection_of_GRUB_menu