static configuration flag

[Sven Jaborek]

Hello grub devels,

i've got a question about grubs role in the security of a computer boot
up.

I recently learned that i can gather root-previlidges without a root
password on allmost every linux default installation out there. Just
pressing e and edit the kernel commands and add init=/bin/bash.
I also was told that the way to avoid this is a grub password.

Now, i think that the grub password is not a appropriate solution to the
problem, every user needs to know it and timeout is not possible.

Lets talk about a notebook, i dont want someone to get root-previledges
that easy. But i dont want to enter 2 oder 3 passwords on start up, i
believe the login screen is good enough for me.
Therefore i set the bios to only boot from hd and protect this with a
bios-setup password.
Then i would expect grub to have one or two features that i could not
find yet.
I call the first one "static configuration flag", the config should have
a flag that makes grubs menu static. I can boot all the systems with the
options in the menu.lst but not modify them. Just menu, not more.

The second one is "changes get password protected", as name says. I can
use the menu with the options in menu.lst, but editing them requires a
password.
I could even imagine setting a password as an option of every single
entry in grub, but not the default one.

Have i overlooked such features and they are allready there? Or are
there constraints that cause them to not be there?

regards, Sven Jaborek