Wednesday, 27 February 2013

RHCSA: The GRUB Bootloader

Currently supported Red Hat systems use GRUB (the GRand Unified Bootloader). Older Red Hat systems used a different bootloader, LILO (Linux Loader), but for the Red Hat exams you only need to know about GRUB. The GRUB bootloader reads its config from /etc/grub.conf. Here is what is contained in my /etc/grub.conf file:

 # grub.conf generated by anaconda  
 #  
 # Note that you do not have to rerun grub after making changes to this file  
 # NOTICE: You have a /boot partition. This means that  
 #     all kernel and initrd paths are relative to /boot/, eg.  
 #     root (hd0,0)  
 #     kernel /vmlinuz-version ro root=/dev/mapper/vg_cordelia-lv_root  
 #     initrd /initrd-[generic-]version.img  
 #boot=/dev/sda  
 default=0  
 timeout=5  
 splashimage=(hd0,0)/grub/splash.xpm.gz  
 hiddenmenu  
 title Red Hat Enterprise Linux Client (2.6.32-358.el6.x86_64)  
      root (hd0,0)  
      kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=uk LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 rd_LVM_LV=vg_cordelia/lv_swap rd_LVM_LV=vg_cordelia/lv_root rd_NO_DM rhgb quiet crashkernel=auto  
      initrd /initramfs-2.6.32-358.el6.x86_64.img  
 title Red Hat Enterprise Linux Client (2.6.32-279.22.1.el6.x86_64)  
      root (hd0,0)  
      kernel /vmlinuz-2.6.32-279.22.1.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=uk LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 rd_LVM_LV=vg_cordelia/lv_swap rd_LVM_LV=vg_cordelia/lv_root rd_NO_DM rhgb quiet crashkernel=auto  
      initrd /initramfs-2.6.32-279.22.1.el6.x86_64.img  

The file is pretty easy to read. Reading down the file, we can see default=0, which means it will choose the first stanza as the default kernel and kernel options to boot from. Next we see timeout=5, meaning that the GRUB menu will remain on the screen for 5 seconds before moving on and booting from the first stanza. The next line, hiddenmenu, means you will need to press a key to display the menu at boot time; otherwise it will pause for 5 seconds for a keypress before booting the default option.
Next up is the first stanza, containing the title given to this boot choice and, in brackets, the kernel. On the next line we see the device and partition that the system will boot from, followed by the location of the kernel, with the boot options appended to the end of the line. There are lots of boot options here; at this study level we aren't required to know about all of them. What we do need to be aware of, though, is that we can append boot options to the end of this line. To do this, we need to press the 'e' key on the GRUB menu. Here's what the menu looks like on a Fedora system:


If we were to press the 'e' key on the GRUB menu and then add a number 1 to the end of the boot options, that would boot the system into single-user mode. Single-user mode can be thought of as similar to Safe Mode on a Windows system: it boots up with a minimum of services running and can be used for troubleshooting problems. Because single-user mode boots us straight into the root account, we can reset the root user's password. While this is great if you are the only person who will ever have access to the system, it isn't so great from a security standpoint - if you can reset the root password you can perform any kind of system administration task: delete users, uninstall critical services, delete config files, etc. I wouldn't like to leave GRUB open on any system I maintain. Fortunately, it's possible to password protect the GRUB menu. Here's how:


As root, type grub-md5-crypt at a command prompt. You will be prompted for a password and then asked to repeat it before the password is hashed and the hash of the password is echoed back to your screen:

 [root@rhel6 ~]# grub-md5-crypt   
 Password:   
 Retype password:   
 $1$isrO31$O6vMiDSfnaeOlepqP4ceA

You can then take the hashed password and add it to your grub.conf file like so:


 # grub.conf generated by anaconda  
 #  
 # Note that you do not have to rerun grub after making changes to this file  
 # NOTICE: You have a /boot partition. This means that  
 #     all kernel and initrd paths are relative to /boot/, eg.  
 #     root (hd0,0)  
 #     kernel /vmlinuz-version ro root=/dev/mapper/vg_cordelia-lv_root  
 #     initrd /initrd-[generic-]version.img  
 #boot=/dev/sda  
 default=0  
 timeout=5  
 splashimage=(hd0,0)/grub/splash.xpm.gz  
 hiddenmenu  
 password --md5  $1$isrO31$O6vMiDSfnaeOlepqP4ceA
 title Red Hat Enterprise Linux Client (2.6.32-358.el6.x86_64)  
      root (hd0,0)  

By doing this, you can protect your GRUB menu from those who gain physical access to your system. The menu will now require you to press 'p' and enter your password before you can proceed to press 'e' to change the kernel boot options.
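
As an added example (not part of the original post), here is a small shell check that reports whether a GRUB legacy config carries a password directive in its global section, that is, before the first title stanza, and whether it is an MD5 hash or plaintext. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how a GRUB legacy config protects its menu.
# Prints one of: md5, plaintext, malformed, other-option, missing.
# Only the global section (before the first "title") is considered.
check_grub_password() {
    awk '
        # Ignore comments and blank lines.
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # The first title line ends the global section.
        $1 == "title" { exit }
        # Hashes produced by grub-md5-crypt start with $1$.
        $1 == "password" {
            found = 1
            if ($2 == "--md5") {
                state = ($3 ~ /^\$1\$/) ? "md5" : "malformed"
            } else if ($2 ~ /^--/) {
                state = "other-option"
            } else {
                state = "plaintext"
            }
            exit
        }
        END { print (found ? state : "missing") }
    ' "$@"
}

# Constructed sample modelled on the protected config in this post.
sample_protected() {
    cat <<'EOF'
# grub.conf generated by anaconda
default=0
timeout=5
hiddenmenu
password --md5 $1$isrO31$O6vMiDSfnaeOlepqP4ceA
title Red Hat Enterprise Linux Client (2.6.32-358.el6.x86_64)
      root (hd0,0)
EOF
}

# On a real system, run as root: check_grub_password /etc/grub.conf
sample_protected | check_grub_password
```

A result of missing means there is no password line above the first title, so the 'e' key still works without a password; plaintext means the password itself is readable by anyone who can read the file.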

More information about GRUB is available here:

http://www.gnu.org/software/grub/manual/grub.html

and of course in the man pages on your system.
