Linux Grand Unified Bootloader (GRUB) · 2018. 11. 30.


Table of Contents

• Grand Unified Bootloader (GRUB)
• Legacy GRUB
• Configuring Legacy GRUB -1
• Configuring Legacy GRUB -2
• Legacy GRUB Security Considerations -1
• Legacy GRUB Security Considerations -2
• GRUB Security Advantages and Disadvantages
• GRUB2
• /etc/grub.d
• GRUB2 Security Considerations
• Notices


Grand Unified Bootloader (GRUB)

Has become the standard for boot management for many years

Used in RHEL and CentOS flavors of Red Hat, as well as SUSE

Often called Legacy GRUB

GRUB2 used in Fedora, Ubuntu, and other distributions

Can be upgraded or downgraded depending on which distribution you are using

• It is best to stick with the bootloader that was originally installed with the distribution for compatibility.

**008 So GRUB stands for Grand Unified Bootloader. GRUB is the utility that replaces the master boot record on your hard disk. What's the master boot record? The master boot record resides in the very first sectors of your hard drive; it looks for the first bootable partition and boots it automatically. So GRUB gives us an interactive interface to choose which OS we want to boot, or, if we're using Linux, which version of a kernel within an existing OS we want to boot.

There are two main versions of GRUB. There's the original, now called Legacy GRUB, which is mainly used by Red Hat Enterprise Linux and CentOS; and then GRUB2, the newest version, which is used by Fedora, Ubuntu and a lot of the other newer distributions.

Legacy GRUB

The standard GRUB configuration file is located in /boot/grub/menu.lst


**009 So let's explore the GRUB configuration file a little bit. The GRUB configuration file is stored in /boot/grub and it's called menu.lst. Look at the first two values there. 'default' specifies which operating system or kernel we're going to boot by default, and in this case we've set it to zero. So what does zero mean? If we look further down the file, you can see that in this case we have two titles. These titles represent different kernels of the Linux operating system, within the same OS install. A title can be any name that you specify, but in this example we're looking at two different kernel versions: 2.6.32-358.6.2, and an earlier version, -358. This is common: when Linux automatically upgrades a kernel, it creates a boot entry for the previous kernel in case you have difficulties. The order the titles are listed in is the order they're numbered, starting with 0. So the first one listed, the newer kernel, is 0, and the second one is 1. So 'default=0' means that, if we take no action when the computer boots, we boot into the first entry. Now, how long will it wait for me to decide if I want to choose another option? It waits five seconds; that's what 'timeout' means.

Page 4 of 22

Page 5: Linux Grand Unified Bootloader (GRUB) · 2018. 11. 30. · very first sections of your hard drive . and it looks for the first bootable . partition and boots it automatically. So

Configuring Legacy GRUB -1

hiddenmenu – does not show the complete menu, just the countdown

root (hd0,0) – hard drive and partition where the kernel is located

kernel – initial RAM disk file where drivers and modules are located to boot

root=/dev/mapper/vg_virtualrhel-lv_root – root partition location

**010 So there's a lot of other stuff in this configuration file; let's step through some of the other options. We already talked about default=0 and timeout=5 and what those do. 'splashimage': you can provide a simple graphic when you boot up, nothing too fancy. 'hiddenmenu': when you first boot into GRUB it'll just say it's going to boot in five seconds unless you push a key, like Escape. If you push Escape, it shows you the menu options and lets you choose which one you want to boot into. 'hiddenmenu' won't show the options; it'll just say 'Booting' and wait five seconds for you to do something. If you don't, it goes into the default option.

The 'root' option. In this case we have, as I mentioned earlier, the title, which you can specify to be anything you want; make it as descriptive as you can, so you know what you're talking about. Then the 'root' option tells GRUB which hard drive and partition to look on for the kernel we're going to boot. So (hd0,0) means: the first number, 0, is the hard drive, the first hard drive in the system; 1 would be the second hard drive. And again it starts at 0, much like the menu options. The second number is the partition: the first partition is 0 again, the second partition is 1, and so forth. So now we've decided where the kernel is located. What's the actual name of the kernel we're going to boot? That's the 'kernel' option; in this case it's called vmlinuz-2.6.32 and so on. That's the name of the actual kernel that is going to boot.

Now, 'root=' on the kernel line says: okay, where is the root partition located on the drive? Here you'll notice that it's not an actual drive we're indicating. If it were a physical drive, we'd say /dev/hd0 or hd1. In this case they're using a logical volume manager for managing partitions, so it's a file name that specifies where the root of the file system, the slash, is located.

Configuring Legacy GRUB -2

rd_LVM_LV – identifies and activates the logical volumes

rhgb quiet – hide the boot messages by default

**011 And since we're using a logical volume manager for our partitions, we also need to identify and activate those volumes. In this case we use 'rd_LVM_LV'. If we look at our little sample, we see our root: rd_LVM_LV=vg_virtualrhel_root. Then we also identify where our swap is with a second one, lv_swap. Most of these options are configured for you when you install your kernel or do your initial install of any Linux operating system; these are not commonly changed options. And last is 'rhgb quiet'. Usually when Linux boots it can show a very verbose series of boot-up messages: every device that's loaded, line after line of what the OS is actually doing as it boots. If we use 'quiet' it's not going to show any of that; it'll usually just show a screen saying we're booting.


Legacy GRUB Security Considerations -1

Because physical access to a system or console access through a virtual machine may be available, it is important to lock down boot options within the menu.

If the GRUB menu and boot partitions are not secured with a password, a user can restart a system and access single-user mode (allowing them to change the root password), modify the GRUB menu, or change the run level of a given partition.

To secure GRUB we must configure it to prompt for a password in order to boot a partition.

**012 So when we boot up the computer we get our boot menu and we can choose which volume we want to access. Usually one of the menu items will also be single-user mode. Single-user mode gives you a recovery mode that drops you right into a root prompt. So we don't want users being able to do that. We also don't want users being able to modify the boot entries and boot in ways we didn't intend, because that can cause security concerns.

To be able to do this, you first have to have physical access to the machine. So this is less of a concern if your physical machines are locked up in a data center, where you don't have to worry about people actually getting to the menus on the console. But it's a lot more common now that we're using virtual machines, and there's a greater chance that someone can access the virtual machine's console interface and then boot into single-user mode. Because all a user needs to do is reboot the computer in some fashion and they'll get this GRUB menu, which they can then modify. So how do we stop them? We add passwords to each of those menu items. Each menu item can have a different password. So maybe to boot into the regular OS you don't have a password, or you have a standard password that you give to your users; but to boot into single-user mode, which gives you root privileges and allows you to make a lot more configuration changes, you can use a different password that only administrators have. So let's talk about how we configure those.


Legacy GRUB Security Considerations -2

To set a GRUB password on a menu stanza, first obtain an encrypted password with grub-md5-crypt.

This password is then pasted into /boot/grub/menu.lst, after the title of the stanza you want to protect, using the lock and password keywords.

**013 So GRUB uses MD5 to hash the passwords. From the command prompt, very simply, we type grub-md5-crypt. All this does is give us the MD5 hash of the password that we specify. It doesn't actually put it in the file; all it's doing is generating the MD5 hash for us. So now we have to go back into our menu.lst file, which contains all our options, and add that MD5 hash to the menu item we want to apply the password to.

In this example we take the first line item, which was Red Hat Enterprise Linux Server and the version number, and we add 'lock' and 'password --md5', followed by the MD5 hash we just created with grub-md5-crypt.
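As an added example that is not part of the course slides, here is a small POSIX shell audit of a Legacy GRUB menu.lst covering the two points of the last three slides: a global password line before the first title (so entries cannot be edited at the GRUB menu) and a lock on any stanza whose kernel line boots single-user mode. The two sample menu.lst files, the volume names and the --md5 values are constructed for the example; the hashes are placeholders, not real grub-md5-crypt output.

```shell
#!/bin/sh
# Added example, not part of the course material: audit a Legacy GRUB
# /boot/grub/menu.lst for a missing global "password" line and for
# single-user stanzas that lack "lock". Sample files are constructed;
# the --md5 hashes are placeholders, not real grub-md5-crypt output.

WEAK_MENU_LST='default=0
timeout=5
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.32-358.6.2)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.6.2 ro root=/dev/mapper/vg_virtualrhel-lv_root rhgb quiet
        initrd /initramfs-2.6.32-358.6.2.img
title Red Hat Enterprise Linux Server (2.6.32-358) single-user
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358 ro root=/dev/mapper/vg_virtualrhel-lv_root single
        initrd /initramfs-2.6.32-358.img
'

# Same menu with the fixes applied: a global password before the first title,
# and "lock" plus a per-stanza password on the single-user entry.
HARDENED_MENU_LST='default=0
timeout=5
hiddenmenu
password --md5 $1$PLACEHOLDER$globalhashxxxxxxxxxxxxxxxx
title Red Hat Enterprise Linux Server (2.6.32-358.6.2)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.6.2 ro root=/dev/mapper/vg_virtualrhel-lv_root rhgb quiet
        initrd /initramfs-2.6.32-358.6.2.img
title Red Hat Enterprise Linux Server (2.6.32-358) single-user
        lock
        password --md5 $1$PLACEHOLDER$adminhashxxxxxxxxxxxxxxxxx
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358 ro root=/dev/mapper/vg_virtualrhel-lv_root single
        initrd /initramfs-2.6.32-358.img
'

# Exit 0 if a "password" line appears before the first "title" line.
# Reads the files given as arguments, or stdin when there are none.
has_global_password() {
    awk '
        /^[[:space:]]*title[[:space:]]/ { exit 1 }
        /^[[:space:]]*password([[:space:]]|$)/ { found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$@"
}

# Print the title of every stanza whose kernel line boots single-user mode
# ("single", "S" or runlevel "1") but that has no "lock" or "password" line.
unprotected_single_user() {
    awk '
        function flush() { if (title != "" && single && !locked) print title }
        /^[[:space:]]*title[[:space:]]/ {
            flush()
            sub(/^[[:space:]]*title[[:space:]]+/, "")
            title = $0; single = 0; locked = 0
            next
        }
        /^[[:space:]]*kernel[[:space:]]/ && /[[:space:]](single|S|1)([[:space:]]|$)/ { single = 1 }
        /^[[:space:]]*(lock|password)([[:space:]]|$)/ { locked = 1 }
        END { flush() }
    ' "$@"
}

# Report on a menu.lst file (needs a file argument, it is read twice);
# returns 1 when anything needs fixing.
audit_menu_lst() {
    rc=0
    if has_global_password "$@"; then echo "ok:   global password set"
    else echo "FAIL: no global password (entries can be edited at the GRUB menu)"; rc=1; fi
    unprotected_single_user "$@" | sed 's/^/FAIL: single-user stanza without lock: /'
    [ -z "$(unprotected_single_user "$@")" ] || rc=1
    return $rc
}

tmp=$(mktemp)
printf '%s' "$WEAK_MENU_LST" > "$tmp"
audit_menu_lst "$tmp" || echo "-> fix the findings above, then re-run"
rm -f "$tmp"
```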

GRUB Security Advantages and Disadvantages

Advantages of using GRUB password protection:

• When configured correctly, implementing GRUB passwords will secure a system from someone that has physical or console access to the system.

• Users cannot enter Single User Mode without entering a password.

Disadvantages of using GRUB password protection:

• Security can be bypassed if a user boots a live rescue CD.

• If a system restarts, it takes someone with physical or console access to enter the GRUB password before the system can start.

**014 So even though this still protects which menu items you're allowed to boot into, especially single-user mode, there's still a serious threat from anyone having physical access to your Linux install, whether through a virtual machine console or by actually going into the data center, because this can all still be bypassed by booting off a live CD, from a CD-ROM or a USB stick. A live CD is a standalone version of Linux that doesn't need to be installed on the hard drive. Using that CD, you can access the file system; and if you can access the file system, you don't need to enter the password at the GRUB menu to get into the operating system. So your best protection is still to actually keep the physical console secure. And it still doesn't protect against someone physically rebooting the machine. So your best protection there is to also add BIOS protection and not allow CDs and USB devices to be bootable on your Linux systems.


GRUB2

/boot/grub/grub.cfg replaces menu.lst

Dynamically generated by GRUB scripts located in /etc/grub.d/ using update-grub

/etc/default/grub contains menu settings

• GRUB_DEFAULT – default boot partition

• GRUB_TIMEOUT – how long to wait

**015 So the second version of GRUB, called GRUB2, completely changes how it maintains its configuration files. In legacy GRUB we had the menu.lst file, which held our timeout, which operating system or kernel we boot by default, and also the actual menu items and their options. Instead, this has all been turned into a file called grub.cfg. But grub.cfg is not a file that you modify yourself. It's a dynamically generated file, created from a number of scripts in subdirectories by running update-grub. Every time you run update-grub, which you need to do after you make any changes, it goes and looks at all these different script files and compiles them into one file that GRUB uses when it boots up. So the closest thing we have to the menu.lst file is /etc/default/grub, which contains the usual menu settings we'd see in menu.lst, minus the actual menu items for the OSes. Things like GRUB_DEFAULT, which menu item we use as our default, and GRUB_TIMEOUT, how long we wait for a user to make a choice. We can also do some theme customizations in here; GRUB2 has more graphical options for making a pretty boot-up screen with high-res graphics.


/etc/grub.d

00_header – reads /etc/default/grub

10_linux – loads menu entries for default installation

20_xxxx – other distributions

30_os-prober – scan hard disks for other OS’s

40_custom – create additional entries to boot menu

**016 So all those script files I just mentioned, which update-grub looks at, are stored in /etc/grub.d, a directory under /etc. These are examples. They'll all have the 00_header file; they'll all have 30_os-prober and 40_custom. 10_linux will be your default installation. So instead of having menu items inside our menu.lst file, like we did in the original GRUB, each of those menu items is now separated into its own file in the grub.d directory. Now notice there are numbers before each of them: 00, 10, 20, 30. That is the order they're listed in the menu when you boot up the machine. So if you wanted to see a menu item higher up on the list, you'd change the number in front of that file. The script 00_header reads the default grub file, which contains our timeout and which entry is our default. 10_linux has our default installation, whichever Linux we installed when we installed GRUB2. And then 20_ are other distributions. Say we're running Red Hat Enterprise Linux and we also have a Windows partition and an Ubuntu partition. Some common names would be 20_ubuntu and 20_windows7, and those would be your other menu items. Those scripts identify where those root partitions sit, and all the similar options we saw in menu.lst. os-prober is a unique one: it attempts to find all the partitions in your system that contain valid operating systems and automatically creates menu items for you. Now if we don't want to do this every time we run update-grub, we can change the permissions of os-prober so it's no longer an executable script, and it won't run when the system is booted.


GRUB2 Security Considerations

GRUB2 has made some security improvements to the way passwords are used to boot menu stanzas.

The process of setting a password now takes 3 steps:

1. Authorized users must be identified;
2. Passwords for the users must be delegated; and
3. Menu entries must be modified to use the username/passwords.

There have been several problems/bugs with using GRUB2 passwords on various distributions including Red Hat and Ubuntu.

• Because of these bugs, showing the steps to implement password protection may be inaccurate.

**017 With legacy GRUB we talked about how we can use MD5 and assign a password to each of the menu items in menu.lst. That's a very simple method that applies to those menu items and only gives you one password per menu item. With GRUB2 we can now define users and give each user a unique password, and assign each of those users to different menu items. So one menu item could have multiple users, each with a different password. That gives you a little more granularity on who's allowed to access which operating systems, partitions or volumes to boot from. Now these usernames and passwords are not tied to the existing usernames and passwords in the Linux operating system itself; they are separately defined. But having unique users also gives you some auditing capability on who's been trying to access what. So the usernames and passwords for GRUB2 are stored in our 00_header file.


**016 That's this number here: 00_header. It reads /etc/default/grub, but it's also where we define our usernames and passwords. And it's the first one processed when update-grub is run.

Now that we've defined those usernames and passwords, all we have to do is assign those usernames in the individual files for the boot menu options they apply to. So if we had a 21_windows7, we go into that script file and add the users that are allowed to boot into Windows 7. When a user boots the computer and selects Windows 7 from the menu, he'll be required to enter a username and password; if his username isn't one of the ones listed in the menu option in the script file, he's not allowed to boot it, and if he enters the wrong password he won't be able to boot it either.
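As an added example that is not part of the course material, and since the slides skip the exact GRUB2 steps, here is a POSIX shell audit of the grub.cfg that update-grub generates from /etc/grub.d, checking the outcome of the three steps: a superuser is set, users have pbkdf2 hashes (from grub-mkpasswd-pbkdf2) rather than cleartext 'password' lines, and each menuentry states who may boot it through --users or --unrestricted. The sample grub.cfg, its user names and the pbkdf2 string are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the course material: audit a generated GRUB2
# grub.cfg. It checks that a superuser is set (without "set superusers"
# GRUB2 enforces no passwords at all), flags users with a cleartext
# "password" line instead of a "password_pbkdf2" hash, and lists who may
# boot each menuentry. The sample below is constructed; the pbkdf2 string
# and user names are placeholders.

sample_grub_cfg() {
    cat <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
password operator cleartext-placeholder
menuentry 'Ubuntu' --unrestricted {
        linux /vmlinuz root=/dev/sda1 ro quiet
        initrd /initrd.img
}
menuentry 'Ubuntu (recovery mode)' {
        linux /vmlinuz root=/dev/sda1 ro recovery nomodeset
        initrd /initrd.img
}
menuentry "Windows 7" --users operator {
        insmod ntfs
        chainloader +1
}
EOF
}

# Exit 0 if grub.cfg names at least one superuser. Reads the files given as
# arguments, or stdin when there are none (same for the functions below).
superusers_defined() {
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$@"
}

# Print users whose password is stored in the clear with "password" rather
# than as a "password_pbkdf2" hash.
plaintext_password_users() {
    awk '/^[[:space:]]*password[[:space:]]/ { print $2 }' "$@"
}

# Print one line per menuentry: "<title><TAB><who may boot it>". With
# superusers set, an entry is superusers-only unless it carries
# --unrestricted (anyone) or --users (the listed users, plus superusers).
entry_access() {
    awk -v sq="'" '
        BEGIN { quoted = sq "[^" sq "]*" sq "|\"[^\"]*\"" }
        /^[[:space:]]*menuentry[[:space:]]/ {
            title = "?"
            if (match($0, quoted)) title = substr($0, RSTART + 1, RLENGTH - 2)
            access = "superusers-only"
            if ($0 ~ /--unrestricted/) {
                access = "unrestricted"
            } else if (match($0, /--users[[:space:]]+[^[:space:]]+/)) {
                access = substr($0, RSTART, RLENGTH)
                sub(/^--users[[:space:]]+/, "users:", access)
                gsub(sq, "", access); gsub(/"/, "", access)
            }
            print title "\t" access
        }
    ' "$@"
}

# Report on a grub.cfg file (needs a file argument, it is read three times);
# returns 1 when something in /etc/grub.d needs fixing and a fresh update-grub.
audit_grub_cfg() {
    rc=0
    if superusers_defined "$@"; then echo "ok:   superusers defined"
    else echo "FAIL: no 'set superusers' line; GRUB2 will not ask for any password"; rc=1; fi
    for u in $(plaintext_password_users "$@"); do
        echo "FAIL: user '$u' has a cleartext password; use grub-mkpasswd-pbkdf2"; rc=1
    done
    entry_access "$@" | sed 's/^/info: entry /'
    return $rc
}

tmp=$(mktemp)
sample_grub_cfg > "$tmp"
audit_grub_cfg "$tmp" || echo "-> fix the findings above and re-run update-grub"
rm -f "$tmp"
```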



**017 GRUB2 is still considered buggy by quite a few people on the internet and in general. There are several different implementations. Right now GRUB2 is buggy with Red Hat-based Linuxes; that's why Red Hat still ships legacy GRUB. So there have been some compatibility issues, some general growing pains, with GRUB2, and different ways of implementing it. That's why we didn't go into the exact detailed steps of implementing the password.


Notices

© 2014 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT® is a registered mark owned by Carnegie Mellon University.
