Archive

Posts Tagged ‘GRUB’

A Discussion on Grub Security

June 22nd, 2007

Today’s post isn’t so much a tutorial as a discussion or educational topic on grub.  It was inspired by the original post here and the continued discussion in the comments.  I thought I would outline some suggestions on securing the grub boot loader and explain why Ubuntu adding a “rescue mode” entry to grub is not a security flaw and is really no less secure than any other distribution.

To understand this you’ll need to be familiar with Linux runlevels.  SysV init defines seven runlevels, 0 through 6; what each one means is set in /etc/inittab and differs between distributions.  The list below is the Red Hat convention, which is the one most documentation describes.

0 (zero) is basically the shutdown runlevel.

1 (one) is single-user mode, also written S.

2 (two) is a multi-user mode without networking/NFS (Red Hat convention).

3 (three) is a multi-user, command line based mode.

4 (four) is user-defined / undefined.

5 (five) is multi-user, graphical mode.  This is generally the default runlevel on Red Hat style desktop / laptop machines.

6 (six) is basically the reboot runlevel.

Debian and Ubuntu differ here: runlevel 2 is the default, and runlevels 2 through 5 are identical unless you change them, so an Ubuntu desktop normally boots into 2 rather than 5.  The point that matters for this discussion is the same on both: runlevel 1 (S) is the maintenance level, the default multi-user runlevel is what you run day to day, and 0 and 6 are used when you shut down or reboot the machine.

The reason I outline this topic in relation to grub, security and “rescue mode” is that the “rescue mode” entry Ubuntu adds to grub is simply an entry that boots the machine into runlevel 1 instead of the normal multi-user default.

The default behaviour for runlevel 1 is to boot to a basic shell, without requiring a login, and allow the user to do recovery or maintenance.  Whether a password is asked for is decided by init, not by grub: on Debian and Ubuntu /etc/inittab runs /sbin/sulogin for runlevel S, which prompts for the root password when root has one, and a stock Ubuntu install ships with the root account locked, so the shell appears straight away.  Some people feel that this is a security flaw and that allowing root access to a machine via an entry in grub is simply absurd.  The same access can be achieved on most Linux distributions.

If you’d like to try it yourself (yes, this also applies to Fedora, RHEL, etc.) boot your machine and press a key at grub.  You should see a menu of your available kernels and can boot any of them by selecting it and pressing ENTER.

You’ll also notice a small paragraph of command tips below the menu.  It explains that you can edit the highlighted entry by pressing ‘e’, or press ‘a’ to append to its kernel line before booting.  To boot into the same thing Ubuntu’s “recovery mode” gives you, press ‘a’, add one of 1, s, S or single to the end of the kernel line and press ENTER.  init reads these from the kernel command line (the last one given wins): single, s and S select runlevel S, and 1 selects runlevel 1, which on Debian and Ubuntu hands over to S.  Either way you get a root shell for maintenance or recovery without being prompted for a password.

Again, this can be done on most other distributions.  It is not limited to Ubuntu and is not a security flaw.  It is built this way so that someone with physical access can recover a lost password, update or recover configuration files, and otherwise fix an unbootable machine.  The underlying rule is the one that matters: without a boot loader password (and a BIOS password to stop booting from other media) physical access to a machine is root access on it, whatever the distribution.

Now that we understand that the system is designed this way and this access can be had on nearly any machine you have local access to, we can discuss how to lock down grub so that its entries cannot be edited.  Securing grub will, of course, further harden your machine against this, but it will also lock you out of recovery if you forget the grub password, so keep it somewhere safe.

If you decide you’d like to lock down grub and not allow any editing you’ll need to edit the /boot/grub/menu.lst file.  This file includes every bootable kernel you have, the Ubuntu recovery mode entries, memtest86+ and any other OS you have set up.  Most of this file is pretty straightforward, but because of the way Debian/Ubuntu regenerate it with update-grub you need to make your changes in certain places.  If they are not made in the right place they will be overwritten the next time you update your kernel.

There is an AUTOMAGIC KERNELS LIST section (between the ‘## ## Start Default Options ##’ and ‘## ## End Default Options ##’ markers) from which update-grub builds the kernel entries.  We don’t need to edit the generated entries themselves (they will be overwritten on the next update anyway).  What we can do is update the global options near the top of the file, such as ‘default’, ‘timeout’ and ‘hiddenmenu’.  These don’t offer any security though.  What we can add is a password entry that prevents any grub editing or alteration at boot time without the password.

The first step is to run the ‘grub-md5-crypt’ command.  It prompts twice for a password of your choice and prints an MD5-crypt hash of the form $1$salt$hash (the same format used in /etc/shadow), which can then be added to grub.

Add a line to menu.lst in the global section, near the options mentioned above and before the first ‘title’, using the following syntax:

password --md5 (two dashes md5) <hash>

replace <hash>, of course, with the hash value outputted by grub-md5-crypt.  You’ll end up with something like:

password --md5 $1$nL5d0$36n6u8TaxOX9guBdKaGFx0

Because this password line sits in the global section and is not specific to any one entry (the same syntax can also be placed inside an individual entry), grub now starts in a restricted mode: the menu still works and any entry can be booted, but pressing ‘e’, ‘a’ or ‘c’ to edit an entry or use the command line requires the password first (press ‘p’ to enter it).  That alone does not close the hole this post opened with, because Ubuntu’s “(recovery mode)” entries already have ‘single’ on their kernel line and can simply be selected and booted.  To make the password apply to booting an entry as well, put the ‘lock’ command on the line right after that entry’s ‘title’.  For the generated entries, set ‘# lockalternative=true’ (and ‘# lockold=true’ to cover older kernels) in the automagic comment block and run update-grub; it then adds ‘lock’ to every recovery entry and keeps it there across kernel updates.  Two further caveats: menu.lst is world-readable by default, so anyone with a local shell can copy the hash and attack it offline (chmod 600 /boot/grub/menu.lst, and re-check the permissions after the next kernel update); and none of this stops someone booting the machine from a CD or USB stick, which needs a BIOS boot-order lock and BIOS password of its own.
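The two points above, namely how init turns 1, s, S or single on the kernel line into single-user mode and why a global password line alone does not stop an unlocked recovery entry from booting, can be checked mechanically.  The following audit script is an added example and is not code from the original post or from Ubuntu.  It assumes a GRUB legacy menu.lst of the layout shown in this post, recognises only the ‘lock’ command as protecting an entry, and, when run without arguments, writes a constructed sample menu.lst (reusing the hash printed above) to exercise itself.

```sh
#!/bin/sh
# Added example, not from the original post: audit a GRUB legacy menu.lst for
# the gap a global `password --md5` line leaves open.  The global password
# stops someone pressing e/a/c to edit an entry, but any entry without `lock`
# can still be booted as-is, and Ubuntu's "(recovery mode)" entries already
# carry `single` on their kernel line.  The checks are therefore:
#   1. is there a password line in the global section (before the first title)?
#   2. does every entry whose kernel line selects single-user mode carry `lock`?
# Usage on a real system:  sh audit-menu-lst.sh /boot/grub/menu.lst
# The sample written by make_sample_menu is constructed for the demo.

# Runlevel a kernel command line selects, parsed the way sysvinit does it:
# "single", "s" or "S" mean runlevel S, a lone digit 0-6 is taken literally,
# later arguments override earlier ones, and "default" means none was given.
cmdline_runlevel() {
    level=default
    for arg in $1; do
        case "$arg" in
            single|s|S) level=S ;;
            [0-6])      level=$arg ;;
        esac
    done
    printf '%s\n' "$level"
}

# True when the command line lands in a root shell with no login: runlevel S,
# or runlevel 1 (whose rc script on Debian/Ubuntu hands over to S).
boots_single_user() {
    case "$(cmdline_runlevel "$1")" in
        S|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_entry TITLE LOCKED CMDLINE: one finding per unlocked single-user entry.
audit_entry() {
    [ -n "$1" ] || return 0                  # nothing parsed yet
    if [ "$2" -eq 0 ] && boots_single_user "$3"; then
        printf 'UNLOCKED single-user entry: %s\n' "$1"
        return 1
    fi
    return 0
}

# audit_menu_lst FILE: print findings, return 1 if there are any.
audit_menu_lst() {
    file=$1 bad=0 global_password=0 title= locked=0 cmdline=
    set -f                                   # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                         # split on whitespace; $1 is the command
        [ $# -gt 0 ] || continue
        case "$1" in
            '#'*)     continue ;;            # comments, including the automagic block
            password) [ -n "$title" ] || global_password=1 ;;
            title)    audit_entry "$title" "$locked" "$cmdline" || bad=1
                      shift; title=$*; locked=0; cmdline= ;;
            lock)     locked=1 ;;
            kernel)   shift; [ $# -gt 0 ] && shift; cmdline=$* ;;   # drop the kernel path
        esac
    done < "$file"
    set +f
    audit_entry "$title" "$locked" "$cmdline" || bad=1
    [ "$global_password" -eq 1 ] || { echo 'no password line in the global section'; bad=1; }
    return "$bad"
}

# Constructed sample: one normal entry, one unlocked recovery entry, one locked one.
make_sample_menu() {
    cat > "$1" <<'EOF'
default 0
timeout 3
hiddenmenu
password --md5 $1$nL5d0$36n6u8TaxOX9guBdKaGFx0
## ## Start Default Options ##
# lockalternative=false
## ## End Default Options ##

title Ubuntu, kernel 2.6.17-10-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.17-10-generic root=/dev/hda1 ro quiet splash
initrd /boot/initrd.img-2.6.17-10-generic
savedefault
boot

title Ubuntu, kernel 2.6.17-10-generic (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.17-10-generic root=/dev/hda1 ro single
initrd /boot/initrd.img-2.6.17-10-generic
boot

title Ubuntu, kernel 2.6.17-6-generic (recovery mode)
lock
root (hd0,0)
kernel /boot/vmlinuz-2.6.17-6-generic root=/dev/hda1 ro 1
initrd /boot/initrd.img-2.6.17-6-generic
boot
EOF
}

# Demo: audit the file given as $1, or the constructed sample when run bare.
if [ $# -gt 0 ]; then
    audit_menu_lst "$1"
else
    sample=$(mktemp)
    make_sample_menu "$sample"
    audit_menu_lst "$sample" ||
        echo "fix: add 'lock' under each title above, or set '# lockalternative=true' and run update-grub"
    rm -f "$sample"
fi
```

Run it against /boot/grub/menu.lst after every kernel update, since update-grub rewrites the entries; a clean result is no output and exit status 0.  On the constructed sample it reports the unlocked 2.6.17-10 recovery entry and says nothing about the 2.6.17-6 one, which carries ‘lock’.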

Your Linux machine is now one step closer to being a hardened gauntlet.  Enjoy.

Tweaking grub settings : Ubuntu (5.10 / 6.06.1 / 6.10)

December 29th, 2006

Most of you have probably at least heard of “grub” but may not be completely familiar with it. What it does, or how to make it work for you, is quite another story for most people. I’d like to outline a few minor tweaks that anyone can make to grub to update their boot-time options.

Your grub config on an Ubuntu system lives at /boot/grub/menu.lst. There is quite a lot of commenting in that file, so if you take the time to read through it you should be able to figure out quite a bit on your own. I want to outline a couple of things that I often tweak within grub.

First and foremost you should make a backup of the file before you make any changes. As always, there is a chance that you could make errors in your changes and it’ll save your day if you’ve made a backup. Make a backup using a command like:

sudo cp /boot/grub/menu.lst /boot/grub/menu.lst-backup

After you’ve made your backup copy you’ll want to edit the file to make a few changes. You would do that using the following:

sudo gedit /boot/grub/menu.lst

Now we get to the fun stuff! What to look at and what to change? So many questions. Below are some of the settings that can be changed within grub and what they do.

default – specifies which menu entry boots if you don’t choose one, counted from 0 for the first entry. This defaults to 0 and you generally don’t need to change it (setting it to “saved” makes grub reuse whichever entry was last booted with savedefault, described below).

timeout – allows you to change the countdown before grub automagically boots into the default listing. By default it should be set to 3 (seconds). If you need more time to choose the kernel or OS to boot into you can change this. Simply change the entry from:

timeout 3

to something like

timeout 10

or, of course speed things up, setting it at

timeout 1

hiddenmenu – allows you to specify whether or not your grub menu will be hidden at boot time. By default it is hidden and prompts you to press ESC to see the menu. If you would prefer to see the menu each time you boot simply comment out the line. Example, you would change:

hiddenmenu

to

# hiddenmenu

The file then moves into some commented code to show you examples of listing and the style and options you can set. Below that underneath

## ## End Default Options ##

you’ll see the kernels or OS’ that you have listed for your system. Each entry is built from a handful of lines, four of them required. This is an example of my current listing for the 2.6.17-10-generic kernel:

title Ubuntu, kernel 2.6.17-10-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.17-10-generic root=/dev/hda1 ro quiet splash
initrd /boot/initrd.img-2.6.17-10-generic
quiet
savedefault
boot

A few of these settings are optional but the required options are:

title – this is the menu listing you will see at boot. You can change this to whatever you’d like. An example could be:

title Ubuntu - The best distro ever! (2.6.17-10-generic)

(the reason that I listed the kernel version is so I can tell future updates or other customizations apart from this. You generally want to run the latest kernel and, in certain situations, run a previous. It is generally a good idea to list the kernel version in whatever “nickname” you set for your grub listing title.)

root – tells grub which partition to read the kernel and initrd files from, in grub’s own (hdX,Y) notation: disks and partitions are both numbered from zero, so (hd0,0) is the first partition of the first BIOS disk, which Linux calls /dev/hda1 (or /dev/sda1). The mapping from BIOS disk numbers to Linux device names is kept in /boot/grub/device.map. You won’t normally change this, but on a dual-boot machine each OS entry points at its own partition.

kernel – names the kernel file to load, as a path relative to the partition given by root. If you build a custom kernel you’ll need to specify the path to that file, and if you boot several distributions from one grub you’ll specify the path to each of their kernels.

The root= argument on the kernel line is a different thing from grub’s root: it tells the kernel which partition holds the root filesystem to mount as /. Usually that is the same partition grub’s root points at, but if /boot is a separate partition the two differ. Both must be right, grub’s root to find the kernel and root= for the kernel to find the rest of the system.

ro, quiet and splash – ro mounts the root filesystem read-only at first so it can be checked before being remounted read-write; quiet silences the kernel’s boot messages; splash turns on the graphical boot screen. The last two are cosmetic and can be removed if you want to see what the kernel is doing.

initrd – loads the initial ramdisk image that goes with the kernel above. The kernel (vmlinuz) and initrd (img) files are generally stored in the same place. Make sure that your paths match the exact file names if you are customizing your menu.lst.

savedefault – records this entry as the one last booted, so that a “default saved” line at the top of the file boots it again next time; with the usual “default 0” it has no effect. If you take a look at your file you’ll notice the first listing is the only one with the savedefault option.
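To make the difference between grub’s (hdX,Y) root and the kernel’s root= argument concrete, here is an added example (not from the original post): it converts between the two notations using a device.map and describes, for a given entry, where grub reads the kernel from and where the kernel will mount /. It assumes /dev/hdXN or /dev/sdXN style device names and a device.map in the usual “(hd0)<TAB>/dev/hda” format; the device.map it writes is constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post: translate between GRUB legacy's
# (hdX,Y) notation and Linux device names, and explain an entry's two "roots".
# GRUB counts disks and partitions from 0, so (hd0,0) is the first partition of
# the first BIOS disk; the kernel calls that /dev/hda1, counting from 1.  The
# disk-to-device mapping comes from /boot/grub/device.map.
# Assumptions: /dev/hdXN or /dev/sdXN naming; the device.map below is constructed.

# grub_to_linux '(hd0,0)' DEVICE_MAP  ->  /dev/hda1
grub_to_linux() {
    spec=$(printf '%s' "$1" | tr -d '() ')          # hd0,0
    disk=${spec%%,*}                                 # hd0
    part=${spec#*,}                                  # 0
    [ "$part" != "$spec" ] || { echo "no partition in $1" >&2; return 1; }
    dev=$(awk -v d="($disk)" '$1 == d { print $2 }' "$2")
    [ -n "$dev" ] || { echo "$disk not in $2" >&2; return 1; }
    printf '%s%s\n' "$dev" $((part + 1))
}

# linux_to_grub /dev/sda5 DEVICE_MAP  ->  (hd1,4)
linux_to_grub() {
    dev=$(printf '%s' "$1" | sed 's/[0-9]*$//')      # /dev/sda
    num=${1#"$dev"}                                   # 5
    [ -n "$num" ] || { echo "no partition number in $1" >&2; return 1; }
    disk=$(awk -v d="$dev" '$2 == d { print $1 }' "$2" | tr -d '()')
    [ -n "$disk" ] || { echo "$dev not in $2" >&2; return 1; }
    printf '(%s,%s)\n' "$disk" $((num - 1))
}

# describe_entry '(hd0,0)' 'kernel /boot/vmlinuz-... root=/dev/hda1 ro' DEVICE_MAP
# Prints where GRUB loads the kernel from and where the kernel mounts /.  They
# are the same partition unless /boot lives on its own partition; a UUID= or
# LABEL= root is resolved by the initrd at boot, so it cannot be checked here.
describe_entry() {
    boot_dev=$(grub_to_linux "$1" "$3") || return 1
    root_arg=
    for arg in $2; do
        case "$arg" in root=*) root_arg=${arg#root=} ;; esac
    done
    case "$root_arg" in
        '')             printf 'GRUB loads the kernel from %s; kernel line has no root= argument\n' "$boot_dev"
                        return 1 ;;
        UUID=*|LABEL=*) printf 'GRUB loads the kernel from %s; kernel mounts / from %s (resolved by the initrd at boot)\n' "$boot_dev" "$root_arg" ;;
        "$boot_dev")    printf 'GRUB loads the kernel from %s; kernel mounts / from the same partition\n' "$boot_dev" ;;
        *)              printf 'GRUB loads the kernel from %s; kernel mounts / from %s (only correct if /boot is a separate partition)\n' "$boot_dev" "$root_arg" ;;
    esac
}

# Constructed device.map for the demo: first BIOS disk is hda, second is sda.
make_sample_device_map() {
    printf '(hd0)\t/dev/hda\n(hd1)\t/dev/sda\n' > "$1"
}

# Demo on the constructed device.map and the entry shown in the post.
dm=$(mktemp)
make_sample_device_map "$dm"
grub_to_linux '(hd0,0)' "$dm"        # -> /dev/hda1
linux_to_grub /dev/sda5 "$dm"        # -> (hd1,4)
describe_entry '(hd0,0)' 'kernel /boot/vmlinuz-2.6.17-10-generic root=/dev/hda1 ro quiet splash' "$dm"
rm -f "$dm"
```

On a real machine pass /boot/grub/device.map as the last argument and paste an entry’s root and kernel lines; a “separate partition” result for a machine with no separate /boot is the classic cause of a kernel that loads and then panics looking for its root filesystem.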
You should be a little more confident in tweaking your grub listing at this point. There isn’t a lot to it, but it is one of the most critical system settings. If you ruin your grub file your system (or any system on your machine!) will not boot. Be careful with it but, as usual, your system is only as powerful as you are educated, so take the time to know how your system runs. In most cases you won’t need to edit grub, but for those of you feeling adventurous perhaps try changing the timeout setting or the title for your options. The best way to learn is to try!
