NOTE: This is an older tutorial that covers GRUB 0.97, not GRUB 2.
After you have installed Ubuntu (or another distribution that uses GRUB as its boot loader*), there are a few extra steps that you can take to make your Linux installation more secure.
The first section explains the insecurities of the boot menu and the second section explains how to secure it.
* ArchLinux reportedly doesn't have this issue.
1. The Problem
By default, anyone with physical access to your system has the ability to reboot the machine and gain administrative (root) access to your file system. No authentication is needed.
The GRUB boot menu you see after a clean Ubuntu install looks like this:
NOTE: You may see additional entries if you are dual-booting another operating system.
The menu behaves as follows. If you select:
- the first entry (default), you will boot to your Ubuntu login screen
- the second entry (recovery mode), you will boot into a root shell, which gives you full administrative access to your system
- the third entry (memtest86+), you will boot into a memory testing application (this entry will be ignored for the remainder of this tutorial, as I am not aware of any security issues it may pose)
There are two issues with this menu that make it insecure:
- the recovery mode entry boots into an administrative (root) shell with full access to your system. It does this with no authentication. (in the wrong hands, this could lead to stolen or deleted data, or the entire operating system could be destroyed)
- the default entry can be made as insecure as recovery mode simply by passing the word single as a kernel parameter. Again, no authentication is needed to perform this action.
How Are Kernel Parameters Passed Via The Boot Menu?
We already know that recovery mode boots into a root shell with no kernel parameters or authentication needed (if you don't believe it, give it a try), but how do we make the default entry perform the same action?
As simple as this:
- Highlight the default entry in the boot menu
- Press 'e' to edit boot commands
- Highlight the line that begins "kernel /boot/vmlinuz...", and press 'e' again
- Type " single" at the end of the existing string (that is, a SPACE followed by the word single, without the quotation marks)
- Press Enter
- Press 'b' to boot
We have just booted into an administrative (root) shell, exactly as we would have had we selected the recovery mode entry.
I have just demonstrated that, by default, anyone with physical access to your computer can gain root privileges by simply rebooting and manipulating the Grub boot menu. That's the bad news. The good news is that it is easy to fix!
2. The Fix
(NOTE: I am writing this tutorial from the perspective of an Ubuntu 7.10 user, but the premise is the same on other distributions. Feel free to substitute your favorite Command Line and Text Editor programs as needed or as you see fit.)
Boot to your desktop as normal, and open a Terminal window (Applications -> Accessories -> Terminal).
The GRUB boot menu configuration file is located at /boot/grub/menu.lst, so let's open that file up in our text editor. In the Terminal window type:
Code:
gksudo gedit /boot/grub/menu.lst
then enter your password when prompted and a file similar to this should open:
Code:
# menu.lst - See: grub(8), info grub, update-grub(8)
# grub-install(8), grub-floppy(8),
# grub-md5-crypt, /usr/share/doc/grub
# and /usr/share/doc/grub-doc/.
## default num
# Set the default entry to the entry number NUM. Numbering starts from 0, and
# the entry number 0 is the default if the command is not used.
#
# You can specify 'saved' instead of a number. In this case, the default entry
# is the entry saved with the command 'savedefault'.
# WARNING: If you are using dmraid do not use 'savedefault' or your
# array will desync and will not let you boot your system.
default 0
## timeout sec
# Set a timeout, in SEC seconds, before automatically booting the default entry
# (normally the first entry defined).
timeout 3
## hiddenmenu
# Hides the menu by default (press ESC to see the menu)
hiddenmenu
# Pretty colours
#color cyan/blue white/blue
## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password topsecret
# password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
# password topsecret
#
# examples
#
# title Windows 95/98/NT/2000
# root (hd0,0)
# makeactive
# chainloader +1
#
# title Linux
# root (hd0,1)
# kernel /vmlinuz root=/dev/hda2 ro
#
#
# Put static boot stanzas before and/or after AUTOMAGIC KERNEL LIST
### BEGIN AUTOMAGIC KERNELS LIST
## lines between the AUTOMAGIC KERNELS LIST markers will be modified
## by the debian update-grub script except for the default options below
## DO NOT UNCOMMENT THEM, Just edit them to your needs
## ## Start Default Options ##
## default kernel options
## default kernel options for automagic boot options
## If you want special options for specific kernels use kopt_x_y_z
## where x.y.z is kernel version. Minor versions can be omitted.
## e.g. kopt=root=/dev/hda1 ro
## kopt_2_6_8=root=/dev/hdc1 ro
## kopt_2_6_8_2_686=root=/dev/hdc2 ro
# kopt=root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro
## Setup crashdump menu entries
## e.g. crashdump=1
# crashdump=0
## default grub root device
## e.g. groot=(hd0,0)
# groot=(hd0,1)
## should update-grub create alternative automagic boot options
## e.g. alternative=true
## alternative=false
# alternative=true
## should update-grub lock alternative automagic boot options
## e.g. lockalternative=true
## lockalternative=false
# lockalternative=false
## additional options to use with the default boot option, but not with the
## alternatives
## e.g. defoptions=vga=791 resume=/dev/hda5
# defoptions=quiet splash
## should update-grub lock old automagic boot options
## e.g. lockold=false
## lockold=true
# lockold=false
## Xen hypervisor options to use with the default Xen boot option
# xenhopt=
## Xen Linux kernel options to use with the default Xen boot option
# xenkopt=console=tty0
## altoption boot targets option
## multiple altoptions lines are allowed
## e.g. altoptions=(extra menu suffix) extra boot options
## altoptions=(recovery) single
# altoptions=(recovery mode) single
## controls how many kernels should be put into the menu.lst
## only counts the first occurence of a kernel, not the
## alternative kernel options
## e.g. howmany=all
## howmany=7
# howmany=all
## should update-grub create memtest86 boot option
## e.g. memtest86=true
## memtest86=false
# memtest86=true
## should update-grub adjust the value of the default booted system
## can be true or false
# updatedefaultentry=false
## should update-grub add savedefault to the default options
## can be true or false
# savedefault=false
## ## End Default Options ##
title Ubuntu 7.10, kernel 2.6.22-14-generic
root (hd0,1)
kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro quiet splash
initrd /boot/initrd.img-2.6.22-14-generic
quiet
title Ubuntu 7.10, kernel 2.6.22-14-generic (recovery mode)
root (hd0,1)
kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro single
initrd /boot/initrd.img-2.6.22-14-generic
title Ubuntu 7.10, memtest86+
root (hd0,1)
kernel /boot/memtest86+.bin
quiet
### END DEBIAN AUTOMAGIC KERNELS LIST
(NOTE: Again, you may see additional entries if you are dual-booting another operating system.)
We won't need to worry about most of this file, but there are 2 sections that need to be edited to secure the boot loader. We will edit the password section first, but before that we must take one detour and create an encrypted password:
Select the Terminal window and open a new tab (File -> New tab).
In the new tab type:
and a grub> prompt will open. At the grub> prompt type:
then type the password you want to use to secure your boot loader. Grub will display an encrypted string. This is your password in encrypted form.
Highlight the encrypted string, then copy (SHIFT+CTRL+C) it to the clipboard.
Then type:
to exit the Grub prompt.
Now, let's go back into the menu.lst file that is open in your text editor, and find the password section that looks like this:
Code:
## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password topsecret
# password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
# password topsecret
and add a new line directly below as follows (paste the encrypted string from the clipboard with Edit -> Paste):
Code:
password --md5 <encrypted password>
where <encrypted password> is the password you created in the last section.
So, your password section should now look like this:
Code:
## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password topsecret
# password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
# password topsecret
password --md5 $1$xcLiO$4czPGUKIdo5e8Vi3nIpme0
Half of our problems are now fixed (or they will be once the file is saved), as you can no longer pass kernel parameters without supplying your password first.
We still need to deal with the ability to boot into recovery mode without a password because, remember...we don't need to change any kernel parameters to do that, we just select the entry and press Enter.
Here's how we fix that:
In the menu.lst file, find the menu options that look like this (they should be at the bottom of the file):
Code:
title Ubuntu 7.10, kernel 2.6.22-14-generic
root (hd0,1)
kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro quiet splash
initrd /boot/initrd.img-2.6.22-14-generic
quiet
title Ubuntu 7.10, kernel 2.6.22-14-generic (recovery mode)
root (hd0,1)
kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro single
initrd /boot/initrd.img-2.6.22-14-generic
title Ubuntu 7.10, memtest86+
root (hd0,1)
kernel /boot/memtest86+.bin
quiet
### END DEBIAN AUTOMAGIC KERNELS LIST
and add the lock command to the recovery mode entry so it looks like this:
Code:
title Ubuntu 7.10, kernel 2.6.22-14-generic (recovery mode)
root (hd0,1)
lock
kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro single
initrd /boot/initrd.img-2.6.22-14-generic
The lock command requires that a password be entered before you can boot to that entry. You can add the lock command to any entry in the Boot menu if you wish to restrict who can boot to it.
Now save the menu.lst file (File -> Save) and exit (File -> Quit)
As an added precaution, it's also a good idea to change the permissions of the menu.lst file so that only root (and you through the sudo command) can view the file. By default it is readable and writeable by root (the owner), and readable by everyone else, as demonstrated by typing the following in a terminal window:
Code:
ls -la /boot/grub/menu.lst*
(NOTE: I use the * here because there is also a backup of the file in the same directory.)
To make the desired change type the following at the terminal window:
Code:
sudo chmod 600 /boot/grub/menu.lst*
Enter your password if prompted, then rerun:
Code:
ls -la /boot/grub/menu.lst*
to verify that the desired changes have been made.
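The checks from this section can also be scripted. The following is an added example, not part of the original tutorial: audit_menu_lst and write_sample are hypothetical helper names, and the sample file is constructed from the stanzas shown above. It also reports the lockalternative option, because the file's own comments state that update-grub modifies everything between the AUTOMAGIC KERNELS LIST markers.

```sh
#!/bin/sh
# Added example: audit a GRUB 0.97 menu.lst for the weaknesses described above.
# audit_menu_lst FILE prints one FINDING line per problem and returns 1 if any.
audit_menu_lst() {
    # chmod 600 leaves columns 5-10 of the ls mode string as dashes.
    _mode=$(ls -ld "$1" | cut -c5-10)
    _out=$(awk '
        function flush() { if (bad) print "FINDING: single-user entry not locked: " title }
        /^#/ {  # update-grub reads its options from single-# comment lines
            if ($0 ~ /^#[ \t]*lockalternative=true/) lockalt = 1
            next
        }
        # Only a password in the first section, before any title, is global.
        $1 == "password" && !seen_title { pw = 1; if ($2 != "--md5") plain = 1 }
        $1 == "title"  { flush(); seen_title = 1; bad = locked = 0
                         title = $0; sub(/^title[ \t]+/, "", title) }
        $1 == "lock"   { locked = 1 }
        # lock only guards the commands after it, so it must precede kernel.
        $1 == "kernel" { for (i = 3; i <= NF; i++) if ($i == "single" && !locked) bad = 1 }
        END {
            flush()
            if (!pw)      print "FINDING: no password directive before the first title"
            if (plain)    print "FINDING: password is stored in cleartext (no --md5)"
            if (!lockalt) print "FINDING: lockalternative is not true, update-grub will regenerate recovery entries unlocked"
        }' "$1"
        [ "$_mode" = "------" ] ||
            echo "FINDING: file is accessible to group or others")
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# Constructed sample: the tutorial's stanzas before the fix is applied.
write_sample() {
    cat > "$1" <<'EOF'
# lockalternative=false
title Ubuntu 7.10, kernel 2.6.22-14-generic
root (hd0,1)
kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro quiet splash
title Ubuntu 7.10, kernel 2.6.22-14-generic (recovery mode)
root (hd0,1)
kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=e6e6fe4f-6c0f-46e5-8a40-b45225220a85 ro single
EOF
}

sample=$(mktemp) && write_sample "$sample"
audit_menu_lst "$sample" || true   # prints three findings for the sample
rm -f "$sample"
```

Run it against the real file with sudo once menu.lst has been set to mode 600, since the file is then no longer readable by ordinary users.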
3. Verifying the Changes
Congratulations, we are done securing the GRUB boot loader! Now let's reboot and look at what a difference our changes have made.
When we reboot, we see the boot menu has changed a little: it now advises us to press Enter to boot the selected OS, or press 'p' to enter a password and unlock the next set of features. We can still boot into the default entry as normal, but we cannot add kernel parameters without first entering our password.
Likewise, if we try to boot into recovery mode without first entering our password we are greeted with an error:
which is exactly what we want to see. Now our Linux box is a little more secure (see note below) against threats by people who have physical access to our machine.
Please Note: While this procedure makes your system a little more secure, it does not prevent someone who has time to physically work at your machine from getting past it. This procedure makes it harder and slows an opportunistic attacker down, but given even ten minutes unattended they can get past this by booting through a Live CD or removing the hard drive and putting it into another computer. This is meant more to prevent someone from doing damage in under 60 seconds. To slow them even a little further, make sure to remove CD from your boot options in the system BIOS. Be aware that this can also easily be bypassed by someone who is left unattended with your computer.
While I won't cover it in this how-to, you may want to also look into disk encryption to better safeguard your data.