6.2. Rooting Out the Bootloader
There are two major bootloaders associated with Linux: GRUB and LILO. If you have a problem with a bootloader, it's important to know how to go through the associated configuration files with a fine-tooth comb.
6.2.1. Managing GRUB
The Grand Unified Bootloader (GRUB) has become something of a standard in Linux. It's the default for Red Hat/Fedora, SUSE, and Debian. As you might expect, there are differences in the way it's configured on different distributions. For example, while Red Hat/Fedora uses grub.conf, SUSE and Debian use menu.lst. In either case, the file is stored in the /boot/grub directory.
GRUB typically comes in three stages, known as 1, 1.5, and 2. Stage 1 is a pointer from the MBR to the boot sector of the hard drive. Control is transferred to stage 1.5, associated with /boot/grub/*1_5 files. Control is then taken by stage 2, which displays the menu and options as defined in the main GRUB configuration file.
When you read the GRUB configuration file, be aware that many GRUB numbers start with 0. For example, the first partition on the first SCSI or SATA hard drive is known as sd(0,0), the second partition on the first SCSI or SATA hard drive is sd(0,1), and so on. In addition, default=0 refers to the first kernel stanza in the file. Because we're just diagnosing the standard versions of this file, I won't examine too many special directives within GRUB.
Both Red Hat/Fedora and SUSE include special directives that go over and above the standard GRUB directives as defined by its author, the Free Software Foundation. For more information, see http://www.gnu.org/software/grub.
6.2.1.1. Red Hat's GRUB
The following is an excerpt from my Red Hat Enterprise Linux 3 version of the GRUB configuration file, with comments:
password --md5 $$1$7/P7g0$eJKez1Tddjfl498.!kd.
default=0
timeout=10
This GRUB menu is password-protected. If the user doesn't select an available option, GRUB boots the operating system associated with the first stanza (default=0) after 10 seconds. If you have a second stanza and wanted to make that the default, you'd set default=1.
Red Hat displays its own version of the GRUB menu as a splash image. It's located in the /boot directory, which happens to be on the first IDE hard drive, on the second primary partition (hd0,1).
title Red Hat Enterprise Linux ES (2.4.21-15.EL)
root (hd0,1)
It's easy to get confused here. The root directive has two meanings in GRUB. By itself, it refers to the partition associated with the /boot directory. When used with the kernel or initrd directives, root refers to the actual root directory (/) on your filesystem.
kernel /vmlinuz-2.4.21-15.EL ro root=LABEL=/ hdd=ide-scsi
initrd /initrd-2.4.21-15.EL.img
The kernel directive defines the kernel to load. In this case, it's the /boot/vmlinuz-2.4.21-15.EL.img file. The Initial RAM disk (initrd) file loads a read-only filesystem (ro) into RAM, before Linux loads drivers and other modules.
If you have multiple kernels, you may have more than one Linux stanza. Here is a sample alternative stanza:
title Red Hat Enterprise Linux ES (2.4.21-20.EL)
password --md5 $1$9U66g0$nFbkwahtdojv2JXLIEj7i1
root (hd0,1)
kernel /vmlinuz-2.4.21-20.EL ro root=LABEL=/ hdd=ide-scsi
initrd /initrd-2.4.21-20.EL.img
You'll note that the contents of this stanza are nearly identical to the directives shown at the start of this section; besides the password protection, only the version number of the kernel and Initial RAM disk have changed. A Linux geek who is testing a new kernel on a user's workstation may want to protect that new kernel with a password. I'll show you how you can create an encrypted password shortly.
6.2.1.2. SUSE and GRUB
If you're unfamiliar with GRUB, read the previous section on the Red Hat GRUB configuration file for basic information. In general, SUSE discourages manual configuration of files such as the GRUB configuration file. Nevertheless, understanding the directives in the file can help you diagnose any problems that may arise. SUSE uses a slightly different set of configuration files. It starts with the /boot/grub/device.map file, which translates the GRUB name for the hard drive (hd0) to the Linux device name for that drive (/dev/hda):
SUSE continues with a simplified /etc/grub.conf configuration file, designed to set the stage for installing the bootloader. My version includes the following directives:
In this case, (hd0,6) refers to the main root directory, associated with partition device /dev/hda5.
install --stage2=/boot/grub/stage2 /boot/grub/stage1 (hd0) \
    /boot/grub/stage2 0x8000 (hd0,6)/boot/grub/menu.lst
quit
The install directive takes control from the bootloader. Once the filesystem files in /boot/grub are installed, the file hands over control to the menu.lst configuration file. The following are the basic directives from my version of this file:
color white/blue black/light-gray
default 0
timeout 8
These directives set up a color scheme. They also configure the first stanza as the default, which is started automatically if there's no user input within eight seconds.
gfxmenu (hd0,6)/boot/message
password linux4me
The SUSE-designed splash menu is known as gfxmenu. If you use YaST to edit GRUB, you won't be able to enter an encrypted password. You can still use the grub-md5-crypt command to encode an MD5-encrypted password, as I described in "Password-protecting GRUB," earlier in this chapter.
title SUSE LINUX 9.2
kernel (hd0,6)/boot/vmlinuz root=/dev/hda7 vga=0x314 selinux=0 \
    splash=silent resume=/dev/hda6 desktop elevator=as showopts
initrd (hd0,6)/boot/initrd
This stanza configures the default SUSE 9.2 installation. The kernel root directory is (hd0,6), also known as /dev/hda7. The Linux kernel is associated with the /boot/vmlinuz file (which happens to be linked to the actual kernel). The vga=0x314 option forces 800 x 600 resolution (easier on my eyes). As shown by selinux=0, security-enhanced Linux policies are disabled.
As with the latest Red Hat installations, SUSE hides the hardware detection and service start messages (splash=silent). The resume option specifies the swap partition. The elevator=as option defines a kernel access algorithm to the hard disk. (For more information on this algorithm, load the kernel source code and read the as-iosched.txt file in the /usr/src/linux/Documentation/block directory.) The showopts option lists boot options on the GRUB command line.
Finally, the initrd directive starts the Initial RAM disk. It's listed on partition /dev/hda7, in the /boot directory.
SUSE includes a fail-safe stanza by default:
title Failsafe -- SUSE LINUX 9.2
kernel (hd0,6)/boot/vmlinuz root=/dev/hda7 showopts ide=nodma \
    apm=off acpi=off vga=normal noresume selinux=0 barrier=off \
    nosmp noapic maxcpus=0 3
initrd (hd0,6)/boot/initrd
The kernel command line includes additional options that are straightforward. DMA is disabled for IDE devices. APM and ACPI power management are both disabled. No special VGA options are noted. No applications are suspended to the swap partition (noresume). Symmetric multiprocessing, APIC (Advanced Programmable Interrupt Controller), and the use of multiple CPUs are disabled. Finally, the kernel is set to start in runlevel 3.
6.2.1.3. Debian's GRUB
Debian's GRUB bootloader is quite similar to SUSE's. Both use the /boot/grub/menu.lst configuration file. Just as you can configure the SUSE GRUB bootloader with YaST, you can configure the Debian GRUB bootloader with the update-grub command, which reads kernels listed in the /boot directory.
But a Linux geek learns the code within the configuration files. The standard Debian (Sarge) menu.lst file is well commented. For this annoyance, I'll examine a portion of the directives from my own Debian menu.lst file. It starts with the same standard commands as other GRUB bootloaders:
default 1
timeout 5
color cyan/blue white/blue
password --md5 $1$7/P7g0$eJKez1Tddjfl498.!kd
If you've read the previous two sections on the Red Hat and SUSE versions of GRUB, you should be familiar with these directives. The default 1 directive points to the second stanza; it's automatically booted if there's no user input within five seconds. A typical blue color scheme is defined for the boot menu, and the menu is password-protected.
If you want to make the user's previously selected boot option the default, change default 1 to default saved. It works with the savedefault directive later in the file.
title Debian GNU/Linux, kernel 2.6.8-1-386
root (hd0,4)
This illustrates a /boot directory on the first IDE hard drive, on the fifth partition, which is also known as /dev/hda5.
kernel /vmlinuz-2.6.8-1-386 root=/dev/hda6 ro
The kernel directive cites the kernel to load from the /boot directory, followed by the partition with the real top-level root directory.
The initrd directive loads the Initial RAM disk from /boot/initrd.img-2.6.8-1-386.
The savedefault directive works only in conjunction with a default saved directive earlier in this file. With savedefault, if a user selects this operating-system stanza, it becomes the default the next time this computer is rebooted.
The boot directive, which uses all defaults because it bears no options, proceeds to boot Linux with the given parameters in the stanza.
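The following is an added example, not taken from the book or from GRUB itself: a small Python audit of the legacy GRUB file format covered in the three sections above. It accepts both the default=0 and default 0 spellings, resolves the zero-based default to a stanza title, translates (hdX,Y) names to Linux partitions, and flags password directives stored without --md5. The function names and the device_map dictionary (standing in for /boot/grub/device.map) are assumptions made for the example.

```python
import re

# Constructed sample assembled from directives quoted in this section.
SAMPLE = """\
default 1
password linux4me
title SUSE LINUX 9.2
kernel (hd0,6)/boot/vmlinuz root=/dev/hda7 vga=0x314
title Debian GNU/Linux, kernel 2.6.8-1-386
password --md5 $1$9U66g0$nFbkwahtdojv2JXLIEj7i1
root (hd0,4)
kernel /vmlinuz-2.6.8-1-386 root=/dev/hda6 ro
"""

def grub_to_linux(name, device_map):
    """Translate a zero-based GRUB name such as (hd0,4) to a Linux partition."""
    m = re.fullmatch(r"\((hd\d+),(\d+)\)", name)
    if not m:
        raise ValueError("not a GRUB partition name: " + name)
    return device_map[m.group(1)] + str(int(m.group(2)) + 1)

def parse(text):
    """Split a legacy GRUB config into global directives and title stanzas."""
    globals_, stanzas, current = {}, [], None
    for line in map(str.strip, text.replace("\\\n", " ").splitlines()):
        if not line or line.startswith("#"):
            continue
        # Accept both "default=0" (Red Hat) and "default 0" (SUSE, Debian).
        key, value = re.match(r"(\w+)(?:\s*=\s*|\s+)?(.*)", line).groups()
        if key == "title":
            current = {"title": value}
            stanzas.append(current)
        else:
            (globals_ if current is None else current)[key] = value
    return globals_, stanzas

def audit(text, device_map):
    """Return (findings, title booted by default, {title: /boot partition})."""
    globals_, stanzas = parse(text)
    findings = [] if "password" in globals_ else ["no global password directive"]
    for scope in [dict(globals_, title="(global)")] + stanzas:
        if "password" in scope and not scope["password"].startswith("--md5 "):
            findings.append("clear-text password in " + scope["title"])
    default = globals_.get("default", "0")
    in_range = default.isdigit() and int(default) < len(stanzas)
    booted = stanzas[int(default)]["title"] if in_range else None
    parts = {s["title"]: grub_to_linux(s["root"], device_map)
             for s in stanzas if "root" in s}
    return findings, booted, parts
```

Calling audit(SAMPLE, {"hd0": "/dev/hda"}) reports the clear-text global password, names the Debian stanza as the default, and maps its root (hd0,4) to /dev/hda5.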
6.2.2. Working with LILO
The LILO bootloader has fallen out of favor. It's not as easily customizable as GRUB, and it doesn't offer a command interface during the boot process. It does not support encrypted passwords. However, it's often the only bootloader that works with many different SCSI disks, so it is still in fairly common use.
LILO can be protected with two commands:
The first command, when alone, requires users to enter a password to boot an operating system. When you add the second directive (restricted), it keeps crackers from entering a command such as init=/bin/sh at the boot prompt, where they could then change the root password.
As LILO can recognize only passwords in clear text, you should limit read and write access to the root user with a command such as:
chmod 600 /etc/lilo.conf
Once you've added the commands of your choice to /etc/lilo.conf, you'll need to write it to the MBR with the /sbin/lilo command.
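As an added example (not from the book), the following Python check reads a lilo.conf-style file, reports whether the password is demanded at every boot or only when boot parameters are typed, and flags a clear-text password file that anyone other than the owner can access. The sample file is constructed, its password is a placeholder, and the function names are assumptions made for the example.

```python
import os
import stat
import tempfile

# Constructed lilo.conf for illustration; the password is a placeholder.
SAMPLE = """\
boot=/dev/hda
prompt
password=EXAMPLE-ONLY
restricted
image=/boot/vmlinuz
    label=linux
    root=/dev/hda2
    read-only
"""

def audit_lilo(path):
    """Return (protection level, findings) for a lilo.conf-style file."""
    keys = set()
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if line:
                keys.add(line.split("=", 1)[0].strip().lower())
    if "password" not in keys:
        return "none", []
    # password alone: asked at every boot; with restricted: asked only when
    # boot parameters (such as init=/bin/sh) are typed at the prompt.
    level = "boot parameters only" if "restricted" in keys else "every boot"
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & 0o077:
        findings.append("clear-text password accessible beyond owner (mode %04o)" % mode)
    return level, findings

def audit_text(text, mode):
    """Demo helper: write text to a temp file with the given mode, then audit it."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit_lilo(path)
    finally:
        os.unlink(path)
```

On a real system, call audit_lilo("/etc/lilo.conf") directly; after chmod 600 the findings list should be empty.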
Red Hat and Fedora distributions try to make it easy to convert from GRUB to LILO. They include a template configuration file, which you can find in /etc/lilo.conf.anaconda, based on the operating systems detected during installation.