設定GRUB 密碼(LAB)

•  類別 : [TMLDP] [System Administrator] [Advance ] [LAB]

• 主題 : 設定 GRUB 密碼
  
  
• 適用發行版 : RedHat 系列發行版 ( RHEL、CentOS、Fedora...)、Ubuntu
  ※尚未實測其他發行版
  
  
• LAB 環境 : CntOS 5.5
  
  
• 要進行這個測試你需要知道，

1. GRUB 設定檔管理
2. 如何使用 vi Text Editr 進行文字檔編輯
3. 如何進行串流重導

• 相關主題 : [The GRUB Boot Loader] [Stream、Redirection、Filter and Pipes]                   [The vi Text Editor] 

• 實驗要求 :

1. 設定 GRUB 密碼為 PassWord
2. 設定預設開機選項的密碼為PassWd

• 操作步驟 :

STEP 1. 使用grub-md5-crypt 命令產生 MD5加密密碼字串

[root@lab-2 ~]# grub-md5-crypt >> /boot/grub/grub.conf <<EOF > PassWord > PassWord > EOF stty: standard input: Inappropriate ioctl for device stty: standard input: Inappropriate ioctl for device [root@lab-2 ~]# grub-md5-crypt >> /boot/grub/grub.conf <<EOF > PassWd > PassWd > EOF stty: standard input: Inappropriate ioctl for device stty: standard input: Inappropriate ioctl for device [root@lab-2 ~]# cat /boot/grub/grub.conf | tail -6 Password: Retype password: $1$IrbRt/$k6kEGB8HK4bS8Q1TgIANu/ Password: Retype password: $1$bEcRt/$SSB74/27o5f0fnEONbjGW. [root@lab-2 ~]#

STEP 2. 使用 vi 開啟 /boot/grub/grub.conf

[root@lab-2 ~]# vi /boot/grub/grub.conf # NOTICE: You have a /boot partition. This means that # all kernel and initrd paths are relative to /boot/, eg. # root (hd0,0) # kernel /vmlinuz-version ro root=/dev/hdb2 # initrd /initrd-version.img #boot=/dev/hdb default=0 timeout=5 splashimage=(hd0,0)/grub/splash.xpm.gz hiddenmenu title CentOS (2.6.18-194.26.1.el5) root (hd0,0) kernel /vmlinuz-2.6.18-194.26.1.el5 ro root=LABEL=/ rhgb quiet initrd /initrd-2.6.18-194.26.1.el5.img title CentOS (2.6.18-194.17.4.el5) root (hd0,0) kernel /vmlinuz-2.6.18-194.17.4.el5 ro root=LABEL=/ rhgb quiet initrd /initrd-2.6.18-194.17.4.el5.img title CentOS (2.6.18-194.el5) root (hd0,0) kernel /vmlinuz-2.6.18-194.el5 ro root=LABEL=/ rhgb quiet initrd /initrd-2.6.18-194.el5.img Password: Retype password: $1$IrbRt/$k6kEGB8HK4bS8Q1TgIANu/ Password: Retype password: $1$bEcRt/$SSB74/27o5f0fnEONbjGW.

STEP 3. 設定 GRUB 密碼為 PassWord

#boot=/dev/hdb default=0 timeout=5 password --md5 $1$IrbRt/$k6kEGB8HK4bS8Q1TgIANu/ <--- 加這一行 splashimage=(hd0,0)/grub/splash.xpm.gz hiddenmenu

          STEP 4. 設定預設開機選項密碼為 PassWd

hiddenmenu title CentOS (2.6.18-194.26.1.el5) lock <-- 加上這一行跟下一行 password --md5 $1$bEcRt/$SSB74/27o5f0fnEONbjGW. root (hd0,0) kernel /vmlinuz-2.6.18-194.26.1.el5 ro root=LABEL=/ rhgb quiet initrd /initrd-2.6.18-194.26.1.el5.img

         ※修改後的/boot/grub/grub.conf 內容

# grub.conf generated by anaconda # # Note that you do not have to rerun grub after making changes to this file # NOTICE: You have a /boot partition. This means that # all kernel and initrd paths are relative to /boot/, eg. # root (hd0,0) # kernel /vmlinuz-version ro root=/dev/hdb2 # initrd /initrd-version.img #boot=/dev/hdb default=0 timeout=5 password --md5 $1$IrbRt/$k6kEGB8HK4bS8Q1TgIANu/ splashimage=(hd0,0)/grub/splash.xpm.gz hiddenmenu title CentOS (2.6.18-194.26.1.el5) lock password --md5 $1$bEcRt/$SSB74/27o5f0fnEONbjGW. root (hd0,0) kernel /vmlinuz-2.6.18-194.26.1.el5 ro root=LABEL=/ rhgb quiet initrd /initrd-2.6.18-194.26.1.el5.img title CentOS (2.6.18-194.17.4.el5) root (hd0,0) kernel /vmlinuz-2.6.18-194.17.4.el5 ro root=LABEL=/ rhgb quiet initrd /initrd-2.6.18-194.17.4.el5.img title CentOS (2.6.18-194.el5) root (hd0,0) kernel /vmlinuz-2.6.18-194.el5 ro root=LABEL=/ rhgb quiet initrd /initrd-2.6.18-194.el5.img

STEP 5. 存檔後重啟系統

STEP 6. 驗證(一)

由於GRUB 已經設定了密碼保護，需先輸入 'p'

             

                     再輸入密碼後，才能進行其他作業

                      STEP 7. 驗證(二)

                                等待讀秒完畢，進入預設開機選項

                                 由於已經設定了GRUB 密碼，無法直接進入預設開機選項 

                               需先輸入'p'，再輸入GRUB 密碼

                                 才能選取開機項目

                                由於這邊所選取的開機項目已設定個別開機選項密碼，
                                故需再輸入個別開機選項密碼才能進行後續開機作業

The GRUB Boot Loader - 設定 GRUB 密碼

The GRUB Boot Loader - 設定 GRUB 密碼

類別 : [TMLDP] [Systm Administration] [Advance]

    若要避免惡意使用者於開機期間藉由修改核心啟動參數以單人模式免密碼登入系統，可以設定GRUB 密碼保護。

    設定GRUB 密碼後，當使用者於開機期間嘗試開啟GRUB 編輯器修改GRUB 開機選單內容，例如加上其他核心啟動參數時，就必須輸入密碼才可以進行變更。


    要設定GRUB 設定檔密碼需要使用『grub-md5-crypt』命令先產生一組經  MD5 (Messag-Difest algorithm 5) 雜湊加密演算法加密的密碼字串。


    於GRUB 的設定檔(/boot/grub/grub.conf)的主要設定區中加入下列設定，

#boot=/dev/hdb default=0 timeout=5 passwd --md5 <加密密碼字串>

    若要針對個別開機選項設定密碼則除了要於個別開機選項設定區加上上述的『passwd --md5 <加密密碼字串>』外，還需要加上『lock』，

title CentOS (2.6.18-194.26.1.el5) lock passwd --md5 <加密密碼字串> root (hd0,0) kernel /vmlinuz-2.6.18-194.26.1.el5 ro root=LABEL=/ rhgb quiet initrd /initrd-2.6.18-194.26.1.el5.img

      設定GRUB 密碼(LAB)

  

同時新增多組帳號及Disk Quota limit的實驗 (四)

• LAB C :
  
  
  7. 在 /dev/hda5 啟動 Disk Quota limit。
  8. 實施Disk Quota limit 於usrer1 及 user2 兩個使用者帳號。
  9. /dev/hda5 的 soft limit 為20MB，hard limit 為 30 MB。
  10. usrer1 及 user2 兩個使用者帳號的家目錄Disk Quota limit 如下，soft limit 為10MB，hard limit 為 20 MB。

• 操作步驟 :
  
  
  STEP 1. 於/home 所在檔案系統加上usrquota、grpquota 掛載選項  
  

  [root@lab-2 /]# mount -o remount,usrquota,grpquota / [root@lab-2 /]# mount | grep hdb2 /dev/hdb2 on / type ext3 (rw,usrquota,grpquota)

STEP 2. 建立配額資料庫

[root@lab-2 ~]# quotacheck -ugvm / quotacheck: Scanning /dev/hdb2 [/] done quotacheck: Checked 15168 directories and 137285 files [root@lab-2 ~]# quotacheck -ugvm /media/hdb5/ quotacheck: Scanning /dev/hdb5 [/media/hdb5] done quotacheck: Checked 3 directories and 4 files [root@lab-2 ~]#

          ※  第一次執行時因為 / 及 /media/hdb5 目錄中均無配額資料庫檔 aquota.user、

                 aquota.group 所以會出現錯誤訊息，然後系統會自動產生配額資料庫檔

[root@lab-2 ~]# quotacheck -ugvm / quotacheck: Scanning /dev/hdb2 [/] done quotacheck: Checked 15168 directories and 137285 files [root@lab-2 ~]# quotacheck -ugvm / quotacheck: Scanning /dev/hdb2 [/] quotacheck: Cannot stat old user quota file: No such file or directory quotacheck: Cannot stat old group quota file: No such file or directory quotacheck: Cannot stat old user quota file: No such file or directory quotacheck: Cannot stat old group quota file: No such file or directory done quotacheck: Checked 15168 directories and 137283 files quotacheck: Old file not found. quotacheck: Old file not found. [root@lab-2 ~]# quotacheck -ugvm /media/hdb5/ quotacheck: Scanning /dev/hdb5 [/media/hdb5] quotacheck: Cannot stat old user quota file: No such file or directory quotacheck: Cannot stat old group quota file: No such file or directory quotacheck: Cannot stat old user quota file: No such file or directory quotacheck: Cannot stat old group quota file: No such file or directory done quotacheck: Checked 3 directories and 2 files quotacheck: Old file not found. quotacheck: Old file not found. [root@lab-2 ~]# ls -l /aquota.* /media/hdb5/aquota.* -rw------- 1 root root 8192 Dec 9 01:39 /aquota.group -rw------- 1 root root 11264 Dec 9 01:39 /aquota.user -rw------- 1 root root 6144 Dec 9 01:39 /media/hdb5/aquota.group -rw------- 1 root root 6144 Dec 9 01:39 /media/hdb5/aquota.user

STEP 3. 啟動Disk Quota

[root@lab-2 ~]# quotaon / /media/hdb5

STEP 4. 設定 user1 及 user2 的 Disk Quota limit

[root@lab-2 /]# edquota -u user1 Disk quotas for user user1 (uid 506): Filesystem blocks soft hard inodes soft hard /dev/hdb2 76 10240 20480 10 0 0 /dev/hdb5 0 30720 40960 0 0 0 [root@lab-2 /]# edquota -u user2 Disk quotas for user user2 (uid 507): Filesystem blocks soft hard inodes soft hard /dev/hdb2 76 10240 20480 10 0 0 /dev/hdb5 0 30720 40960 0 0 0

STEP 5. 變更 /media/hdb5 的目錄權限，使 user1 及 user2具檔案新增權限，並確認user1

及 user2 的家目錄權限

[root@lab-2 ~]# ls -ld /media/hdb5/ drwxr-xr-x 3 root root 1024 Dec 9 01:39 /media/hdb5/ [root@lab-2 ~]# chmod o+w /media/hdb5/ [root@lab-2 ~]# ls -ld /media/hdb5/ drwxr-xrwx 3 root root 1024 Dec 9 01:39 /media/hdb5/ [root@lab-2 /]# ls -ld /home/user1 drwx------ 3 user1 labuser 4096 Dec 6 14:40 /home/user1 [root@lab-2 /]# ls -ld /home/user2 drwx------ 3 user2 labuser 4096 Dec 6 14:39 /home/user2

STEP 6. 測試 user1 Disk Quota limit 是否生效

[user1@lab-2 ~]$ dd if=/dev/zero of=file-1 bs=1M count=11 hdb2: warning, user block quota exceeded. 11+0 records in 11+0 records out 11534336 bytes (12 MB) copied, 0.0448105 seconds, 257 MB/s [user1@lab-2 ~]$ dd if=/dev/zero of=file-2 bs=1M count=11 hdb2: write failed, user block limit reached. dd: writing `file-2': Disk quota exceeded 9+0 records in 8+0 records out 9318400 bytes (9.3 MB) copied, 0.0372815 seconds, 250 MB/s [user1@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user1-1 bs=1M count=21 21+0 records in 21+0 records out 22020096 bytes (22 MB) copied, 0.156971 seconds, 140 MB/s [user1@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user1-2 bs=1M count=11 hdb5: warning, user block quota exceeded. 11+0 records in 11+0 records out 11534336 bytes (12 MB) copied, 0.0659443 seconds, 175 MB/s [user1@lab-2 ~]$ quota Disk quotas for user user1 (uid 506): Filesystem blocks quota limit grace files quota limit grace /dev/hdb2 20480* 10240 20480 12 0 0 /dev/hdb5 32900* 30720 40960 7days 2 0 0

STEP 7. 測試 user2 Disk Quota limit 是否生效

[user2@lab-2 ~]$ dd if=/dev/zero of=file-1 bs=1M count=11 hdb2: warning, user block quota exceeded. 11+0 records in 11+0 records out 11534336 bytes (12 MB) copied, 0.0328104 seconds, 352 MB/s [user2@lab-2 ~]$ dd if=/dev/zero of=file-2 bs=1M count=11 hdb2: write failed, user block limit reached. dd: writing `file-2': Disk quota exceeded 9+0 records in 8+0 records out 9318400 bytes (9.3 MB) copied, 0.0291954 seconds, 319 MB/s [user2@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user2-1 bs=1M count=21 21+0 records in 21+0 records out 22020096 bytes (22 MB) copied, 0.101413 seconds, 217 MB/s [user2@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user2-2 bs=1M count=11 hdb5: warning, user block quota exceeded. 11+0 records in 11+0 records out 11534336 bytes (12 MB) copied, 0.0535639 seconds, 215 MB/s [user2@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user2-3 bs=1M count=11 hdb5: write failed, user block limit reached. hdb5: write failed, user block limit reached. dd: writing `/media/hdb5/file-user2-3': Disk quota exceeded 8+0 records in 7+0 records out 8216576 bytes (8.2 MB) copied, 0.0546072 seconds, 150 MB/s [user2@lab-2 ~]$ quota Disk quotas for user user2 (uid 507): Filesystem blocks quota limit grace files quota limit grace /dev/hdb2 20480* 10240 20480 12 0 0 /dev/hdb5 40958* 30720 40960 6days 3 0 0

        

      同時新增多組帳號及Disk Quota limit的實驗 (一)   

      同時新增多組帳號及Disk Quota limit的實驗 (二)

      同時新增多組帳號及Disk Quota limit的實驗 (三)

      同時新增多組帳號及Disk Quota limit的實驗 (四)

同時新增多組帳號及Disk Quota limit的實驗 (三)

• LAB B :

4. 建立 檔案系統/dev/hda5(容量100MB)。
5. /dev/hda5的檔案系統格式為 ext3。
6. 將/dev/hda5 掛載到 /media/hda5。

• 操作步驟 :

         STEP 1. 確認硬碟裝置檔檔名

[root@lab-2 ~]# fdisk -l Disk /dev/hdb: 8589 MB, 8589934592 bytes 255 heads, 63 sectors/track, 1044 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks Id System /dev/hdb1 * 1 13 104391 83 Linux /dev/hdb2 14 778 6144862+ 83 Linux /dev/hdb3 779 909 1052257+ 82 Linux swap / Solaris

STEP 2. 執行 fdisk 劃分檔案系統

[root@lab-2 ~]# fdisk /dev/hdb

STEP 3. 執行 fdisk 劃分檔案系統

[root@lab-2 ~]# fdisk /dev/hdb

STEP 4. 新增延伸分割區 /dev/hdb4

Command (m for help): p Disk /dev/hdb: 8589 MB, 8589934592 bytes 255 heads, 63 sectors/track, 1044 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks Id System /dev/hdb1 * 1 13 104391 83 Linux /dev/hdb2 14 778 6144862+ 83 Linux /dev/hdb3 779 909 1052257+ 82 Linux swap / Solaris Command (m for help): n Command action e extended p primary partition (1-4) e Selected partition 4 First cylinder (910-1044, default 910): Using default value 910 Last cylinder or +size or +sizeM or +sizeK (910-1044, default 1044): Using default value 1044 Command (m for help): p Disk /dev/hdb: 8589 MB, 8589934592 bytes 255 heads, 63 sectors/track, 1044 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks Id System /dev/hdb1 * 1 13 104391 83 Linux /dev/hdb2 14 778 6144862+ 83 Linux /dev/hdb3 779 909 1052257+ 82 Linux swap / Solaris /dev/hdb4 910 1044 1084387+ 5 Extended

STEP 5. 新增邏輯分割區 /dev/hdb5(容量 100MB)

Command (m for help): n First cylinder (910-1044, default 910): Using default value 910 Last cylinder or +size or +sizeM or +sizeK (910-1044, default 1044): +100M Command (m for help): p Disk /dev/hdb: 8589 MB, 8589934592 bytes 255 heads, 63 sectors/track, 1044 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks Id System /dev/hdb1 * 1 13 104391 83 Linux /dev/hdb2 14 778 6144862+ 83 Linux /dev/hdb3 779 909 1052257+ 82 Linux swap / Solaris /dev/hdb4 910 1044 1084387+ 5 Extended /dev/hdb5 910 922 104391 83 Linux

STEP 6. 儲存變更後的Partition Table並使用 partprobe 進行同步作業使New Partition Table 生效

(或重啟系統使New Partition Table 生效)

Command (m for help): w The partition table has been altered! Calling ioctl() to re-read partition table. WARNING: Re-reading the partition table failed with error 16: Device or resource busy. The kernel still uses the old table. The new table will be used at the next reboot. Syncing disks. You have new mail in /var/spool/mail/root [root@lab-2 ~]# partprobe

STEP 7. 將 /dev/hdb5 格式化為 ext3 檔案系統

[root@lab-2 ~]# mkfs -t ext3 /dev/hdb5 mke2fs 1.39 (29-May-2006) Filesystem label= OS type: Linux Block size=1024 (log=0) Fragment size=1024 (log=0) 26104 inodes, 104388 blocks 5219 blocks (5.00%) reserved for the super user First data block=1 Maximum filesystem blocks=67371008 13 block groups 8192 blocks per group, 8192 fragments per group 2008 inodes per group Superblock backups stored on blocks: 8193, 24577, 40961, 57345, 73729 Writing inode tables: done Creating journal (4096 blocks): done Writing superblocks and filesystem accounting information: done This filesystem will be automatically checked every 31 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override. [root@lab-2 ~]# dumpe2fs /dev/hdb5 | grep 'Filesystem features:' dumpe2fs 1.39 (29-May-2006) Filesystem features: has_journal resize_inode dir_index filetype sparse_super [root@lab-2 ~]#

STEP 8. 建立掛載點 /media/hdb5

[root@lab-2 ~]# ls -ld /media/hdb5 ls: /media/jdb5: No such file or directory [root@lab-2 ~]# mkdir /media/hdb5 [root@lab-2 ~]# ls -ld /media/hdb5 drwxr-xr-x 2 root root 4096 Dec 6 15:21 /media/hdb5

STEP 9. 將/dev/hdb5 掛載到 /media/hdb5 並確認掛載選項正確

[root@lab-2 ~]# mount -t ext3 -o usrquota,grpquota /dev/hdb5 /media/hdb5/ [root@lab-2 ~]# mount | grep hdb5 /dev/hdb5 on /media/hdb5 type ext3 (rw,usrquota,grpquota)

同時新增多組帳號及Disk Quota limit的實驗 (一)   

同時新增多組帳號及Disk Quota limit的實驗 (二)

同時新增多組帳號及Disk Quota limit的實驗 (三)

同時新增多組帳號及Disk Quota limit的實驗 (四)