Thursday, December 9, 2010

Setting a GRUB Password (LAB)

  • Category: [TMLDP] [System Administrator] [Advance] [LAB]
  • Topic: Setting a GRUB password

  • Applicable distributions: Red Hat family distributions (RHEL, CentOS, Fedora, ...), Ubuntu
    ※ Not yet tested on other distributions

  • LAB environment: CentOS 5.5

  • To carry out this lab you need to know:
  1. How to manage the GRUB configuration file
  2. How to edit text files with the vi text editor
  3. How to use stream redirection
  • Related topics: [The GRUB Boot Loader] [Stream Redirection, Filters and Pipes] [The vi Text Editor]
  • Lab requirements:

  1. Set the GRUB password to PassWord
  2. Set the password of the default boot entry to PassWd

  • Procedure:

    STEP 1. Generate the MD5 password hashes with the grub-md5-crypt command
[root@lab-2 ~]# grub-md5-crypt >> /boot/grub/grub.conf <<EOF
> PassWord
> PassWord
> EOF
stty: standard input: Inappropriate ioctl for device
stty: standard input: Inappropriate ioctl for device
[root@lab-2 ~]# grub-md5-crypt >> /boot/grub/grub.conf <<EOF
> PassWd
> PassWd
> EOF
stty: standard input: Inappropriate ioctl for device
stty: standard input: Inappropriate ioctl for device
[root@lab-2 ~]# cat /boot/grub/grub.conf | tail -6
Password:
Retype password:
$1$IrbRt/$k6kEGB8HK4bS8Q1TgIANu/
Password:
Retype password:
$1$bEcRt/$SSB74/27o5f0fnEONbjGW.
[root@lab-2 ~]#
STEP 2. Open /boot/grub/grub.conf with vi
[root@lab-2 ~]# vi /boot/grub/grub.conf
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/hdb2
# initrd /initrd-version.img
#boot=/dev/hdb
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-194.26.1.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-194.26.1.el5 ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.18-194.26.1.el5.img
title CentOS (2.6.18-194.17.4.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-194.17.4.el5 ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.18-194.17.4.el5.img
title CentOS (2.6.18-194.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-194.el5 ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.18-194.el5.img
Password:
Retype password:
$1$IrbRt/$k6kEGB8HK4bS8Q1TgIANu/
Password:
Retype password:
$1$bEcRt/$SSB74/27o5f0fnEONbjGW.



STEP 3. Set the GRUB password to PassWord
#boot=/dev/hdb
default=0
timeout=5
password --md5 $1$IrbRt/$k6kEGB8HK4bS8Q1TgIANu/ <--- add this line
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
STEP 4. Set the password of the default boot entry to PassWd
hiddenmenu
title CentOS (2.6.18-194.26.1.el5)
lock <-- add this line and the next one
password --md5 $1$bEcRt/$SSB74/27o5f0fnEONbjGW.
root (hd0,0)
kernel /vmlinuz-2.6.18-194.26.1.el5 ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.18-194.26.1.el5.img

※ Contents of /boot/grub/grub.conf after the changes
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/hdb2
# initrd /initrd-version.img
#boot=/dev/hdb
default=0
timeout=5
password --md5 $1$IrbRt/$k6kEGB8HK4bS8Q1TgIANu/
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-194.26.1.el5)
lock
password --md5 $1$bEcRt/$SSB74/27o5f0fnEONbjGW.
root (hd0,0)
kernel /vmlinuz-2.6.18-194.26.1.el5 ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.18-194.26.1.el5.img
title CentOS (2.6.18-194.17.4.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-194.17.4.el5 ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.18-194.17.4.el5.img
title CentOS (2.6.18-194.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-194.el5 ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.18-194.el5.img
STEP 5. Save the file and reboot the system

STEP 6. Verification (1)

Because GRUB is now password-protected, you must first press 'p'

and then enter the password before any other operation is allowed

STEP 7. Verification (2)

Wait for the countdown to finish and the default boot entry to be selected

Because a GRUB password has been set, the default boot entry cannot be entered directly

You must first press 'p' and then enter the GRUB password

before a boot entry can be selected

Because the selected boot entry has its own entry password set,
that entry password must be entered as well before the boot can continue






The GRUB Boot Loader - Setting a GRUB Password

Category: [TMLDP] [System Administration] [Advance]

    To stop a malicious user from modifying the kernel boot parameters during boot and logging in to the system in single-user mode without a password, you can set a GRUB password.

    Once a GRUB password is set, when a user tries to open the GRUB editor during boot to change the boot menu, for example to add extra kernel boot parameters, the password must be entered before any change is allowed.


    To set a password in the GRUB configuration file you first use the 『grub-md5-crypt』 command to generate a password string hashed with the MD5 (Message-Digest algorithm 5) hash algorithm.


    Add the following setting to the main section of the GRUB configuration file (/boot/grub/grub.conf):
#boot=/dev/hdb
default=0
timeout=5
password --md5 <hashed password string>

    To set a password on an individual boot entry, add the same 『password --md5 <hashed password string>』 line inside that entry's section, together with 『lock』:

title CentOS (2.6.18-194.26.1.el5)
lock
password --md5 <hashed password string>
root (hd0,0)
kernel /vmlinuz-2.6.18-194.26.1.el5 ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.18-194.26.1.el5.img
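As an added example for both the lab above and this explanation (it is not code from either post), the following script audits a GRUB legacy grub.conf for the two protections described here: the global 'password --md5' line in the main section, and 'lock' plus a per-entry password line on individual boot entries. The grub.conf it reads is a constructed sample mirroring the lab's final file; the second file is a constructed configuration with no password at all.

```shell
#!/bin/sh
# Added example, not from the original post: audit a GRUB legacy grub.conf
# for a global "password --md5" line in the main section, and for "lock"
# plus a per-entry "password --md5" line on individual boot entries.
# GRUB_CONF is a constructed sample mirroring the lab's final file (hashes
# copied from the lab); NOPW_CONF is a constructed file with no password.

GRUB_CONF=$(mktemp)
cat > "$GRUB_CONF" <<'EOF'
default=0
timeout=5
password --md5 $1$IrbRt/$k6kEGB8HK4bS8Q1TgIANu/
hiddenmenu
title CentOS (2.6.18-194.26.1.el5)
lock
password --md5 $1$bEcRt/$SSB74/27o5f0fnEONbjGW.
root (hd0,0)
title CentOS (2.6.18-194.17.4.el5)
root (hd0,0)
EOF

NOPW_CONF=$(mktemp)
printf 'default=0\ntimeout=5\ntitle CentOS (2.6.18-194.el5)\nroot (hd0,0)\n' > "$NOPW_CONF"

# has_global_password FILE -> exit 0 only if a password line precedes the first title
has_global_password() {
    awk 'BEGIN { missing = 1 }
         /^title /          { exit }
         /^password --md5 / { missing = 0; exit }
         END                { exit missing }' "$1"
}

# entry_status FILE -> one line per title: "locked" (has lock and its own
# password line) or "open" (boots under the global password only), then the title
entry_status() {
    awk 'function flush() { if (title != "") { s = (lock && pw) ? "locked" : "open"; print s, title } }
         /^title /          { flush(); title = substr($0, 7); lock = 0; pw = 0; next }
         /^lock$/           { lock = 1 }
         /^password --md5 / { if (title != "") pw = 1 }
         END                { flush() }' "$1"
}

# locked_entries / open_entries FILE -> just the titles in each state
locked_entries() { entry_status "$1" | awk '$1 == "locked" { sub(/^locked /, ""); print }'; }
open_entries()   { entry_status "$1" | awk '$1 == "open"   { sub(/^open /, "");   print }'; }
```

The hashes in grub.conf are only as safe as the file's permissions: the boot loader reads it at boot, so mode 600 (root only) keeps them away from ordinary local users.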

      Setting a GRUB Password (LAB)

Lab: Creating Multiple Accounts and Disk Quota Limits at Once (4)

  • LAB C:

    7. Enable disk quota limits on /dev/hda5
    8. Apply disk quota limits to the two user accounts user1 and user2.
    9. On /dev/hda5: soft limit 20MB, hard limit 30 MB.
    10. The home directories of the two accounts user1 and user2 get the following disk quota limits: soft limit 10MB, hard limit 20 MB.
  • Procedure:

STEP 1. Add the usrquota and grpquota mount options to the file system that holds /home
[root@lab-2 /]# mount -o remount,usrquota,grpquota /
[root@lab-2 /]# mount | grep hdb2
/dev/hdb2 on / type ext3 (rw,usrquota,grpquota)

STEP 2. Create the quota database files
[root@lab-2 ~]# quotacheck -ugvm /
quotacheck: Scanning /dev/hdb2 [/] done
quotacheck: Checked 15168 directories and 137285 files
[root@lab-2 ~]# quotacheck -ugvm /media/hdb5/
quotacheck: Scanning /dev/hdb5 [/media/hdb5] done
quotacheck: Checked 3 directories and 4 files
[root@lab-2 ~]#

          ※ On the first run, because neither / nor /media/hdb5 yet contains the quota database files aquota.user
             and aquota.group, error messages appear; the system then creates the quota database files automatically
[root@lab-2 ~]# quotacheck -ugvm /
quotacheck: Scanning /dev/hdb2 [/] done
quotacheck: Checked 15168 directories and 137285 files
[root@lab-2 ~]# quotacheck -ugvm /
quotacheck: Scanning /dev/hdb2 [/] quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
done
quotacheck: Checked 15168 directories and 137283 files
quotacheck: Old file not found.
quotacheck: Old file not found.
[root@lab-2 ~]# quotacheck -ugvm /media/hdb5/
quotacheck: Scanning /dev/hdb5 [/media/hdb5] quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
done
quotacheck: Checked 3 directories and 2 files
quotacheck: Old file not found.
quotacheck: Old file not found.
[root@lab-2 ~]# ls -l /aquota.* /media/hdb5/aquota.*
-rw------- 1 root root 8192 Dec 9 01:39 /aquota.group
-rw------- 1 root root 11264 Dec 9 01:39 /aquota.user
-rw------- 1 root root 6144 Dec 9 01:39 /media/hdb5/aquota.group
-rw------- 1 root root 6144 Dec 9 01:39 /media/hdb5/aquota.user

STEP 3. Turn on disk quotas

[root@lab-2 ~]# quotaon / /media/hdb5

STEP 4. Set the disk quota limits for user1 and user2
[root@lab-2 /]# edquota -u user1
Disk quotas for user user1 (uid 506):
Filesystem blocks soft hard inodes soft hard
/dev/hdb2 76 10240 20480 10 0 0
/dev/hdb5 0 30720 40960 0 0 0
[root@lab-2 /]# edquota -u user2
Disk quotas for user user2 (uid 507):
Filesystem blocks soft hard inodes soft hard
/dev/hdb2 76 10240 20480 10 0 0
/dev/hdb5 0 30720 40960 0 0 0


STEP 5. Change the permissions on /media/hdb5 so that user1 and user2 can create files there, and confirm the
permissions on the home directories of user1 and user2
[root@lab-2 ~]# ls -ld /media/hdb5/
drwxr-xr-x 3 root root 1024 Dec 9 01:39 /media/hdb5/
[root@lab-2 ~]# chmod o+w /media/hdb5/
[root@lab-2 ~]# ls -ld /media/hdb5/
drwxr-xrwx 3 root root 1024 Dec 9 01:39 /media/hdb5/
[root@lab-2 /]# ls -ld /home/user1
drwx------ 3 user1 labuser 4096 Dec 6 14:40 /home/user1
[root@lab-2 /]# ls -ld /home/user2
drwx------ 3 user2 labuser 4096 Dec 6 14:39 /home/user2

STEP 6. Test whether the disk quota limit for user1 takes effect
[user1@lab-2 ~]$ dd if=/dev/zero of=file-1 bs=1M count=11
hdb2: warning, user block quota exceeded.
11+0 records in
11+0 records out
11534336 bytes (12 MB) copied, 0.0448105 seconds, 257 MB/s
[user1@lab-2 ~]$ dd if=/dev/zero of=file-2 bs=1M count=11
hdb2: write failed, user block limit reached.
dd: writing `file-2': Disk quota exceeded
9+0 records in
8+0 records out
9318400 bytes (9.3 MB) copied, 0.0372815 seconds, 250 MB/s

[user1@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user1-1 bs=1M count=21
21+0 records in
21+0 records out
22020096 bytes (22 MB) copied, 0.156971 seconds, 140 MB/s
[user1@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user1-2 bs=1M count=11
hdb5: warning, user block quota exceeded.
11+0 records in
11+0 records out
11534336 bytes (12 MB) copied, 0.0659443 seconds, 175 MB/s
[user1@lab-2 ~]$ quota
Disk quotas for user user1 (uid 506):
Filesystem blocks quota limit grace files quota limit grace
/dev/hdb2 20480* 10240 20480 12 0 0
/dev/hdb5 32900* 30720 40960 7days 2 0 0

STEP 7. Test whether the disk quota limit for user2 takes effect
[user2@lab-2 ~]$ dd if=/dev/zero of=file-1 bs=1M count=11
hdb2: warning, user block quota exceeded.
11+0 records in
11+0 records out
11534336 bytes (12 MB) copied, 0.0328104 seconds, 352 MB/s
[user2@lab-2 ~]$ dd if=/dev/zero of=file-2 bs=1M count=11
hdb2: write failed, user block limit reached.
dd: writing `file-2': Disk quota exceeded
9+0 records in
8+0 records out
9318400 bytes (9.3 MB) copied, 0.0291954 seconds, 319 MB/s
[user2@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user2-1 bs=1M count=21
21+0 records in
21+0 records out
22020096 bytes (22 MB) copied, 0.101413 seconds, 217 MB/s
[user2@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user2-2 bs=1M count=11
hdb5: warning, user block quota exceeded.
11+0 records in
11+0 records out
11534336 bytes (12 MB) copied, 0.0535639 seconds, 215 MB/s
[user2@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user2-3 bs=1M count=11
hdb5: write failed, user block limit reached.
hdb5: write failed, user block limit reached.
dd: writing `/media/hdb5/file-user2-3': Disk quota exceeded
8+0 records in
7+0 records out
8216576 bytes (8.2 MB) copied, 0.0546072 seconds, 150 MB/s
[user2@lab-2 ~]$ quota
Disk quotas for user user2 (uid 507):
Filesystem blocks quota limit grace files quota limit grace
/dev/hdb2 20480* 10240 20480 12 0 0
/dev/hdb5 40958* 30720 40960 6days 3 0 0
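As an added example (not code from the original post), the following script covers two things the procedure above leaves implicit: how the MB figures in the requirements map to the 1 KiB block counts edquota shows in STEP 4 (printed as equivalent setquota commands, which are assumed to exist on the lab host and are only printed here), and how to read the 'quota' output of STEP 7 to spot users who have passed their soft limit or hit the hard limit. The quota output it parses is a constructed sample built from the figures shown in STEP 7.

```shell
#!/bin/sh
# Added example, not from the original post. mb_to_blocks converts the MB
# figures in the lab requirements into the 1 KiB block counts edquota shows
# in STEP 4; quota_commands prints the equivalent non-interactive setquota
# commands (assumed available on the lab host; printed, not executed here);
# over_quota and at_hard_limit parse "quota" output in the STEP 7 layout.
# QUOTA_OUT is a constructed sample built from the figures shown in STEP 7.

mb_to_blocks() { echo $(( $1 * 1024 )); }

# quota_commands USER -> setquota lines matching the lab's edquota settings:
# 10MB/20MB on /dev/hdb2 (home), 30MB/40MB on /dev/hdb5, no inode limits
quota_commands() {
    printf 'setquota -u %s %s %s 0 0 /dev/hdb2\n' "$1" "$(mb_to_blocks 10)" "$(mb_to_blocks 20)"
    printf 'setquota -u %s %s %s 0 0 /dev/hdb5\n' "$1" "$(mb_to_blocks 30)" "$(mb_to_blocks 40)"
}

QUOTA_OUT='Disk quotas for user user2 (uid 507):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
      /dev/hdb2  20480*  10240   20480              12       0       0
      /dev/hdb5  40958*  30720   40960   6days       3       0       0'

# over_quota OUTPUT -> "device blocks limit" for each file system whose block
# usage carries the "*" marker, i.e. the soft limit has been exceeded
over_quota() {
    printf '%s\n' "$1" | awk '$1 ~ /^\/dev\// && $2 ~ /\*$/ { sub(/\*$/, "", $2); print $1, $2, $4 }'
}

# at_hard_limit OUTPUT -> devices where usage has reached the hard limit,
# the state in which the user's writes fail with "Disk quota exceeded"
at_hard_limit() {
    over_quota "$1" | awk '$2 + 0 >= $3 + 0 { print $1 }'
}
```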

Lab: Creating Multiple Accounts and Disk Quota Limits at Once (3)

  • LAB B:
    4. Create the file system /dev/hda5 (100MB)
    5. The file system type of /dev/hda5 is ext3
    6. Mount /dev/hda5 on /media/hda5
  • Procedure:
STEP 1. Confirm the disk device file name
[root@lab-2 ~]# fdisk -l

Disk /dev/hdb: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hdb1 * 1 13 104391 83 Linux
/dev/hdb2 14 778 6144862+ 83 Linux
/dev/hdb3 779 909 1052257+ 82 Linux swap / Solaris

STEP 2. Run fdisk to partition the disk
[root@lab-2 ~]# fdisk /dev/hdb

STEP 4. Add the extended partition /dev/hdb4
Command (m for help): p

Disk /dev/hdb: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hdb1 * 1 13 104391 83 Linux
/dev/hdb2 14 778 6144862+ 83 Linux
/dev/hdb3 779 909 1052257+ 82 Linux swap / Solaris

Command (m for help): n
Command action
e extended
p primary partition (1-4)
e
Selected partition 4
First cylinder (910-1044, default 910):
Using default value 910
Last cylinder or +size or +sizeM or +sizeK (910-1044, default 1044):
Using default value 1044

Command (m for help): p

Disk /dev/hdb: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hdb1 * 1 13 104391 83 Linux
/dev/hdb2 14 778 6144862+ 83 Linux
/dev/hdb3 779 909 1052257+ 82 Linux swap / Solaris
/dev/hdb4 910 1044 1084387+ 5 Extended

STEP 5. Add the logical partition /dev/hdb5 (100MB)
Command (m for help): n
First cylinder (910-1044, default 910):
Using default value 910
Last cylinder or +size or +sizeM or +sizeK (910-1044, default 1044): +100M

Command (m for help): p

Disk /dev/hdb: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hdb1 * 1 13 104391 83 Linux
/dev/hdb2 14 778 6144862+ 83 Linux
/dev/hdb3 779 909 1052257+ 82 Linux swap / Solaris
/dev/hdb4 910 1044 1084387+ 5 Extended
/dev/hdb5 910 922 104391 83 Linux
STEP 6. Write the changed partition table and run partprobe to re-read it so the new partition table takes effect
(or reboot the system so the new partition table takes effect)
Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.
Syncing disks.
You have new mail in /var/spool/mail/root
[root@lab-2 ~]# partprobe

STEP 7. Format /dev/hdb5 as an ext3 file system
[root@lab-2 ~]# mkfs -t ext3 /dev/hdb5
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
26104 inodes, 104388 blocks
5219 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
13 block groups
8192 blocks per group, 8192 fragments per group
2008 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
[root@lab-2 ~]# dumpe2fs /dev/hdb5 | grep 'Filesystem features:'
dumpe2fs 1.39 (29-May-2006)
Filesystem features: has_journal resize_inode dir_index filetype sparse_super
[root@lab-2 ~]#

STEP 8. Create the mount point /media/hdb5
[root@lab-2 ~]# ls -ld /media/hdb5
ls: /media/jdb5: No such file or directory
[root@lab-2 ~]# mkdir /media/hdb5
[root@lab-2 ~]# ls -ld /media/hdb5
drwxr-xr-x 2 root root 4096 Dec 6 15:21 /media/hdb5

STEP 9. Mount /dev/hdb5 on /media/hdb5 and confirm the mount options are correct
[root@lab-2 ~]# mount -t ext3 -o usrquota,grpquota /dev/hdb5 /media/hdb5/
[root@lab-2 ~]# mount | grep hdb5
/dev/hdb5 on /media/hdb5 type ext3 (rw,usrquota,grpquota)
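As an added example (not code from the original post), the following script checks the two results this lab and the quota lab's STEP 1 and STEP 9 depend on, using nothing but the text output of 'fdisk -l' and 'mount': that /dev/hdb5 is a Linux partition of roughly 100MB inside the extended partition, and that a mount point carries the usrquota and grpquota options. FDISK_OUT and MOUNT_OUT are constructed samples: the partition lines from STEP 5 above, and the mounts from STEP 9 plus a constructed root mount that has not yet been remounted with the quota options.

```shell
#!/bin/sh
# Added example, not from the original post: verify the results of this lab
# (and of STEP 1 and STEP 9 of the quota lab) from the text output of
# fdisk -l and mount. FDISK_OUT and MOUNT_OUT are constructed samples: the
# partition lines from STEP 5, and the mounts from STEP 9 plus a constructed
# root mount that has not yet been remounted with the quota options.

FDISK_OUT='/dev/hdb1 * 1 13 104391 83 Linux
/dev/hdb4 910 1044 1084387+ 5 Extended
/dev/hdb5 910 922 104391 83 Linux'

MOUNT_OUT='/dev/hdb2 on / type ext3 (rw)
/dev/hdb5 on /media/hdb5 type ext3 (rw,usrquota,grpquota)'

# partition_blocks DEVICE -> the 1 KiB "Blocks" figure fdisk -l prints for DEVICE.
# A bootable partition has an extra "*" column, and fdisk appends "+" when the
# size is not a whole number of blocks; both are handled.
partition_blocks() {
    printf '%s\n' "$FDISK_OUT" | awk -v dev="$1" '$1 == dev {
        b = ($2 == "*") ? $5 : $4; sub(/\+$/, "", b); print b; exit }'
}

# partition_mib DEVICE -> size in MiB, rounded down (the lab asked for "100MB")
partition_mib() { echo $(( $(partition_blocks "$1") / 1024 )); }

# partition_type DEVICE -> the "System" column, e.g. Extended or Linux
partition_type() {
    printf '%s\n' "$FDISK_OUT" | awk -v dev="$1" '$1 == dev { print $NF; exit }'
}

# mount_opts MOUNTPOINT -> the comma-separated option list, parentheses stripped
mount_opts() {
    printf '%s\n' "$MOUNT_OUT" | awk -v mp="$1" '$3 == mp { gsub(/[()]/, "", $6); print $6; exit }'
}

# missing_quota_opts MOUNTPOINT -> each of usrquota/grpquota not present on the mount
missing_quota_opts() {
    for opt in usrquota grpquota; do
        case ",$(mount_opts "$1")," in
            *",$opt,"*) ;;
            *) echo "$opt" ;;
        esac
    done
}
```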