vbatts/grub
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

add a new chapter about security into the tutorial.

Browse source
This commit is contained in:
okuji 2000-10-12 19:59:31 +00:00
parent 009bf82dbc
commit 9bbcd45d64
5 changed files with 225 additions and 164 deletions
Download patch file Download diff file Expand all files Collapse all files

9
ChangeLog
View file

@ -1,3 +1,12 @@
2000-10-13 OKUJI Yoshinori <okuji@gnu.org>
* docs/grub.texi: Added an entry for the new chapter "Security",
and the order of the chapters in the Tutorial Manual was
changed.
* docs/tutorial.texi (Configuration): Moved to right after the
chapter "Booting".
(Security): New chapter.
2000-10-10 OKUJI Yoshinori <okuji@gnu.org>
From Alessandro Rubini:

3
docs/grub.texi
View file

@ -98,9 +98,10 @@ Part I: The Tutorial Manual
* Naming convention:: Names of your drives in GRUB
* Installation:: Installing GRUB on your drive
* Booting:: How to boot different operating systems
* Configuration:: Writing your own configuration file
* Network:: Downloading OS images from a network
* Serial terminal:: Using GRUB via a serial line
* Configuration:: Writing your own configuration file
* Security:: Improving the security
Part II: The User Reference Manual

2
docs/stamp-vti
View file

@ -1,3 +1,3 @@
@set UPDATED 7 October 2000
@set UPDATED 13 October 2000
@set EDITION 0.5.97
@set VERSION 0.5.97

373
docs/tutorial.texi
View file

@ -632,157 +632,6 @@ grub> @kbd{boot}
@end example
@node Network
@chapter Downloading OS images from a network
Although GRUB is a disk-based boot loader, it does provide some network
support. To use the network support, you need to enable at least one
network driver in the GRUB build process. For more information please
see @file{netboot/README.netboot} in the source distribution.
@menu
* General usage of network support::
* Diskless::
@end menu
@node General usage of network support
@section How to set up your network
GRUB requires a server that will assign an IP address to the machine on
which GRUB is running, and a file server. The former is either BOOTP,
DHCP or a RARP server (RARP is deprecated, since it cannot serve much
information). For the latter, only TFTP is supported at the moment. It
is not necessary to run both the servers on one computer. How to
configure these servers is beyond the scope of this document, so please
refer to the manuals specific to those protocols/servers.
Once you have set up the servers, run @command{bootp}, @command{dhcp}
or @command{rarp} for BOOTP, DHCP or RARP, respectively. Each command
will show an assigned IP address, a netmask, an IP address for your TFTP
server and a gateway. If any of the addresses is wrong or it causes an
error, probably the configuration of your servers isn't set up properly.
Finally, download your OS images from your network. The network can be
accessed using the network drive @samp{(nd)}. Everything else is very
similar to the normal instructions (@pxref{Booting}).
Here is an example:
@example
@group
grub> @kbd{bootp}
Probing... [NE*000]
NE2000 base ...
Address: 192.168.110.23 Netmask: 255.255.255.0
Server: 192.168.110.14 Gateway: 192.168.110.1
grub> @kbd{root (nd)}
grub> @kbd{kernel /tftproot/gnumach.gz root=sd0s1}
grub> @kbd{module /tftproot/serverboot.gz}
grub> @kbd{boot}
@end group
@end example
@node Diskless
@section Booting from a network
It is sometimes very useful to boot from a network, especially, when you
use a machine which has no local disk. In this case, you need to obtain
a kind of Net Boot @sc{rom}, such as a PXE @sc{rom} or a free software
package like Etherboot. Such a Boot @sc{rom} first boots the machine,
sets up the network card installed into the machine, and downloads a
second stage boot image from the network. Then, the second image will
try to boot an operating system from the network actually.
GRUB provides two second stage images, @file{nbgrub} and
@file{pxegrub}. Those images are the same as the normal Stage 2, except
that they set up a network automatically, and try to load a
configuration file from the network, if specified. The usage is very
simple: If the machine has a PXE @sc{rom}, use @file{pxegrub}. If the
machine has a NBI loader such as Etherboot, use @file{nbgrub}. There is
no difference between them but their formats. As how to load a second
stage image you want to use should be described in the manual on your
Net Boot @sc{rom}, please refer to the manual, for more details. The
topic is beyond the scope of this documentation.
However, there is one thing specific to GRUB. Namely, how to specify a
configuration file in a BOOTP/DHCP server. For now, GRUB uses the tag
@samp{150}, to get the name of a configuration file. This below is an
example about a BOOTP configuration:
@example
@group
allhost:hd=/tmp:bf=null:\
:ds=145.71.35.1 145.71.32.1:\
:sm=255.255.254.0:\
:gw=145.71.35.1:\
:sa=145.71.35.5:
foo:ht=1:ha=63655d0334a7:ip=145.71.35.127:\
:bf=/nbgrub:\
:tc=allhost:\
:T150="/tftpboot/menu.lst.foo":
@end group
@end example
See the manual about your BOOTP/DHCP server, for more information. The
exact syntax should differ from the example, more or less.
@node Serial terminal
@chapter Using GRUB via a serial line
This chapter describes how to use the serial terminal support in GRUB.
If you have many computers or computers with no display/keyboard, it
would be very useful to control the computers with serial
communications. To connect a computer with another via a serial line,
you need to prepare a null-modem (cross) serial cable, and you may need
to have multiport serial boards, if your computer doesn't have extra
serial ports. In addition, a terminal emulator is also required, such as
minicom. Refer to a manual of your operating system, for more
information.
As for GRUB, the instruction to set up a serial terminal is quite
simple. First of all, make sure that you haven't specified the option
@option{--disable-serial} to the configure script when you built your
GRUB images. If you get them in binary form, probably they have serial
terminal support already.
Then, initialize your serial terminal after GRUB starts up. Here is an
example:
@example
@group
grub> @kbd{serial --unit=0 --speed=9600}
grub> @kbd{terminal serial}
@end group
@end example
The command @command{serial} initializes the serial unit 0 with the
speed 9600bps. The serial unit 0 is usually called @samp{COM1}, so, if
you want to use COM2, you must specify @samp{--unit=1} instead. This
command accepts many other options, so please refer to @ref{Commands},
for more details.
The command @command{terminal} chooses which type of terminal you want
to use. In that case above, the terminal will be a serial terminal, but
you can also pass @code{console} to the command, like @samp{terminal
serial console}. In this case, a terminal in which you press any key
will be selected as a GRUB terminal.
However, note that GRUB assumes that your terminal emulator is
compatible with VT100 by default. This is true for most terminal
emulators nowadays, but you should pass the option @option{--dumb} to
the command, if your terminal emulator is not VT100-compatible or
implement few VT100 escape sequences. If you specify the option, then
GRUB doesn't provide you with the menu interface, because the menu
requires several fancy features for your terminal. Instead, GRUB only
gives you the hidden menu interface and the command-line interface.
@node Configuration
@chapter Configuration
@ -954,15 +803,217 @@ and menu commands}). GRUB has several such commands, see the user
reference.
We hope that you now understand how to use the basic features of
GRUB. To learn more about GRUB, see the User Reference Manual
(@pxref{Introduction}).
GRUB. To learn more about GRUB, see the following chapters and the User
Reference Manual (@pxref{Introduction}).
Have fun!
@c FIXME: I think we should write some notes on the security here, or in
@c another chapter. Perhaps we should pick up all the user-visible
@c features in this tutorial and make the reference manual just a record
@c of the pure information. - okuji
@c
@c BTW, how many people think that this tutorial is easy to read? I
@c don't know. God knows? I don't think so. :p - okuji
@node Network
@chapter Downloading OS images from a network
Although GRUB is a disk-based boot loader, it does provide some network
support. To use the network support, you need to enable at least one
network driver in the GRUB build process. For more information please
see @file{netboot/README.netboot} in the source distribution.
@menu
* General usage of network support::
* Diskless::
@end menu
@node General usage of network support
@section How to set up your network
GRUB requires a server that will assign an IP address to the machine on
which GRUB is running, and a file server. The former is either BOOTP,
DHCP or a RARP server (RARP is deprecated, since it cannot serve much
information). For the latter, only TFTP is supported at the moment. It
is not necessary to run both the servers on one computer. How to
configure these servers is beyond the scope of this document, so please
refer to the manuals specific to those protocols/servers.
Once you have set up the servers, run @command{bootp}, @command{dhcp}
or @command{rarp} for BOOTP, DHCP or RARP, respectively. Each command
will show an assigned IP address, a netmask, an IP address for your TFTP
server and a gateway. If any of the addresses is wrong or it causes an
error, probably the configuration of your servers isn't set up properly.
Finally, download your OS images from your network. The network can be
accessed using the network drive @samp{(nd)}. Everything else is very
similar to the normal instructions (@pxref{Booting}).
Here is an example:
@example
@group
grub> @kbd{bootp}
Probing... [NE*000]
NE2000 base ...
Address: 192.168.110.23 Netmask: 255.255.255.0
Server: 192.168.110.14 Gateway: 192.168.110.1
grub> @kbd{root (nd)}
grub> @kbd{kernel /tftproot/gnumach.gz root=sd0s1}
grub> @kbd{module /tftproot/serverboot.gz}
grub> @kbd{boot}
@end group
@end example
@node Diskless
@section Booting from a network
It is sometimes very useful to boot from a network, especially, when you
use a machine which has no local disk. In this case, you need to obtain
a kind of Net Boot @sc{rom}, such as a PXE @sc{rom} or a free software
package like Etherboot. Such a Boot @sc{rom} first boots the machine,
sets up the network card installed into the machine, and downloads a
second stage boot image from the network. Then, the second image will
try to boot an operating system from the network actually.
GRUB provides two second stage images, @file{nbgrub} and
@file{pxegrub}. Those images are the same as the normal Stage 2, except
that they set up a network automatically, and try to load a
configuration file from the network, if specified. The usage is very
simple: If the machine has a PXE @sc{rom}, use @file{pxegrub}. If the
machine has a NBI loader such as Etherboot, use @file{nbgrub}. There is
no difference between them but their formats. As how to load a second
stage image you want to use should be described in the manual on your
Net Boot @sc{rom}, please refer to the manual, for more details. The
topic is beyond the scope of this documentation.
However, there is one thing specific to GRUB. Namely, how to specify a
configuration file in a BOOTP/DHCP server. For now, GRUB uses the tag
@samp{150}, to get the name of a configuration file. This below is an
example about a BOOTP configuration:
@example
@group
.allhost:hd=/tmp:bf=null:\
:ds=145.71.35.1 145.71.32.1:\
:sm=255.255.254.0:\
:gw=145.71.35.1:\
:sa=145.71.35.5:
foo:ht=1:ha=63655d0334a7:ip=145.71.35.127:\
:bf=/nbgrub:\
:tc=.allhost:\
:T150="/tftpboot/menu.lst.foo":
@end group
@end example
See the manual about your BOOTP/DHCP server, for more information. The
exact syntax should differ from the example, more or less.
@node Serial terminal
@chapter Using GRUB via a serial line
This chapter describes how to use the serial terminal support in GRUB.
If you have many computers or computers with no display/keyboard, it
would be very useful to control the computers with serial
communications. To connect a computer with another via a serial line,
you need to prepare a null-modem (cross) serial cable, and you may need
to have multiport serial boards, if your computer doesn't have extra
serial ports. In addition, a terminal emulator is also required, such as
minicom. Refer to a manual of your operating system, for more
information.
As for GRUB, the instruction to set up a serial terminal is quite
simple. First of all, make sure that you haven't specified the option
@option{--disable-serial} to the configure script when you built your
GRUB images. If you get them in binary form, probably they have serial
terminal support already.
Then, initialize your serial terminal after GRUB starts up. Here is an
example:
@example
@group
grub> @kbd{serial --unit=0 --speed=9600}
grub> @kbd{terminal serial}
@end group
@end example
The command @command{serial} initializes the serial unit 0 with the
speed 9600bps. The serial unit 0 is usually called @samp{COM1}, so, if
you want to use COM2, you must specify @samp{--unit=1} instead. This
command accepts many other options, so please refer to @ref{Commands},
for more details.
The command @command{terminal} chooses which type of terminal you want
to use. In that case above, the terminal will be a serial terminal, but
you can also pass @code{console} to the command, like @samp{terminal
serial console}. In this case, a terminal in which you press any key
will be selected as a GRUB terminal.
However, note that GRUB assumes that your terminal emulator is
compatible with VT100 by default. This is true for most terminal
emulators nowadays, but you should pass the option @option{--dumb} to
the command, if your terminal emulator is not VT100-compatible or
implement few VT100 escape sequences. If you specify the option, then
GRUB doesn't provide you with the menu interface, because the menu
requires several fancy features for your terminal. Instead, GRUB only
gives you the hidden menu interface and the command-line interface.
@node Security
@chapter Security
You may be interested in how to prevent ordinary users from doing
whatever they like, if you share your computer with other people. So
this chapter describes how to improve the security of GRUB.
One thing which could be a security hole is that the user can do too
many things with GRUB, because GRUB allows to modify its configuration
and run arbitrary commands at run-time. For example, the user can read
even @file{/etc/passwd} in the command-line interface by the command
@command{cat}. So it is necessary to disable all the interactive
operations.
Thus, GRUB provides @dfn{password} feature, so that only administrators
can start the interactive operations (i.e. editing menu entries and
entering the command-line interface). To use this feature, you need to
run the command @command{password} in your configuration file, like
this:
@example
password PASSWORD
@end example
If this is specified, GRUB disallows any interactive control, until you
press the key @key{p} and enter @samp{PASSWORD}.
Also, you can specify an optional argument to @command{password}. See
this example:
@example
password PASSWORD /boot/grub/menu-admin.lst
@end example
In this case, GRUB will load @file{/boot/grub/menu-admin.lst} as the
configuration file when you enter the valid password.
Another thing which may be dangerous is that any user can choose any
menu entry. Usually, this wouldn't be problematic, but you might want to
permit only administrators to run some of your menu entries, such as an
entry for booting an insecure OS like DOS.
The solution used by GRUB is the command @command{lock}. This command
always fails until you enter a valid password, so you can use it, like
this:
@example
@group
title Boot DOS
lock
rootnoverify (hd0,1)
makeactive
chainload +1
@end group
@end example
You should insert @command{lock} right after @command{title}, because
any user can execute commands in an entry, until GRUB encounters
@command{lock}.

2
docs/version.texi
View file

@ -1,3 +1,3 @@
@set UPDATED 7 October 2000
@set UPDATED 13 October 2000
@set EDITION 0.5.97
@set VERSION 0.5.97