Mandrake 9.2 secure boot ends with black screen
I just installed Mandrake 9.2 on a PIII-450 system. This is my first Linux install, but I am a developer, so I know some things about Unix (albeit more from a user than an admin perspective). First of all, I am setting this machine up to be a web server, to host some sites I have under development. The install went fine. I did pick some non-default things, since I am a customize freak. I made sure to install Apache2, and set the Apache service up to run at start-up. Perhaps this was premature, since I do not have any web app configured to run under it... Anyway, the system will not boot up in "linux-secure", which is the lilo default. The console startup goes to a blank black screen right after xinetd loads/configures... the X window environment does not appear. I have to CTRL-ALT-DEL to reboot to get out of this state. When I choose "linux" in lilo, the system boots to the X desktop and everything seems fine. I guess my first question is: what is the difference between the "linux-secure" and "linux" options? Then, of course, does anyone know why I get the black screen with linux-secure? Thanks a million... Trevor
I went through the same thing. Fortunately, I was installing a firewall, so I changed /etc/inittab to go to level 3 and avoid X11 ;) Will be interested in some expert explanations as well :)
So, all you did was reinstall with the internet firewall package included, and linux-secure booted OK? Or did you just remove X windows from the installation to make it work... that's probably all I need is cmd line - I can telnet or ssh to this box from my pc to start and stop Apache and Tomcat, etc... Thanks, Trevor
I installed the secured version with firewall, yes.
If you can ssh to the box, do as I did: edit your /etc/inittab file and change the default from 5 to 3 to start without X11. If you run it as a server, you won't need X11. I would be interested in some explanations on the "X11 with linux-secure" problem; I've not investigated much, to be honest.
Answer.. but no fix yet...
The reason it does this is something to do with GRSecurity (www.grsecurity.net). I found this out by running startx and then looking in the log files (/var/log/messages), which said Kernel PaX had terminated this process.. A short search of Google with the words XFree and PaX quickly turned up the culprit.
From what I've read this program is a hacker prevention tool.. If a hacker gains access to your system as root, they still don't have complete access to your system.. The way I see it you need to configure your server in XFree in linux (not linux-secure) mode.. and then reboot into linux-secure mode. This will stop hackers tampering with your now locked down server.. only catch is that now you can't run X.. which for me at least is kind of frustrating since I use my server as a desktop occasionally too.. Don't have a solution for this one yet?? Can anyone post a simple fix for this?? (i.e., run linux-secure mode, run XFree and still have it be secure)?? Thanks, Jesse
another solution
You don't need to ssh into your server to change from 5 to 3.. just hit Ctrl-Alt-F1 and you'll switch to the command prompt.. log in and you'll be at a terminal (remember that you can't log in as root if you have a high security level).. then after you've logged in as a user with su privileges, switch to root by typing 'su -l', type in the root passwd and voilà! You're now root...
THE ANSWER!! EUREKA!!
After 5 hours!! Agghhh .. Finally.. the answer
If you set Linux Mandrake to use the higher security install, it installs PaX protection by default. To run the item below you need to have installed the developers packages. 10 - Now if you have chosen PaX protection, you should head over to http://pageexec.virtualave.net/ and you should download the chpax.c utility. Compile this by doing: `gcc -o chpax chpax.c` and make sure your XFree86 binary has page_exec turned off - else your system will hang when trying to boot into X windows! To do this type: `./chpax -p /usr/X11R6/bin/XFree86` and you should be all set. Should now boot into X with Linux Secure mode.. But remember you just made your Linux server slightly easier to hack.. But who cares!! I'm not the government.... Jesse Vaughan. Let me know if this worked..
Thanks for the help
Thanks folks!
I will give this a try this week when I have time set aside to play with my server again... Thanks again - I'll post a reply once I have tried the steps suggested above... Trevor
I just followed the steps recommended by anubus21.
First, I could not execute the chpax command while running X. It gave me an error like "text file in use". So I rebooted into 'failsafe' mode and then executed `./chpax -p /usr/X11R6/bin/XFree86` as root. It gave no error. Then I rebooted and chose linux-secure. I again came to the blank screen, but was prompted to login (in text mode) once I hit a key. I can log in, but I was expecting X to boot as it does when just running the linux boot option. Is this the expected behavior? I cannot SSH to the box and if I type 'startx', it goes back to the blank screen of death... Has anyone else gotten this to work?
Correction
I tried this again tonight, and it does work! I boot into failsafe, login as root, run the chpax command, then exit. When I exit, the X environment loads and runs. I checked the configuration tool and saw that I was indeed at "Higher" security level (just below paranoid). However, the effects of chpax are only good for that one login session. When I logout and reboot into linux-secure, I am faced with the blank screen again. Hmmm... When I used HP-UX at work a few years back, I could modify a .login file to perform certain actions upon login. There must be a system start-up file that the chpax command can be placed into that will run when linux-secure is booted. I will go digging for info on this (I am sure it is simple to do, once you know where to do it). If anyone else knows a solution, please post! Thanks - we are almost there!
wait..
Try `./chpax -sp /usr/X11R6/bin/XFree86`. I just tried it and it fixed it... let me know if it works.. you need to turn off two things, not just 1.
IT WORKS!
Hey Jesse!
That second command you gave did work - permanently! I can boot into linux-secure every time now with X windows! In short, it works! Thanks for your help. Now I am on to setting up Apache and Tomcat for some web sites! Regards, Trevor
one more thing
Trevor, one more thing...
If you go to update your packages (in the Mandrake updater) I noticed that it resets the permissions on XFree so you can't get into it again.. you just need to run the chpax -ps command again on XFree86 to fix it..
Thanks... So, is there any other site besides www.grsecurity.net that I should look at? So far this higher level of security has just been a pain to deal with. I had to play with /etc/hosts etc., to allow an incoming SSH connection to my linux server. Now I have installed Java, but the secure settings evidently don't allow Java to run! If I invoke java -version, all I get is "Killed" in response. When I boot up in standard linux (lower security), it works fine...
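Added example, not part of any post in this thread: the posts above found the cause of the blank screen by reading /var/log/messages for PaX terminations, and the same check applies to the "Killed" Java process. The sketch below counts terminations per binary; the `PAX: terminating task:` line format and every value in the sample log (hostname, PIDs, addresses, the Java path) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize which binaries PaX terminated, most frequent first.
# ASSUMPTION: the kernel logs lines of the form
#   "PAX: terminating task: /path/to/binary(name):PID, ..."
# Adjust the pattern if your kernel words the message differently.

pax_killed_binaries() {
    # Reads syslog text on stdin, prints "<count> <binary path>" per binary.
    awk '
        /PAX: terminating task: / {
            s = $0
            sub(/.*PAX: terminating task: /, "", s)  # drop the syslog prefix
            sub(/\(.*/, "", s)                       # keep the path before "(name):pid"
            count[s]++
        }
        END { for (b in count) print count[b], b }
    ' | sort -k1,1nr -k2
}

# Constructed sample log (not taken from the thread).
sample_log() {
    cat <<'EOF'
Dec  1 20:14:02 server xinetd[812]: Started working: 3 available services
Dec  1 20:14:09 server kernel: PAX: terminating task: /usr/X11R6/bin/XFree86(XFree86):1043, uid/euid: 0/0, EIP: 40012345, ESP: BFFFF000
Dec  1 20:20:31 server kernel: PAX: terminating task: /usr/X11R6/bin/XFree86(XFree86):1102, uid/euid: 0/0, EIP: 40012345, ESP: BFFFF000
Dec  1 21:02:47 server kernel: PAX: terminating task: /usr/java/bin/java(java):1310, uid/euid: 500/500, EIP: 40034567, ESP: BFFFE000
Dec  1 21:05:00 server sshd[1400]: Accepted password for trevor from 192.0.2.10 port 1025
EOF
}

# With a file argument, scan that log; otherwise run on the constructed sample.
if [ $# -gt 0 ]; then
    pax_killed_binaries < "$1"
else
    sample_log | pax_killed_binaries
fi
```

Each binary listed is one that currently needs either a PaX flag exception or a lower security level to run, so the list also shows how many exceptions the box has accumulated.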
ulimit is useful
Occasionally I got errors that were fixed by a command called ulimit. Run man ulimit to see more on this.. but it gets rid of fsize errors and things...