[Bug 821387] New: grub2 always asks for a password not only if I try to edit config when booting

https://bugzilla.novell.com/show_bug.cgi?id=821387
https://bugzilla.novell.com/show_bug.cgi?id=821387#c0

Summary: grub2 always asks for a password not only if I try to edit config when booting
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: x86-64
OS/Version: openSUSE 12.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: Bootloader
AssignedTo: jsrain@suse.com
ReportedBy: krienke@uni-koblenz.de
QAContact: jsrain@suse.com
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0

I tried to protect grub2 by a password so that when booting no one can modify the boot settings I configured; however, the system should be able to boot any of the listed systems without asking for a password. The problem now is that grub2 always asks for user and password, and booting a grub menu entry offered is only possible if you know the user and password. So what I would like to achieve is the equivalent of

password --md5 <password>

in grub1.

To configure password protection in grub2 I edited /etc/grub.d/40_custom and added:

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.3C6BB .....

Now I can only boot linux (or any other system) if I enter the configured user and password, although the system should only ask me for a password if I try to edit the grub config by pressing "e". So at the moment there is no way to allow anyone to boot a system but prevent him from editing the grub2 boot menu config.

Reproducible: Always

Steps to Reproduce:
1. Edit /etc/grub.d/40_custom like described above
2. run grub2-mkconfig -o /boot/grub2/grub.cfg
3. boot the system

Actual Results:
grub2 always asks for a user and password; without both you can no longer boot. Entering the user "root" and the configured password, the system boots fine.

Expected Results:
grub2 should only request user and password if someone tries to edit the boot config by pressing "e" in the grub2 boot menu.
-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=821387#c

Jiri Srain <jsrain@suse.com> changed:

What        |Removed          |Added
----------------------------------------------------------------------------
AssignedTo  |jsrain@suse.com  |mchang@suse.com

https://bugzilla.novell.com/show_bug.cgi?id=821387#c1

--- Comment #1 from Michael Chang <mchang@suse.com> 2013-05-27 05:06:05 UTC ---
I think the result is intended. What you're requesting is parallel to measured boot, but that's not possible to get generically supported imho (unless the platform offers means such as tamper-free storage like TPM PCR registers which hashes could be measured into).

https://bugzilla.novell.com/show_bug.cgi?id=821387#c2

--- Comment #2 from Rainer Krienke <krienke@uni-koblenz.de> 2013-05-27 06:12:39 UTC ---
It should be no problem at all for all those machines where grub legacy has already been working this way for years.

https://bugzilla.novell.com/show_bug.cgi?id=821387#c3

--- Comment #3 from Michael Chang <mchang@suse.com> 2013-05-27 09:22:18 UTC ---
You need to specify --unrestricted on your menuentry to achieve a similar experience to grub. See http://www.gnu.org/software/grub/manual/grub.html#Security

https://bugzilla.novell.com/show_bug.cgi?id=821387#c4

--- Comment #4 from Rainer Krienke <krienke@uni-koblenz.de> 2013-05-27 13:00:32 UTC ---
Thanks for the hint. I manually edited /boot/grub2/grub.cfg to add --unrestricted to each menu entry line (editing the provided 10_linux script for this purpose seemed not to be an easy way). The 40_custom script still contains the password settings.

After a reboot I am now no longer being asked for a user/password, but on the other hand I also do *not* see the boot menu. Instead the system instantly boots the default boot entry. I tried to type "ESC", "c", "e" when grub starts but this did not change anything.

Is this the way it should be? Still I do not have a behavior similar to grub1 using "password --md5 <password>".

https://bugzilla.novell.com/show_bug.cgi?id=821387#c5

--- Comment #5 from Michael Chang <mchang@suse.com> 2013-05-28 05:51:29 UTC ---
(In reply to comment #4)
> Thanks for the hint. I manually edited /boot/grub2/grub.cfg to add --unrestricted to each menu entry line (editing the provided 10_linux script for this purpose seemed not to be an easy way).
> 40_custom script still contains the password settings.
> After a reboot I am now no longer being asked for a user/password, but on the other hand I also do *not* see the boot menu. Instead the system instantly boots the default boot entry. I tried to type "ESC", "c", "e" when grub starts but this did not change anything.

I also tried, and it works pretty well for me. I had the boot menu, and when attempting to edit boot entries or entering command line mode it asked me for user name and password. But it did not when I booted the entries.

> Is this the way it should be? Still I do not have a behavior similar to grub1 using "password --md5 <password>".

No. Probably your config file is broken somehow? Run this to check.

$ grub2-script-check /boot/grub2/grub.cfg

Or attach your config here to reference.

https://bugzilla.novell.com/show_bug.cgi?id=821387#c6

--- Comment #6 from Rainer Krienke <krienke@uni-koblenz.de> 2013-05-28 06:30:25 UTC ---
Created an attachment (id=541455) --> (http://bugzilla.novell.com/attachment.cgi?id=541455)
/boot/grub2/grub.cfg

Default file generated on openSuSE12.3 by grub2-mkconfig -o /boot/grub2/grub.cfg. Manually added --unrestricted for menuentries.

https://bugzilla.novell.com/show_bug.cgi?id=821387#c7

--- Comment #7 from Rainer Krienke <krienke@uni-koblenz.de> 2013-05-28 06:32:17 UTC ---
Created an attachment (id=541456) --> (http://bugzilla.novell.com/attachment.cgi?id=541456)
/etc/grub.d/40_custom

40_custom file with superuser and password_pbkdf2 directives added

https://bugzilla.novell.com/show_bug.cgi?id=821387#c8

--- Comment #8 from Rainer Krienke <krienke@uni-koblenz.de> 2013-05-28 06:36:32 UTC ---
I ran grub2-script-check /boot/grub2/grub.cfg but the check did not output anything. So I added the main config files as an attachment to this bug report:

/boot/grub2/grub.cfg
/etc/grub.d/40_custom

grub.cfg is the default file generated by grub2-mkconfig -o /boot/grub2/grub.cfg from the scripts in /etc/grub.d/ provided by openSuSE 12.3. 40_custom is the file I edited to insert set superuser and password_pbkdf2 directives.

https://bugzilla.novell.com/show_bug.cgi?id=821387#c9

--- Comment #9 from Michael Chang <mchang@suse.com> 2013-05-28 09:38:04 UTC ---
(In reply to comment #8)
> I ran grub2-script-check /boot/grub2/grub.cfg but the check did not output anything.

That means the syntax check passed; it is not broken indeed.

> So I added the main config files as an attachment to this bug report:
> /boot/grub2/grub.cfg /etc/grub.d/40_custom
> grub.cfg is the default file generated by grub2-mkconfig -o /boot/grub2/grub.cfg from the scripts in /etc/grub.d/ provided by openSuSE 12.3. 40_custom is the file I edited to insert set superuser and password_pbkdf2 directives.

Could you please check your timeout settings? The resulting behavior is expected from your config. You may have your /etc/default/grub:GRUB_TIMEOUT setting at zero? In your config:

if [ x${boot_once} = xtrue ]; then
  set timeout=0
elif sleep --interruptible 0 ; then
  set timeout=0
fi

It should look like below for a menu with 8 sec timeout.

if [ x${boot_once} = xtrue ]; then
  set timeout=0
elif sleep --interruptible 0 ; then
  set timeout=8
fi

https://bugzilla.novell.com/show_bug.cgi?id=821387#c10

--- Comment #10 from Rainer Krienke <krienke@uni-koblenz.de> 2013-06-04 02:29:56 UTC ---
timeout was actually set to 0 in /etc/default/grub. I set it to a bigger value, and now it works. Thanks for your help.
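
The two misconfigurations this thread walks through (menu entries without --unrestricted in comment #3, and a generated timeout of 0 in comment #9) are both visible in the generated grub.cfg, so they can be checked after every grub2-mkconfig run. The POSIX shell audit below is an added example and is not part of the bug report or of openSUSE's grub2 tooling. The two sample configs it writes are constructed for the example, the PBKDF2 hash in them is a placeholder rather than real grub2-mkpasswd-pbkdf2 output, and the menuentry match is a plain regex that ignores submenu blocks.

```shell
#!/bin/sh
# Added example, not from the bug report or from openSUSE's grub2 scripts:
# audit a generated grub.cfg for the two problems this thread runs into.
#   1. `set superusers` / password_pbkdf2 are active but menu entries lack
#      --unrestricted, so a login is demanded just to boot (comment #3).
#   2. The generated timeout is 0, so the menu is never shown and "e"/"c"
#      cannot be reached (comment #9).
# The sample configs are constructed for this example; the hash is a
# placeholder. The menuentry regex does not look inside submenu blocks.

# Print every menuentry line that does not carry --unrestricted.
grub_locked_entries() {
    grep -E '^[[:space:]]*menuentry[[:space:]]' "$1" | grep -v -e '--unrestricted' || true
}

# Succeed only if both a superuser list and a PBKDF2 hash are configured.
grub_has_superuser() {
    grep -qE '^[[:space:]]*set[[:space:]]+superusers=' "$1" &&
        grep -qE '^[[:space:]]*password_pbkdf2[[:space:]]' "$1"
}

# Print the largest `set timeout=N` in the file, or 0 if none is set.
# GRUB_TIMEOUT=0 in /etc/default/grub puts timeout=0 in every branch.
grub_max_timeout() {
    max=$(grep -oE 'set[[:space:]]+timeout=[0-9]+' "$1" | sed 's/.*=//' | sort -n | tail -n 1)
    echo "${max:-0}"
}

# Verdict: return 0 when editing needs a password, booting does not, and
# the menu is displayed; otherwise print each finding and return 1.
audit_grub_cfg() {
    cfg=$1
    rc=0
    if ! grub_has_superuser "$cfg"; then
        echo "no superusers/password_pbkdf2: the menu is not password protected"
        rc=1
    fi
    locked=$(grub_locked_entries "$cfg")
    if [ -n "$locked" ]; then
        echo "entries that require a login just to boot (add --unrestricted):"
        echo "$locked"
        rc=1
    fi
    if [ "$(grub_max_timeout "$cfg")" -eq 0 ]; then
        echo "timeout is 0: the menu is never shown, so 'e' and 'c' are unreachable"
        rc=1
    fi
    return $rc
}

# Write two constructed configs into directory $1. broken.cfg mirrors the
# reporter's state: password set, no --unrestricted, timeout block from
# comment #9 with GRUB_TIMEOUT=0. fixed.cfg carries both corrections.
write_sample_configs() {
    cat > "$1/broken.cfg" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
if [ x${boot_once} = xtrue ]; then
  set timeout=0
elif sleep --interruptible 0 ; then
  set timeout=0
fi
menuentry 'openSUSE 12.3' --class opensuse {
  linux /boot/vmlinuz root=/dev/sda2
}
menuentry 'openSUSE 12.3 (recovery mode)' --class opensuse {
  linux /boot/vmlinuz root=/dev/sda2 single
}
EOF
    cat > "$1/fixed.cfg" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
if [ x${boot_once} = xtrue ]; then
  set timeout=0
elif sleep --interruptible 0 ; then
  set timeout=8
fi
menuentry 'openSUSE 12.3' --class opensuse --unrestricted {
  linux /boot/vmlinuz root=/dev/sda2
}
menuentry 'openSUSE 12.3 (recovery mode)' --class opensuse --unrestricted {
  linux /boot/vmlinuz root=/dev/sda2 single
}
EOF
}

# Usage: sh grub-audit.sh /boot/grub2/grub.cfg
if [ -n "${1:-}" ]; then
    audit_grub_cfg "$1" && echo "ok: $1 protects editing without locking the boot"
fi
```

Run it against the freshly generated /boot/grub2/grub.cfg after each grub2-mkconfig, since hand edits to grub.cfg such as those in comment #4 are overwritten by the next run; the audit turns the "no menu, no password prompt" symptom from comment #4 into a concrete finding (timeout 0) instead of a guess.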

https://bugzilla.novell.com/show_bug.cgi?id=821387#c11

Michael Chang <mchang@suse.com> changed:

What        |Removed  |Added
----------------------------------------------------------------------------
Status      |NEW      |RESOLVED
Resolution  |         |FEATURE

--- Comment #11 from Michael Chang <mchang@suse.com> 2013-06-04 21:21:18 UTC ---
I set it to resolved feature, and thanks for confirming it.