RE: Re: [opensuse-factory] New Tumbleweed installation: when grub2 password set, user root and grub password asked at every boot
This is a fresh install of the latest snapshot of TW with password-protected grub and LUKS LVM. No gimmicks other than this modified or set. So this does not work, at least if the BIOS is not UEFI but an older Award BIOS. I checked and that option to allow boot if no parameters are altered is already set. I did unset it and reset it and saved. Still it asks for the password of grub2 or it will not boot.

There are two possibilities:
a) bug in grub
b) malware in the usb-firmware setting a boot parameter before starting up the system.

History behind that: I have had a very strange behavior of the keyboards of my PC. I had originally an MS keyboard on this system with the former installation, but after loading the kernel I would never have been able to input my LUKS password (if it was not with the MS keyboard used at install, e.g. a Cherry keyboard was seen and working up to when the kernel was loaded, then practically without function). That raised in me the doubt that something emulated the keyboard. Even more so because I had the very same behavior before on my notebook. On that notebook, after inserting a USB key of untrusted source, my password in a CLI for root suddenly echoed, my system was blocking and I found rpcbind listening permanently and persistently on port 111 to the www. The keyboard would not work anymore on the docking station after a kernel upgrade while the notebook keyboard did. (While the usb-key in question was used only once on the notebook w/o docking station.) That famous foreign usb-key did not mount as expected in opensuse. Actually, it did not mount at all because in secure mode, the pop-up asking root to mount it was never appearing. Hence I gave it a try with a new install from scratch by formatting all the HDD and then giving it a try. This very USB-key I did use also on my PC afterwards (because I was rightly not knowing about a potential problem with USB).

Long story short, that's all fishy to me and I would like to be sure not having "little green men".

In the light of the bad-usb story (which can apparently be programmed by whatever script kiddy), how can one check if an unwanted boot parameter has been passed to grub while booting up? Or does journalctl document such parameters somewhere?

BTW, I am also getting, while booting the system now, the following error message in my logs that I sincerely do not understand (from "journalctl -r"). AFAIK I do not have an fstab in Tumbleweed from scratch.

Oct 29 09:19:25 linux-e3dj systemd[1]: Started Reload Configuration from the Real Root.
Oct 29 09:19:25 linux-e3dj systemd[1052]: /usr/lib/systemd/system-generators/systemd-fstab-generator failed with error code 1.
Oct 29 09:19:25 linux-e3dj systemd-fstab-generator[1055]: Failed to create mount unit file /run/systemd/generator/sysroot.mount, as it already exists. Duplicate entry in /etc/fstab?

Sorry for being paranoid but to a certain extent I have reason to be. If it is just a bug in grub, I am cheerful and everybody is happy to have found one, to report and correct, right? :-) As it is, it is really annoying to have to put in the user "root" and the password of Grub every boot.
-----Original Message----- From: Andrei Borzenkov Sent: Thu. 29.10.2015 09:05
> I did set password-protected grub, but I was used to the behavior that you are asked the password only if you set supplemental boot parameter. Has this changed?
There should be "Allow to boot locked default entry without password" option.
> Why am I asked for the "user"? Isn't it expected by default that it is root?
yast-bootloader creates password for user root. But GRUB has no way to know if you want to authenticate yourself as user "root" or any other user.
-----End of Original Message-----
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Thu, Oct 29, 2015 at 12:10 PM, <stakanov@freenet.de> wrote:
> This is a fresh install of the latest snapshot of TW with password-protected grub and LUKS LVM. No gimmicks other than this modified or set. So this does not work, at least if the BIOS is not UEFI but an older Award BIOS. I checked and that option to allow boot if no parameters are altered is already set. I did unset it and reset it and saved. Still it asks for the password of grub2 or it will not boot.
https://bugzilla.opensuse.org/show_bug.cgi?id=952626
Hello,

On Thursday, 29 October 2015, stakanov@freenet.de wrote:
> This is a fresh install of the latest snapshot of TW with password-protected grub and LUKS LVM. No gimmicks other than this modified or set. So this does not work, at least if the BIOS is not UEFI but an older Award BIOS. I checked and that option to allow boot if no parameters are altered is already set. I did unset it and reset it and saved. Still it asks for the password of grub2 or it will not boot.
> There are two possibilities: a) bug in grub
> b) malware in the usb-firmware setting a boot parameter before starting up the system.
That's very unlikely - even if your "strange" USB key does or did something behind your back, I doubt it got enough permissions to permanently modify your boot parameters. Or I'm not paranoid enough ;-)
> That raised in me the doubt that something emulated the keyboard. Even more so because I had the very same behavior before on my notebook. On that notebook, after inserting a USB key of untrusted source, my password in a CLI for root suddenly echoed, my system was blocking and I found rpcbind listening permanently and persistently on port 111 to the www. The keyboard would not work anymore on the docking station after a kernel upgrade while the notebook keyboard did. (While the usb-key in question was used only once on the notebook w/o docking station.) That famous foreign usb-key did not mount as expected in opensuse. Actually, it did not mount at all because in secure mode, the pop-up asking root to mount it was never appearing. Hence I gave it a try with a new install from scratch by formatting all the HDD and then giving it a try. This very USB-key I did use also on my PC afterwards (because I was rightly not knowing about a potential problem with USB).
Do you still have the logs from plugging in that strange USB key? They would be helpful to find out if it's really malicious or "just" broken.
> Long story short, that's all fishy to me and I would like to be sure not having "little green men".
s/men/geekos/ ;-)
> In the light of the bad-usb story (which can apparently be programmed by whatever script kiddy), how can one check if an unwanted boot parameter has been passed to grub while booting up? Or does journalctl document such parameters somewhere?
Either check the parameters in grub (maybe you need to press escape to get the text and then the edit mode - the graphical mode does not display all parameters [1]), or check /proc/cmdline.
> BTW, I am also getting, while booting the system now, the following error message in my logs that I sincerely do not understand (from "journalctl -r"). AFAIK I do not have an fstab in Tumbleweed from scratch.
> Oct 29 09:19:25 linux-e3dj systemd[1]: Started Reload Configuration from the Real Root.
> Oct 29 09:19:25 linux-e3dj systemd[1052]: /usr/lib/systemd/system-generators/systemd-fstab-generator failed with error code 1.
> Oct 29 09:19:25 linux-e3dj systemd-fstab-generator[1055]: Failed to create mount unit file /run/systemd/generator/sysroot.mount, as it already exists. Duplicate entry in /etc/fstab?
IIRC this might be caused by having a root= boot parameter and a fstab entry for your root partition - search the list archives for the log message and how to solve it.

Regards,

Christian Boltz

[1] at least the good old grub1 displays only parameters after the "showopts" keyword in graphical mode

--
<tyhicks> bah, shouldn't have said that "I was done" [from #apparmor]
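
The /proc/cmdline check suggested in the reply above, as an added example (not part of the original thread and not an openSUSE tool): it lists kernel parameters that are in the running command line but on no linux line of the GRUB configuration. The sample grub.cfg, kernel version and parameters are constructed, and /boot/grub2/grub.cfg is the assumed configuration path.

```shell
#!/bin/sh
# Added example: report kernel parameters that were passed at boot but are
# not configured on any "linux" line of the GRUB configuration file.

# unexpected_params CMDLINE_FILE GRUB_CFG  -> one unexpected parameter per line
unexpected_params() {
    cmdline_file=$1
    grub_cfg=$2
    # Every argument after the kernel path on each linux/linux16/linuxefi line.
    configured=$(awk '$1 ~ /^linux(16|efi)?$/ { for (i = 3; i <= NF; i++) print $i }' "$grub_cfg")
    tr -s ' \t' '\n\n' < "$cmdline_file" | while IFS= read -r tok; do
        case $tok in
            ''|BOOT_IMAGE=*) continue ;;   # BOOT_IMAGE= is prepended by GRUB itself
        esac
        # -x whole line, -F fixed string: the parameter must match exactly.
        printf '%s\n' "$configured" | grep -qxF -e "$tok" || printf '%s\n' "$tok"
    done
}

# Constructed sample data (not taken from the thread).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/grub.cfg" <<'EOF'
menuentry 'openSUSE Tumbleweed' {
    linux /boot/vmlinuz-4.2.3-1-default root=/dev/mapper/system-root resume=/dev/system/swap quiet showopts
    initrd /boot/initrd-4.2.3-1-default
}
EOF
printf '%s\n' 'BOOT_IMAGE=/boot/vmlinuz-4.2.3-1-default root=/dev/mapper/system-root resume=/dev/system/swap quiet showopts' \
    > "$demo_dir/cmdline.clean"
printf '%s\n' 'BOOT_IMAGE=/boot/vmlinuz-4.2.3-1-default root=/dev/mapper/system-root quiet showopts systemd.unit=rescue.target' \
    > "$demo_dir/cmdline.edited"

echo "clean boot:  $(unexpected_params "$demo_dir/cmdline.clean" "$demo_dir/grub.cfg")"
echo "edited boot: $(unexpected_params "$demo_dir/cmdline.edited" "$demo_dir/grub.cfg")"

# On a real system (paths assumed for openSUSE):
#   unexpected_params /proc/cmdline /boot/grub2/grub.cfg
```

The check only reports added parameters: a removed or reordered parameter is not flagged, and a parameter that also appears in another menu entry passes.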
participants (3)
- Andrei Borzenkov
- Christian Boltz
- stakanov@freenet.de