Mailinglist Archive: opensuse-factory (1324 mails)

RE: Re: [opensuse-factory] New Tumbleweed installation: when grub2 password set, user root and grub password asked at every boot
This is a fresh install of the latest snapshot of TW with password
protected grub and Luks LVM. No gimmicks other than this modified or set.
So this does not work, at least if the BIOS is not UEFI but an older Award
BIOS. I checked and that option to allow boot if no parameters are altered is
already set. I did unset it and reset it and saved. Still it asks for the password
of grub2 or it will not boot.

There are two possibilities:
a) bug in grub

b) malware in the usb-firmware setting a boot parameter before starting up the
History behind that:
I have had very strange behavior of the keyboards of my PC. I had originally
an MS keyboard on this system with the former installation, but after loading the
kernel I would never have been able to input my luks password (if it was not with
the MS keyboard used at install, e.g. a Cherry keyboard was seen and working up
to when the kernel was loaded, then practically without function). That raised in me
the doubt that something emulated the keyboard.
Even more so because I had the very same behavior before on my notebook. On
that notebook, after inserting a USB key of untrusted source, my password in a
CLI for root suddenly echoed, my system was blocking and I found rpcbind
listening permanently and persistently on port 111 to the www. The keyboard would
not work anymore on the docking station after a kernel upgrade while the
notebook keyboard did. (While the usb-key in question was used only once on the
notebook w/o docking station.)
That famous foreign usb-key did not mount as expected in opensuse. Actually, it
did not mount at all because in secure mode, the pop-up asking root to mount it
was never appearing. Hence I gave it a try with a new install from scratch by
formatting all the HDD and then giving it a try. This very USB-key I did use
also on my PC afterwards (because I was rightly not knowing about a potential
problem with USB).

Long story short, that's all fishy to me and I would like to be sure not having
"little green men".

In the light of the bad-usb story (which can be apparently programmed by
whatever script kiddy), how can one check if an unwanted boot parameter has
been passed to grub while booting up? Or does journalctl document such
parameters somewhere?
BTW, I am also now getting the following error message while booting the system
in my logs that I sincerely do not understand: from "journalctl -r". AFAIK I do
not have an fstab in Tumbleweed from scratch.

Oct 29 09:19:25 linux-e3dj systemd[1]: Started Reload Configuration from the Real Root.
Oct 29 09:19:25 linux-e3dj systemd[1052]: /usr/lib/systemd/system-generators/systemd-fstab-generator failed with error code 1.
Oct 29 09:19:25 linux-e3dj systemd-fstab-generator[1055]: Failed to create mount unit file /run/systemd/generator/sysroot.mount, as it already exists. Duplicate entry in /etc/fstab?

Sorry for being paranoid but to a certain extent I have reason to be. If it is
just a bug in grub, I am cheerful and everybody is happy to have found one, to
report and correct, right? :-) As it is, it is really annoying to have to put
in the user "root" and the password of Grub every boot.

-----Original Message-----
From: Andrei Borzenkov
Sent: Thu 29.10.2015 09:05

I did set password-protected grub, but
I was used to the behavior that you are asked the password only
you set supplemental boot parameter. Has this changed?

There should be "Allow to boot locked default entry without password"

Why am I asked for the "user". Isn't
it expected by default that it is root?

yast-bootloader creates password for user root. But GRUB has no way
know, if you want to authenticate yourself as user "root" or any

-----End of Original Message-----
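
One way to check for an unexpected boot parameter, as an added example that is not part of the original mail: the kernel exposes the command line it was started with in /proc/cmdline (and logs it as a "Kernel command line:" message, visible with "journalctl -k -b"), so it can be compared with the linux lines in grub.cfg. The function names, the sample config and its placeholder UUID are constructed for illustration, and /boot/grub2/grub.cfg is assumed as the config path.

```python
import re

# GRUB adds BOOT_IMAGE=<kernel> itself; it is not an operator-supplied parameter.
IGNORED_PREFIXES = ("BOOT_IMAGE=",)
LINUX_LINE = re.compile(r"^\s*linux(?:16|efi)?\s+(\S+)[ \t]*(.*)$")

# Constructed sample data (placeholder UUID, not taken from the original mail).
SAMPLE_CFG = """\
menuentry 'openSUSE Tumbleweed' {
    linux /boot/vmlinuz-default root=UUID=0000-EXAMPLE ${extra_cmdline} splash=silent quiet showopts
    initrd /boot/initrd-default
}
menuentry 'openSUSE Tumbleweed (recovery mode)' {
    linux /boot/vmlinuz-default root=UUID=0000-EXAMPLE showopts nomodeset
    initrd /boot/initrd-default
}
"""
SAMPLE_CLEAN = ("BOOT_IMAGE=/boot/vmlinuz-default root=UUID=0000-EXAMPLE "
                "splash=silent quiet showopts")
SAMPLE_EDITED = SAMPLE_CLEAN + " systemd.unit=rescue.target"


def grub_entries(cfg_text):
    """Return (kernel_path, set_of_params) for every linux line in grub.cfg."""
    entries = []
    for line in cfg_text.splitlines():
        m = LINUX_LINE.match(line)
        if m:
            entries.append((m.group(1), set(m.group(2).split())))
    return entries


def unexpected_params(cmdline, cfg_text):
    """Running parameters that the closest-matching grub.cfg entry lacks."""
    running = [p for p in cmdline.split() if not p.startswith(IGNORED_PREFIXES)]
    entries = grub_entries(cfg_text)
    if not entries:
        raise ValueError("no linux lines found in grub.cfg")
    # Closest entry: the one that leaves the fewest parameters unexplained.
    best = min(entries, key=lambda e: sum(p not in e[1] for p in running))
    return [p for p in running if p not in best[1]]


if __name__ == "__main__":
    # Assumed paths; grub.cfg is usually readable by root only.
    with open("/proc/cmdline") as f:
        cmdline = f.read()
    with open("/boot/grub2/grub.cfg") as f:
        cfg = f.read()
    extra = unexpected_params(cmdline, cfg)
    print("unexpected parameters:", " ".join(extra) if extra else "none")
```

Parameters are split on whitespace, so a quoted value containing spaces would be reported in pieces; anything set through a GRUB variable such as ${extra_cmdline} is reported as unexpected and needs a manual look.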
