GRUB bootloader does not have password authentication

Bug #1552164 reported by Egor Kotko
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Fuel for OpenStack | Fix Committed | Medium | Maksim Malchuk |
Mitaka | Won't Fix | Medium | Maksim Malchuk |

Bug Description

Set a password on GRUB bootloader to prevent altering boot configuration

Steps to reproduce:
1. Reboot master node
2. Enter edit mode of GRUB entries (press e in the menu http://snag.gy/EsjwX.jpg)

Expected result: the entrance should be protected by password auth
Actual result: user gets access without auth http://snag.gy/vvdSB.jpg

Maksim Malchuk (mmalchuk) wrote :

Which password should be used for this? Where can it be managed? In the web? In the fuel-menu? Or should it be a 'standard' one and hardcoded?
A solution may be very complicated because it needs changes in separate projects like fuel-web, fuel-agent, fuel-menu and fuel-library.

Changed in fuel:
importance: Low → Wishlist
status: New → Confirmed
Egor Kotko (ykotko) wrote :

The most appropriate password will be the standard one in such a case.
Seems the fuel menu will be the normal place for managing this pass.

Alexander Gordeev (a-gordeev) wrote :

If one has any physical/IPMI access to a node, then one can do whatever he/she wants with the bootloader if the BIOS/UEFI setup isn't protected by a password too.

Protecting grub with the password is a kind of nonsense in such a case; one could load any other bootloader/OS with ease.

Therefore, without more low-level protection in advance, this grub password is next to useless.

Maksim Malchuk (mmalchuk) wrote :

Agree with Alexander, so this will confirm that this is not a bug but wishlist.

Egor Kotko (ykotko) wrote :

My point is that we should give the user a base security level; whether the user will add a password on BIOS/UEFI, or whether he will open ports in nwfilter after deployment, is all his responsibility.

Changed in fuel:
importance: Wishlist → Low
importance: Low → Medium
Maksim Malchuk (mmalchuk) wrote :

Nastya, why did you raise the importance without an explanation?

Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Maksim Malchuk (mmalchuk)
Bug Checker Bot (bug-checker) wrote : Autochecker

(This check performed automatically)
Please, make sure that bug description contains the following sections filled in with the appropriate data related to the bug you are describing:

version

For more detailed information on the contents of each of the listed sections see https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Here_is_how_you_file_a_bug

tags: added: need-info
Dmitry Pyzhov (dpyzhov)
no longer affects: fuel/newton
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-menu (master)

Fix proposed to branch: master
Review: https://review.openstack.org/358143

Changed in fuel:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-menu (master)

Reviewed: https://review.openstack.org/358143
Committed: https://git.openstack.org/cgit/openstack/fuel-menu/commit/?id=1da4d4f45c22423c8e2099d112fe1473560b0c5f
Submitter: Jenkins
Branch: master

commit 1da4d4f45c22423c8e2099d112fe1473560b0c5f
Author: Maksim Malchuk <email address hidden>
Date: Sat Aug 20 02:33:02 2016 +0300

    Add GrubPassword module to the fuelmenu

    This change adds a new GrubPassword module to the fuelmenu which can
    configure a password for editing the grub menu. The module creates the
    default /boot/grub2/user.cfg file with the hashed password only when it
    is entered interactively. For security reasons the plain password is
    never stored and the file is always overwritten with the new one
    provided.

    DocImpact
    Closes-Bug: #1552164
    Change-Id: I3bc330133dd3d71ea62a7169a84d9ad802a4a3ef
    Signed-off-by: Maksim Malchuk <email address hidden>

Changed in fuel:
status: In Progress → Fix Committed
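The behaviour the GrubPassword commit message describes, sketched as an added example (not fuel-menu's own code): derive the PBKDF2 hash in the format grub2-mkpasswd-pbkdf2 prints, and overwrite user.cfg so that only the hash reaches disk. The GRUB2_PASSWORD= key is an assumption taken from the CentOS/RHEL GRUB2 convention, and the function names are illustrative.

```python
import hashlib
import hmac
import os
import tempfile

ITERATIONS = 10000  # grub2-mkpasswd-pbkdf2 defaults: 10000 rounds,
SALT_LEN = 64       # 64-byte salt,
KEY_LEN = 64        # 64-byte derived key


def grub_pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Return 'grub.pbkdf2.sha512.<iterations>.<SALT hex>.<KEY hex>'."""
    if not password:
        raise ValueError("refusing to set an empty GRUB password")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                              salt, iterations, KEY_LEN)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (
        iterations, salt.hex().upper(), key.hex().upper())


def verify_grub_hash(password, hashed):
    """Recompute from the stored salt; compare in constant time."""
    fields = hashed.split(".")
    if len(fields) != 6 or fields[:3] != ["grub", "pbkdf2", "sha512"]:
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    salt, want = bytes.fromhex(fields[4]), bytes.fromhex(fields[5])
    got = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                              salt, int(fields[3]), len(want))
    return hmac.compare_digest(got, want)


def write_user_cfg(path, hashed):
    """Replace path atomically; only the hash is ever written to disk."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the temporary file with mode 0600.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".user.cfg.")
    try:
        with os.fdopen(fd, "w") as handle:
            # Assumed key name (CentOS/RHEL GRUB2 convention, not from the page).
            handle.write("GRUB2_PASSWORD=%s\n" % hashed)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
```

Because the temporary file is created in the same directory and renamed over the target, a reader of user.cfg sees either the old hash or the new one, never a partial write.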
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/fuel-menu 10.0.0rc1

This issue was fixed in the openstack/fuel-menu 10.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/fuel-menu 10.0.0

This issue was fixed in the openstack/fuel-menu 10.0.0 release.
