Grub authentication is not applied on Fedora 26 and Ubuntu 16.04 (at least)

Bug #1735709 reported by Huygens
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Undecided
Assigned to: Markos Chandras

Bug Description

I am deploying the openstack-ansible role to several hosts running either Fedora 26 or Ubuntu 16.04. I'm using the "pike" branch.

The role is really great and does a lot of cool stuff, and it helped me a lot. So I'm very grateful for it.

However, I might have managed to find a bug with respect to Grub authentication (task named "Set a GRUB 2 password for single-user/maintenance modes"). I have activated that task by setting the following variables:

security_enable_grub_update: yes
security_require_grub_authentication: yes
security_grub_password_hash: '{{ security.grub_auth }}'

When running the playbook, I can see the change being applied (marked [Changed]) and the handler to update grub configuration is triggered.

I can see on both Fedora and Ubuntu that the file /etc/default/grub is being changed, but I can still edit the Grub menu and I do not see any relevant changes inside the /boot/grub/*.cfg files.

Actually it seems that Fedora has a variable named GRUB2_PASSWORD, but even renaming the variable to this did not help (of course I regenerated the grub files using /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg).

Perhaps this problem applies to more than just Fedora 26 and Ubuntu 16.04 targets, but I haven't tested.

Revision history for this message
Major Hayden (rackerhacker) wrote :

Thanks for the report!

So it seems that the configuration is being placed appropriately, but the grub bootloader seems to be unchanged? I'm wondering if there's an extra step that needs to be completed that is being missed.

Were you able to enable grub authentication via manual methods after running the playbook?

Changed in openstack-ansible:
assignee: nobody → Major Hayden (rackerhacker)
Revision history for this message
Huygens (huygens-25) wrote :

Hi,

I can effectively see the change defined in the Ansible task file being performed successfully. But applying that change did not have an effect on the Grub configuration.

I haven't had the time yet to see which steps are needed to enable grub authentication. But when I quickly looked at the documentation from both Fedora and Ubuntu, the current step which adds the GRUB_PASSWORD environment variable to /etc/default/grub was not part of that documentation. I hope to find some time this week.

Revision history for this message
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

Is there any update from any side here?

Changed in openstack-ansible:
status: New → Incomplete
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (master)

Fix proposed to branch: master
Review: https://review.openstack.org/527682

Changed in openstack-ansible:
assignee: Major Hayden (rackerhacker) → Markos Chandras (hwoarang)
status: Incomplete → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (master)

Reviewed: https://review.openstack.org/527682
Committed: https://git.openstack.org/cgit/openstack/ansible-hardening/commit/?id=a0810a9ca1d568c052d75b91b65159e21b764789
Submitter: Zuul
Branch: master

commit a0810a9ca1d568c052d75b91b65159e21b764789
Author: Markos Chandras <email address hidden>
Date: Wed Dec 13 12:23:56 2017 +0000

    tasks: auth: Use standard Grub2 authentication mechanism

    GRUB_PASSWORD is not understood by vanilla grub2 installations. As such,
    we can use the recommended method by setting the superusers
    environment variable and using the password_pbkdf2 command

    Change-Id: I07df3decf5e70b85a7dc48b8a8d1ca86e8878d09
    Link: https://www.gnu.org/software/grub/manual/grub/grub.html#Security
    Closes-Bug: 1735709

Changed in openstack-ansible:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/528307

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (stable/pike)

Reviewed: https://review.openstack.org/528307
Committed: https://git.openstack.org/cgit/openstack/ansible-hardening/commit/?id=af8774dd93584436a596fde4819b8d9f0395e185
Submitter: Zuul
Branch: stable/pike

commit af8774dd93584436a596fde4819b8d9f0395e185
Author: Markos Chandras <email address hidden>
Date: Wed Dec 13 12:23:56 2017 +0000

    tasks: auth: Use standard Grub2 authentication mechanism

    GRUB_PASSWORD is not understood by vanilla grub2 installations. As such,
    we can use the recommended method by setting the superusers
    environment variable and using the password_pbkdf2 command

    Change-Id: I07df3decf5e70b85a7dc48b8a8d1ca86e8878d09
    Link: https://www.gnu.org/software/grub/manual/grub/grub.html#Security
    Closes-Bug: 1735709
    (cherry picked from commit a0810a9ca1d568c052d75b91b65159e21b764789)

tags: added: in-stable-pike
Revision history for this message
Huygens (huygens-25) wrote :

I would say this bug is partially fixed (or maybe it's a "side effect" and I need to open a new bug).

But first of all many many thanks for solving this problem :-) this is very much appreciated!

So the correction is perfectly working (as far as I can tell) on Fedora 26. When using it on a Fedora 26 target, the bootloader is protected from being modified (when editing an entry, one is asked for the password) and the boot is not blocked by asking for a password. Great!

However, the behaviour of this correction is different on Ubuntu. On our Ubuntu 16.04.3 system the credentials are applied to the editing and also to the booting of the machine. So this night our server rebooted (planned) but did not come back after, because it was waiting at the bootloader for us to enter the credentials. We quickly reverted the change for Ubuntu. But it is slightly unexpected that the behaviour is so different.

Shall I create a new issue or consider this issue implementation as partly done?

Revision history for this message
Markos Chandras (hwoarang) wrote :

No need to open a new bug report. I will look into the Ubuntu failure. Thank you for letting us know

Revision history for this message
Markos Chandras (hwoarang) wrote :

So fedora is using this patch http://pkgs.fedoraproject.org/cgit/rpms/grub2.git/tree/0109-Don-t-require-a-password-to-boot-entries-generated-b.patch to be able to boot the system without a password. I am going to modify our playbooks to do the same thing for all distros.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (master)

Fix proposed to branch: master
Review: https://review.openstack.org/532574

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (master)

Reviewed: https://review.openstack.org/532574
Committed: https://git.openstack.org/cgit/openstack/ansible-hardening/commit/?id=65dce4045a75e4a8533b51ffb2d47e4dcd9114a1
Submitter: Zuul
Branch: master

commit 65dce4045a75e4a8533b51ffb2d47e4dcd9114a1
Author: Markos Chandras <email address hidden>
Date: Wed Jan 10 16:08:57 2018 +0000

    tasks: auth: Pass --unrestricted to Linux Grub2 entries

    The password protection aims to only prevent users from editing the
    menu entries not from booting the system altogether. Fedora is patching
    the 10_linux file to use '--unrestricted' so all users can boot the
    system. As such, we apply a similar patch to the rest of the distros.

    Change-Id: I1390a330ea1f0b48e71fdcb548614d5582fffbd4
    Link: http://pkgs.fedoraproject.org/cgit/rpms/grub2.git/tree/0109-Don-t-require-a-password-to-boot-entries-generated-b.patch
    Link: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html#Authentication-and-authorisation
    Closes-Bug: 1735709

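The two commits above (the `set superusers` / `password_pbkdf2` fragment from the first fix, and the `--unrestricted` flag on the `10_linux` entries from the second) are shown below as one small POSIX shell script. This is an added example, not code from ansible-hardening or from anyone in this thread. Assumptions: the hash string comes from `grub-mkpasswd-pbkdf2` (`grub2-mkpasswd-pbkdf2` on Fedora), which prints `grub.pbkdf2.sha512.10000.<salt>.<hash>`; the `menuentry` echo lines in `/etc/grub.d/10_linux` have the Debian/Ubuntu shape `${CLASS} \$menuentry_id_option` (the exact regex the ansible-hardening task uses is not on this page, so the `sed` here is my own); all file paths are parameters, and the files built in `demo` are constructed samples, not real system paths. The `audit_grub_cfg` function is the check a practitioner would want after regenerating `grub.cfg`: it fails on exactly the Ubuntu outcome reported above, a menu that waits for a password on an unattended reboot.

```shell
#!/bin/sh
# Added example (not ansible-hardening's own tasks). Three pieces:
#   1. a /etc/grub.d fragment that sets superusers and a PBKDF2 password
#   2. --unrestricted on the Linux entries generated by 10_linux, so the
#      password gates editing and the GRUB console but not booting
#   3. an audit of a generated grub.cfg that fails when any menuentry
#      would block an unattended boot, or when editing is unprotected
# Assumed: hash from grub-mkpasswd-pbkdf2 (grub2-mkpasswd-pbkdf2 on Fedora);
# Debian/Ubuntu 10_linux line shape. Regenerate afterwards with update-grub
# (Ubuntu) or grub2-mkconfig -o /boot/grub2/grub.cfg (Fedora); this script
# does not touch the real bootloader.
set -eu

# 1. grub-mkconfig runs every executable file in /etc/grub.d and splices its
#    stdout into grub.cfg, so the fragment just prints grub.cfg syntax (the
#    `exec tail` trick is the one the stock 40_custom uses). A cleartext
#    password is refused: only the PBKDF2 form belongs in this file.
write_grub_auth_fragment() {
    user=$1 hash=$2 dest=$3
    case $hash in
        grub.pbkdf2.sha512.*) ;;
        *) echo "refusing '$hash': need a grub-mkpasswd-pbkdf2 hash, not a cleartext password" >&2
           return 1 ;;
    esac
    cat > "$dest" <<EOF
#!/bin/sh
exec tail -n +3 \$0
# Superusers may edit entries and use the GRUB console. Entries without
# --unrestricted also need this password just to boot.
set superusers="$user"
password_pbkdf2 $user $hash
EOF
    chmod 0755 "$dest"
}

# 2. The same edit Fedora carries as a distro patch to 10_linux. Lines that
#    already carry the flag are skipped, so re-running it is harmless.
unrestrict_linux_entries() {
    sed -i -e '/--unrestricted/!s/\${CLASS} \\\$menuentry_id_option/${CLASS} --unrestricted \\$menuentry_id_option/' "$1"
}

# 3. Returns 0 only if the cfg protects editing AND every menuentry can be
#    booted without the password. Anything else is either unprotected or the
#    "server stuck at the bootloader after reboot" case from this thread.
audit_grub_cfg() {
    cfg=$1
    grep -q '^set superusers=' "$cfg" ||
        { echo "$cfg: no superusers set, menu editing is unprotected" >&2; return 1; }
    grep -Eq '^password_pbkdf2 [^ ]+ grub\.pbkdf2\.' "$cfg" ||
        { echo "$cfg: superusers set but no PBKDF2 credential" >&2; return 1; }
    if grep -E '^[[:space:]]*menuentry ' "$cfg" | grep -v -- '--unrestricted' | grep -q .; then
        echo "$cfg: restricted menuentry present, an unattended boot would wait for the password" >&2
        return 1
    fi
}

# Demo on constructed files in a temp dir (not real system paths).
demo() {
    d=$(mktemp -d)
    write_grub_auth_fragment root grub.pbkdf2.sha512.10000.AAAA.BBBB "$d/01_users"
    # one menuentry echo line in the shape Ubuntu 16.04's 10_linux uses
    cat > "$d/10_linux" <<'EOF'
      echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
EOF
    unrestrict_linux_entries "$d/10_linux"
    # roughly what grub-mkconfig would emit from the two pieces above
    {
        sh "$d/01_users"
        printf "menuentry 'Ubuntu' --class ubuntu --unrestricted \$menuentry_id_option 'gnulinux-simple-x' {\n\tlinux /vmlinuz\n}\n"
    } > "$d/grub.cfg"
    audit_grub_cfg "$d/grub.cfg" && echo "ok: editing protected, boot unrestricted"
    # drop the flag: this is the Ubuntu state before the second fix
    sed 's/ --unrestricted//' "$d/grub.cfg" > "$d/locked.cfg"
    audit_grub_cfg "$d/locked.cfg" || echo "expected failure: locked.cfg would hang an unattended reboot"
    rm -rf "$d"
}

demo
```

Run it as root against copies first; on a real host the fragment goes into `/etc/grub.d/` with a low two-digit prefix so it is emitted before the menu entries, and `audit_grub_cfg` is worth running on the regenerated `grub.cfg` before any scheduled reboot.
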
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/533188

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 16.0.6

This issue was fixed in the openstack/ansible-hardening 16.0.6 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 17.0.0.0b3

This issue was fixed in the openstack/ansible-hardening 17.0.0.0b3 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (stable/pike)

Reviewed: https://review.openstack.org/533188
Committed: https://git.openstack.org/cgit/openstack/ansible-hardening/commit/?id=3b0004968bf08df48a3fa4921c3f2458d380fdb2
Submitter: Zuul
Branch: stable/pike

commit 3b0004968bf08df48a3fa4921c3f2458d380fdb2
Author: Markos Chandras <email address hidden>
Date: Wed Jan 10 16:08:57 2018 +0000

    tasks: auth: Pass --unrestricted to Linux Grub2 entries

    The password protection aims to only prevent users from editing the
    menu entries not from booting the system altogether. Fedora is patching
    the 10_linux file to use '--unrestricted' so all users can boot the
    system. As such, we apply a similar patch to the rest of the distros.

    Change-Id: I1390a330ea1f0b48e71fdcb548614d5582fffbd4
    Link: http://pkgs.fedoraproject.org/cgit/rpms/grub2.git/tree/0109-Don-t-require-a-password-to-boot-entries-generated-b.patch
    Link: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html#Authentication-and-authorisation
    Closes-Bug: 1735709
    (cherry picked from commit 65dce4045a75e4a8533b51ffb2d47e4dcd9114a1)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 16.0.9

This issue was fixed in the openstack/ansible-hardening 16.0.9 release.
