kernel security update fails if a 2nd Ubuntu on same machine
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
grub2 (Ubuntu) | Won't Fix | Undecided | Unassigned |
Bug Description
There is a security issue when multiple instances of Ubuntu (or other distributions) are installed on the same hardware. In my case I have 14.04 LTS and 16.04 alpha (plus some others).
After installing 14.04 LTS as the main system on an UEFI machine there is a file, </boot/
Rebooting 14.04 LTS via 16.04 alpha's GRUB2 or other means and installing a standard kernel security update does NOT make the new kernel available on subsequent reboots because even though 14.04 LTS's GRUB2 has been updated it is never run. 16.04 alpha's GRUB2 (which is ignorant of 14.04 LTS's update) is run because that is what </boot/
There are many ways to fix this problem.
1)
Make all installations maintain a link to the most recent kernel. Ubuntu does this: there are links in the root directory, current and old, for kernel and initrd. Make all boot loaders look for those links. If Ubuntu configured GRUB2 to look for /vmlinuz it could find the current kernel even if the kernel had been upgraded after GRUB2 was updated. Ubuntu-configured GRUB2 does not do this. Of course it is impossible to get all software from all sources to "play nice", but you could make multiple installations of Ubuntu co-operate with each other.
2)
Check where </boot/
Modified </etc/kernel/
3)
Use an EFI style boot loader on EFI machines. There is an Ubuntu repository for rEFInd, which has worked well for me. This has the added advantage that if anyone makes a test installation like 16.04 alpha and then deletes it (not an unreasonable thing to do with an alpha release) then the machine does not become unbootable - because </boot/
END)
I cannot see how to make an attachment to this bug report, so I will paste my zz-update-grub here as text, and ubuntu-bug did not work for me.
<cut-n-paste from terminal>
$ ubuntu-bug linux
usage: whoopsie-upload-all [-h] [-t TIMEOUT]
whoopsie-
<\cut-n-paste from terminal>
<cut-n-paste of my /etc/kernel/
#! /bin/sh
set -e
which update-grub >/dev/null 2>&1 || exit 0
if type running-
running-
exit 0
fi
set -- $DEB_MAINT_PARAMS
mode="${1#\'}"
mode="${mode%\'}"
case $0:$mode in
# Only run on postinst configure and postrm remove, to avoid wasting
# time by calling update-grub multiple times on upgrade and removal.
# Also run if we have no DEB_MAINT_PARAMS, in order to work with old
# kernel packages.
*/postinst.
if [ -e $CFG1 ]; then
# This is an EFI system.
# Does that config file point to this installation?
# Get UUID of installation that that file points to
# Is file format stable?
# Could use "sed" rather than "cut" to find UUID.
# UUID=$(sed -n -e 's/^.*\
# Get device name for this installation
# Spaces are needed, in case grub2 is on the root partition.
# Do they both have the same line in blkid?
if [ "$(blkid | grep $DEVICE)" \
fi
# Fall through, that grubx64.efi file WILL find this installation.
# Reconfigure only.
fi
# Fall through, not even an EFI system, reconfigure only.
if [ -e $CFG2 ]; then
fi
# Fall through, is grub not installed on this system?
;;
esac
exit 0
<\cut-n-paste of my /etc/kernel/
---
ApportVersion: 2.19.4-0ubuntu2
Architecture: amd64
CurrentDesktop: XFCE
DistroRelease: Ubuntu 16.04
InstallationDate: Installed on 2016-02-03 (24 days ago)
InstallationMedia: Xubuntu 16.04 LTS "Xenial Xerus" - Alpha amd64 (20160202)
Package: grub2 (not installed)
ProcVersionSign
Tags: xenial
Uname: Linux 4.4.0-2-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
_MarkForUpload: True
---
ApportVersion: 2.19.4-0ubuntu2
Architecture: amd64
CurrentDesktop: XFCE
DistroRelease: Ubuntu 16.04
InstallationDate: Installed on 2016-02-03 (31 days ago)
InstallationMedia: Xubuntu 16.04 LTS "Xenial Xerus" - Alpha amd64 (20160202)
Package: grub2 (not installed)
ProcVersionSign
Tags: xenial
Uname: Linux 4.4.0-2-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
_MarkForUpload: True
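The check that fix 2) describes, written out as an added example (not the reporter's zz-update-grub and not Ubuntu's): on a UEFI machine the firmware loads the GRUB image from the ESP, and Ubuntu's stub /boot/efi/EFI/ubuntu/grub.cfg names the root filesystem it will hand over to with a "search.fs_uuid <UUID> root ..." line. Comparing that UUID with the UUID of the filesystem mounted at / tells a kernel postinst hook whether the GRUB that actually runs at boot belongs to this installation, or to a sibling install whose menu will not know about the new kernel. The sample grub.cfg in demo() is constructed; the ESP path and the findmnt/blkid calls are assumptions about the host.

```shell
#!/bin/sh
# Added example: does the ESP's grub.cfg point at this installation's root?
# Assumed default location of the stub config written by grub-install on Ubuntu.
ESP_GRUB_CFG="${ESP_GRUB_CFG:-/boot/efi/EFI/ubuntu/grub.cfg}"

# esp_grub_uuid FILE -> prints the UUID from the first "search.fs_uuid" line
esp_grub_uuid() {
    sed -n 's/^[[:space:]]*search\.fs_uuid[[:space:]][[:space:]]*\([0-9A-Fa-f-][0-9A-Fa-f-]*\).*/\1/p' "$1" | head -n 1
}

# root_uuid -> UUID of the filesystem mounted at / (needs findmnt and blkid)
root_uuid() {
    dev=$(findmnt -n -o SOURCE /) || return 1
    blkid -s UUID -o value "$dev"
}

# esp_points_here FILE UUID -> exit 0 if FILE names UUID, 1 otherwise
esp_points_here() {
    [ -n "$2" ] && [ "$(esp_grub_uuid "$1")" = "$2" ]
}

# demo: runs the comparison against a constructed grub.cfg, prints a verdict
demo() {
    tmp=$(mktemp) || return 1
    # Constructed sample in the format grub-install writes to the ESP.
    printf 'search.fs_uuid 1234abcd-0000-4000-8000-00000000cafe root hd0,gpt2\n' > "$tmp"
    printf "set prefix=(\$root)'/boot/grub'\nconfigfile \$prefix/grub.cfg\n" >> "$tmp"
    this_root="1234abcd-0000-4000-8000-00000000cafe"   # stands in for root_uuid
    if esp_points_here "$tmp" "$this_root"; then
        echo "ESP grub.cfg points at this installation: safe to run update-grub"
    else
        echo "ESP grub.cfg points elsewhere: the booted GRUB will not see this kernel"
    fi
    rm -f "$tmp"
}

# Real use from a hook: esp_points_here "$ESP_GRUB_CFG" "$(root_uuid)"
[ "${0##*/}" = "esp_check.sh" ] && demo
```

If the check fails, the hook should at least log the mismatch so the admin knows the updated kernel is not reachable from the menu the firmware actually loads.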
information type: | Private Security → Public |
Changed in grub2 (Ubuntu): | |
status: | Confirmed → New |
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1544809
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.