authorisation not applied to submenus

Bug #718670 reported by syscon-hh on 2011-02-14
This bug affects 6 people

Affects: grub2 (Ubuntu)

Bug Description

Binary package hint: grub2

Using the password function "pbkdf2" of grub2, there are two different outcomes depending on whether the "sub-menu" (Previous Linux Versions) is used or not:

Using the latest kernel -> the name of the superuser and the password will be asked for correctly!

Starting the computer anew and selecting the "submenu function", you can use the

 * edit function via the "E" key

 * cmdline function via the "C" key

without any authorization!!

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: grub-common 1.99~rc1-2ubuntu1
ProcVersionSignature: Ubuntu 2.6.38-3.30-generic 2.6.38-rc4
Uname: Linux 2.6.38-3-generic x86_64
Architecture: amd64
Date: Mon Feb 14 12:18:49 2011
 PATH=(custom, no user)
SourcePackage: grub2

syscon-hh (syscon-kono) on 2011-02-14
visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

Could you please give the exact steps necessary to set this up and to reproduce?


Changed in grub2 (Ubuntu):
status: New → Incomplete
syscon-hh (syscon-kono) wrote :

I provided a password-file containing:

### BEGIN 01_user_list ###
set superusers='xxuser_namexx'
password_pbkdf2 xxuser_namexx grub.pbkdf2.sha512.3.DC0E03A0DB4....
### END 01_user_list ###

This file "01_user_list" will be added into the grub.cfg during "sudo update-grub".

The file /boot/grub/grub.cfg contains two Linux kernels (see attachment):

-> the up-to-date 2.6.38-3 kernel

-> the backup kernel 2.6.37-12

The latter one is put into the brackets and will be selected inside the grub menu via the sub-menu option!

Selecting the 2.6.38-3 kernel first, all will be working fine - asking for user name and password, if you try to use the keys "C" or "E"!!

Selecting the sub-menu first and after the previous kernel is shown, you can select inside this sub-menu the keys "C" or "E" without any authorization being necessary to use these two options - YOU CAN MANIPULATE ALL!!!

tags: removed: unity-2d
tags: added: grub2
syscon-hh (syscon-kono) wrote :

Update and workaround:

I inserted manually into the grub.cfg, between these lines:

submenu "Previous Linux versions" {
menuentry 'Ubuntu, mit Linux 2.6.37-12-generic' --class ubuntu --class gnu-linux --class gnu --class os {

the user definition, so that it now reads:

submenu "Previous Linux versions" {
set superusers='xxuser_namexx'
password_pbkdf2 xxuser_namexx grub.pbkdf2.sha512.3.DC0E03A0DB4....
menuentry 'Ubuntu, mit Linux 2.6.37-12-generic' --class ubuntu --class gnu-linux --class gnu --class os {

Now I will be asked to put in the user name and the password if I press the key "C" or "E" respectively.

I hope it will help to find a final solution.

Marc Deslauriers (mdeslaur) wrote :

Could you please give the complete contents of 01_user_list (minus the username and password). Also, could you please attach your grub.cfg that was generated.

Colin Watson (cjwatson) on 2011-02-28
summary: - grub pbkdf2-function hints
+ authorisation not applied to submenus
Changed in grub2 (Ubuntu):
status: Incomplete → Confirmed
importance: Undecided → High

It is not needed to set the user's passwords again. The workaround works simply by defining the 'superusers' variable inside the submenu:


submenu "Previous Linux versions" {
set superusers='xxuser_namexx'
menuentry 'Ubuntu, mit Linux 2.6.37-12-generic' --class ubuntu --class gnu-linux --class gnu --class os {

syscon-hh (syscon-kono) wrote :

The question isn't how to do the work-around!

It must be implemented inside the script "10_linux" (or another one), so it's a fixed part independent of the user's knowledge.

It is right to use/set the definition of users only!

This bug is not related to the grub.d scripts nor to the 'Previous Linux versions' submenu. GRUB does not propagate the superusers variable to any submenu.

I think that it is preferable to set a local variable per menu and submenu instead of a global variable. In Debian/Ubuntu, no superusers variable is defined by default, so the administrator must be aware to include authorization rights in all submenus.

In this case, it's needed to modify the "10_linux" script to include the superusers variable in the 'Previous Linux versions' submenu.

According to a Fedora bug report, see below, exporting the `superusers` variable seems to fix it.

Concretely, all you need to do in your custom `01_users` script is:
set superusers="root"
export superusers
password_pbkdf2 root ...

I've tested it on Ubuntu 12.04 LTS (with the latest updates as of the date of this comment).

kaimadag (kaimadag) wrote :

I confirm this issue on 12.04.2 LTS server amd64. This affects command line and entry editing in submenu as well as protecting entries with `--users` as any entry in submenu meant to be protected is freely available.

The fix from #11 works fine, except the login/password is also required to return from submenu.

Mike Long (oreodoh) wrote :

This guide to Grub2 password protection references the fix in post #11.

set superusers="root"
export superusers
password_pbkdf2 root ...

However, in their example, instead of placing "export superusers" immediately after "set superusers", they place it after the "password/password_pbkdf2" line.

set superusers="John"
password John foo
export superusers

I'm using the latter on Ubuntu 12.04.4 LTS x86_64 just because it's from a more official source, but I'm thinking it might be better from a security perspective to follow post #11 and export superusers immediately after it's been defined.

Can anyone provide any insight into what would be best practice here?
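An added example, not part of this bug report or of GRUB: a small audit script that walks a grub.cfg and lists the submenus in which no superusers variable is in effect, i.e. the variable is neither exported at top level (the fix discussed above) nor set locally inside the submenu (the reporter's workaround). The configuration fragments are constructed for the example and the password hash is a placeholder.

```python
import re

# Constructed grub.cfg fragment modelled on this thread: superusers is set at
# top level but not exported, so the "Previous Linux versions" submenu runs
# without any superusers definition and its "e"/"c" keys are unprotected.
SAMPLE_UNEXPORTED = """\
set superusers='xxuser_namexx'
password_pbkdf2 xxuser_namexx grub.pbkdf2.sha512.PLACEHOLDER
menuentry 'Ubuntu, with Linux 2.6.38-3-generic' --class ubuntu {
    linux /boot/vmlinuz-2.6.38-3-generic
}
submenu "Previous Linux versions" {
    menuentry 'Ubuntu, with Linux 2.6.37-12-generic' --class ubuntu {
        linux /boot/vmlinuz-2.6.37-12-generic
    }
}
"""
# Same fragment with the fix from the thread: export the variable globally.
SAMPLE_EXPORTED = SAMPLE_UNEXPORTED.replace(
    "set superusers='xxuser_namexx'\n",
    "set superusers='xxuser_namexx'\nexport superusers\n", 1)

BLOCK_RE = re.compile(r'^(submenu|menuentry)\s+(["\'])(.*?)\2.*\{$')

def audit_superusers(cfg_text):
    """Return titles of submenus where no superusers variable is in effect:
    it is neither exported at top level nor set locally inside the submenu."""
    exported = False
    stack = []       # open blocks: [kind, title, has_local_set]
    submenus = []    # closed submenu blocks, for the final verdict
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BLOCK_RE.match(line)
        if m:
            stack.append([m.group(1), m.group(3), False])
        elif line == "}":
            kind, title, local = stack.pop()
            if kind == "submenu":
                submenus.append((title, local))
        elif re.match(r"^set\s+superusers=", line) and stack:
            stack[-1][2] = True        # local to the enclosing block only
        elif re.match(r"^export\s+superusers$", line) and not stack:
            exported = True            # visible in every submenu context
    return [title for title, local in submenus if not (exported or local)]

if __name__ == "__main__":
    print("unexported:", audit_superusers(SAMPLE_UNEXPORTED))
    print("exported:  ", audit_superusers(SAMPLE_EXPORTED))
```

Run it against /boot/grub/grub.cfg after update-grub to confirm that every generated submenu is covered before relying on the password.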
