authorisation not applied to submenus

Bug #718670 reported by syscon-hh
This bug affects 6 people
Affects: grub2 (Ubuntu) | Status: Invalid | Importance: High | Assigned to: Unassigned | Milestone: none

Bug Description

Binary package hint: grub2

Using the password function "pbkdf2" of grub2, there are two different behaviours depending on whether the "sub-menu" (Previous Linux Versions) is used or not:

Using the latest kernel -> the name of the superuser and the password are asked for correctly!

Restarting the computer and selecting the "submenu" function, you can use the

 * edit function ("E" key)

 * cmdline function ("C" key)

without any authorization!!

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: grub-common 1.99~rc1-2ubuntu1
ProcVersionSignature: Ubuntu 2.6.38-3.30-generic 2.6.38-rc4
Uname: Linux 2.6.38-3-generic x86_64
Architecture: amd64
Date: Mon Feb 14 12:18:49 2011
ProcEnviron:
 LANGUAGE=de_DE:de:en_GB:en
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
 LC_MESSAGES=de_DE.utf8
 SHELL=/bin/bash
SourcePackage: grub2

Revision history for this message
syscon-hh (syscon-kono) wrote :
syscon-hh (syscon-kono)
visibility: private → public
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

Could you please give the exact steps necessary to set this up and to reproduce?

Thanks.

Changed in grub2 (Ubuntu):
status: New → Incomplete
Revision history for this message
syscon-hh (syscon-kono) wrote :

I provided a password-file containing:

### BEGIN 01_user_list ###
set superusers='xxuser_namexx'
password_pbkdf2 xxuser_namexx grub.pbkdf2.sha512.3.DC0E03A0DB4....
### END 01_user_list ###

This file "01_user_list" is added into the grub.cfg during "sudo update-grub".

The file /boot/grub/grub.cfg contains two linux kernels (see attachment):

-> the up-to-date 2.6.38-3 kernel

-> the backup kernel 2.6.37-12

The latter one is put into the brackets and is selected inside the grub menu via the sub-menu option!

Selecting the 2.6.38-3 kernel first, all works fine - it asks for user_name and password if you try to use the keys "C" or "E"!!

Selecting the sub-menu first, after the previous kernel is shown, you can use the keys "C" or "E" inside this sub-menu without any authorization being necessary to use these two options - YOU CAN MANIPULATE ALL!!!

tags: removed: unity-2d
tags: added: grub2
Revision history for this message
syscon-hh (syscon-kono) wrote :

Update and workaround:

I inserted manually into the grub.cfg between the lines:

submenu "Previous Linux versions" {
menuentry 'Ubuntu, mit Linux 2.6.37-12-generic' --class ubuntu --class gnu-linux --class gnu --class os {

submenu "Previous Linux versions" {
set superusers='xxuser_namexx'
password_pbkdf2 xxuser_namexx grub.pbkdf2.sha512.3.DC0E03A0DB4....
menuentry 'Ubuntu, mit Linux 2.6.37-12-generic' --class ubuntu --class gnu-linux --class gnu --class os {

Now I am asked to enter the user_name and the password if I press the key "C" or "E" respectively.

I hope it will help to find a final solution.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Could you please give the complete contents of 01_user_list (minus the username and password). Also, could you please attach your grub.cfg that was generated.

Revision history for this message
syscon-hh (syscon-kono) wrote :
Revision history for this message
syscon-hh (syscon-kono) wrote :
Colin Watson (cjwatson)
summary: - grub pbkdf2-function hints
+ authorisation not applied to submenus
Changed in grub2 (Ubuntu):
status: Incomplete → Confirmed
importance: Undecided → High
Revision history for this message
Enrique Hernández Bello (ehbello) wrote :

It is not needed to set the user's passwords again. The workaround works by simply defining the 'superusers' variable in submenus.

Example:

submenu "Previous Linux versions" {
set superusers='xxuser_namexx'
menuentry 'Ubuntu, mit Linux 2.6.37-12-generic' --class ubuntu --class gnu-linux --class gnu --class os {
...

Revision history for this message
syscon-hh (syscon-kono) wrote :

The question isn't how to do the work-around!

It must be implemented inside the script "10_linux" (or another one), so it's a fixed part independent of the user's knowledge.

It is right to use/set the definition of users only!

Revision history for this message
Enrique Hernández Bello (ehbello) wrote :

This bug is not related to the grub.d scripts or to the 'Previous Linux versions' submenu. GRUB does not propagate the superusers variable to any submenu.

I think that it is preferable to set a local variable per menu and submenu instead of a global variable. In Debian/Ubuntu, no superusers variable is defined by default, so the administrator must be aware to include authorization rights in all submenus.

In this case, it's needed to modify the "10_linux" script to include the superusers variable in the 'Previous Linux versions' submenu.

Revision history for this message
Ciprian Dorin Craciun (ciprian-craciun) wrote :

According to a Fedora bug report, see below, exporting the `superusers` variable seems to fix it.
    https://bugzilla.redhat.com/show_bug.cgi?id=836259

Concretely, all you need to do in your custom `01_users` script is:
~~~~
set superusers="root"
export superusers
password_pbkdf2 root ...
~~~~

I've tested it on Ubuntu 12.04 LTS (with the latest updates as the date of this comment).

Revision history for this message
kaimadag (kaimadag) wrote :

I confirm this issue on 12.04.2 LTS server amd64. This affects command line and entry editing in submenu as well as protecting entries with `--users` as any entry in submenu meant to be protected is freely available.

The fix from #11 works fine, except the login/password is also required to return from submenu.

Revision history for this message
Mike Long (oreodoh) wrote :

This guide to Grub2 password protection references the fix in post #11.

https://help.ubuntu.com/community/Grub2/Passwords#Superuser_.26_Password_Designation_.28Required.29

~~~~
set superusers="root"
export superusers
password_pbkdf2 root ...
~~~~

However, in their example, instead of placing "export superusers" immediately after "set superusers", they place it after the "password/password_pbkdf2" line.

set superusers="John"
password John foo
export superusers

I'm using the latter on Ubuntu 12.04.4 LTS x86_64 just because it's from a more official source, but I'm thinking it might be better from a security perspective to follow post #11 and export superusers immediately after it has been defined.

Can anyone provide any insight into what would be best practice here?

Revision history for this message
Marcus Tomlinson (marcustomlinson) wrote :

This release of Ubuntu is no longer receiving maintenance updates. If this is still an issue on a maintained version of Ubuntu please let us know.

Changed in grub2 (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Marcus Tomlinson (marcustomlinson) wrote :

This issue has sat incomplete for more than 60 days now. I'm going to close it as invalid. Please feel free to re-open if this is still an issue for you. Thank you.

Changed in grub2 (Ubuntu):
status: Incomplete → Invalid