Major bug in Console Security help page (affects 9.04)

Bug #384148 reported by sasha
24
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubuntu-docs (Ubuntu)
Fix Released
High
Gilbert Mendoza
Hardy
Won't Fix
High
Gilbert Mendoza

Bug Description

SRU:
The affected section was removed in Lucid as it no longer applies, but there is a patch posted in comment #4 for Hardy. The existing documentation is unclear for enabling password security in GRUB.
Impact: Adjustment to documentation means the affected and new strings to be translated.

----

Binary package hint: ubuntu-docs

Hi,

Just found few bugs in Console Security how-to located at https://help.ubuntu.com/9.04/serverguide/C/console-security.html.

Bugs are related to GRUB Password Security how-to and affect all versions of documentation.

1. First of all there should be a note that "password --md5 pass" string has not to be located under the title item but in a global area.
2. The string "# lockalternative=false" confused me, it is necessary to note that string has not to be copied without hash char. It has to be edited as "# lockalternative=true" because it as a template for grub-update scripts.
3. !!!This is a major bug!!! After editing lockalternative to true it is necessary to put "lock" parameter under the title with recover mode as follows:

title Ubuntu 9.04, kernel 2.6.xx-x-generic (recovery mode)
lock
uuid xxx
kernel /boot/vmlinuz-2.6.xx-x-generic root=UUID=xxx ro single
initrd /boot/initrd.img-2.6.xx-x-generic

4. !!!It is necessary to note, that lock parameter which has been added in the item 3 will not be modified by grub-update script(in case of kernel upgrade and other changes) because of "# lockalternative=true". Without "# lockalternative=true" single user mode will be unlocked on next grub-update.

BTW, do we need to add lock parameter each time to the new title with a new kernel?

Tags: serverguide
security vulnerability: yes → no
visibility: private → public
Jonathan Jesse (jjesse)
tags: added: serverguide
Revision history for this message
Connor Imes (ckimes) wrote :

Note that Grub2 is the default now in Karmic, and may replace Grub legacy altogether in Lucid.

Changed in ubuntu-docs (Ubuntu):
importance: Undecided → High
Micheal Harker (mh0)
Changed in ubuntu-docs (Ubuntu):
assignee: nobody → Micheal_2009 (micheal-harker)
status: New → Confirmed
Revision history for this message
Gilbert Mendoza (gmendoza) wrote :

> 1. First of all there should be a note that "password --md5 pass" string has not to be located under the title item but in a global area.

Clarification on global section could help avoid confusion, apparently. Although the menu.lst file already has the template for passwords and text regarding it's use. I guess that would require the reader of the documentation to also read the menu.lst file they are editing.

> 2. The string "# lockalternative=false" confused me, it is necessary to note that string has not to be copied without hash char. It has to be edited as "# lockalternative=true" because it as a template for grub-update scripts.

Further clarifying to the audience that the hash tag should NOT be removed might help. Many other app configuration files require the removal of hash tags (comments) while this serves as a grub string template. The instructions do explain the result should look like the example given, which includes a hash tag exactly as it should.

Here's an excerpt from the automagic section of menu.lst:

### BEGIN AUTOMAGIC KERNELS LIST
## lines between the AUTOMAGIC KERNELS LIST markers will be modified
## by the debian update-grub script except for the default options below

## DO NOT UNCOMMENT THEM, Just edit them to your needs

> 3. !!!This is a major bug!!! After editing lockalternative to true it is necessary to put "lock" parameter under the title with recover mode as follows:
(snipped)
> 4. !!!It is necessary to note, that lock parameter which has been added in the item 3 will not be modified by grub-update script(in case of kernel upgrade and other changes) because of "# lockalternative=true". Without "# lockalternative=true" single user mode will be unlocked on next grub-update.

> BTW, do we need to add lock parameter each time to the new title with a new kernel?

As for 3 and 4... The instructions are correct, however there is something missing. After making the change to the "# lockalternative" template, it is necessary to update grub for all existing and future recovery kernel entries to be locked.

sudo update-grub

As long as the lockalternative template and password have been implemented properly, every time a kernel update occurs, grub is updated and all alternative entries will be locked. When kernel updates occur, grub is updated and new kernel entries will automagically receive the lock parameter.

As Connor mentioned, as for new documentation (for version 9.10 and above), Grub 2 has since replaced Grub legacy. As of now, the process of applying passwords is now much more complicated, and does not permit any hashing of passwords. The suggestion of using grub password has always been lightweight security, because as it points out, someone could just boot the system using a LiveCD and gain access. If the passwords are in clear text... what's the point? So users should not use their favorite passphrase there, for sure. :-)

Until the ability to hash the passwords becomes available to Grub 2, I think removing the subsection altogether is probably a good idea.

Revision history for this message
Gilbert Mendoza (gmendoza) wrote :

Sorry for the long previous message. I was trying to be clear and hope I didn't come off rude (like I think a couple sentences may have). Apologies in advance... completely unintentional if it were interpreted that way.

As for the suggested corrections and clarification points, can we still submit patches for 8.04, 8.10, and 9.04? If so, I can add a patch to this bug for each version.

Revision history for this message
Gilbert Mendoza (gmendoza) wrote :

Patch for Hardy, addressing concerns in this bug report.

Revision history for this message
Gilbert Mendoza (gmendoza) wrote :

Patch for Intrepid, addressing concerns in this bug report.

Revision history for this message
Gilbert Mendoza (gmendoza) wrote :

Patch for Jaunty, addressing concerns in this bug report.

Revision history for this message
Gilbert Mendoza (gmendoza) wrote :

Patch for Lucid, addressing concerns in this bug report. Entire section on GRUB password protection has been removed, due to the fact that GRUB 2 still lacks sufficient password protection. It is possible, but the instructions are lengthy, and passwords are stored in clear text.

Revision history for this message
Gilbert Mendoza (gmendoza) wrote :

Patch for Karmic, addressing concerns in this bug report. Same adjustment as note above regarding Lucid.

Micheal Harker (mh0)
description: updated
summary: - Major bug in Console Security help page (affects all version)
+ Major bug in Console Security help page (affects 9.04)
Revision history for this message
Gilbert Mendoza (gmendoza) wrote :

Michael,

Not sure if you got my offline message or not. Since you're assigned to this bug, did you have any comments, suggestions or ideas regarding the patches I included?

Revision history for this message
Michael Fitzhugh (mfitzhugh) wrote : Re: [Bug 384148] Re: Major bug in Console Security help page (affects 9.04)

Hi Gilbert,

I think you might have meant this note for Michael_2009. I'm another
Michael Fitzhugh. Sorry I can't help out.

- Michael

Michael Fitzhugh
(510) 288-8371
<email address hidden>

On Mon, Jan 25, 2010 at 11:41 AM, Gilbert Mendoza <email address hidden> wrote:
> Michael,
>
> Not sure if you got my offline message or not.  Since you're assigned to
> this bug, did you have any comments, suggestions or ideas regarding the
> patches I included?
>
> --
> Major bug in Console Security help page (affects 9.04)
> https://bugs.launchpad.net/bugs/384148
> You received this bug notification because you are a member of Ubuntu
> Documentation Project Team, which is a direct subscriber.
>
> Status in “ubuntu-docs” package in Ubuntu: Confirmed
>
> Bug description:
> Binary package hint: ubuntu-docs
>
> Hi,
>
> Just found few bugs in Console Security how-to located at https://help.ubuntu.com/9.04/serverguide/C/console-security.html.
>
> Bugs are related to GRUB Password Security how-to and affect all versions of documentation.
>
> 1. First of all there should be a note that "password --md5 pass"  string has not to be located under the title item but in a global area.
> 2. The string "# lockalternative=false" confused me, it is necessary to note that string has not to be copied without hash char. It has to be edited as "# lockalternative=true" because it as a template for grub-update scripts.
> 3. !!!This is a major bug!!! After editing lockalternative to true it is necessary to put "lock" parameter under the title with recover mode as follows:
>
> title           Ubuntu 9.04, kernel 2.6.xx-x-generic (recovery mode)
> lock
> uuid            xxx
> kernel          /boot/vmlinuz-2.6.xx-x-generic root=UUID=xxx ro  single
> initrd          /boot/initrd.img-2.6.xx-x-generic
>
> 4. !!!It is necessary to note, that lock parameter which has been added in the item 3 will not be modified by grub-update script(in case of kernel upgrade and other changes) because of "# lockalternative=true". Without "# lockalternative=true" single user mode will be unlocked on next grub-update.
>
> BTW, do we need to add lock parameter each time to the new title with a new kernel?
>
>
>
>
>

Revision history for this message
Fredrik Sudmann (fsudmann) wrote :

Sorry, but this is not my cup of tea. I'm not on the bug team..

2010/1/25 Gilbert Mendoza <email address hidden>

> Michael,
>
> Not sure if you got my offline message or not. Since you're assigned to
> this bug, did you have any comments, suggestions or ideas regarding the
> patches I included?
>
> --
> Major bug in Console Security help page (affects 9.04)
> https://bugs.launchpad.net/bugs/384148
> You received this bug notification because you are a member of Ubuntu
> Documentation Project Team, which is a direct subscriber.
>
> Status in “ubuntu-docs” package in Ubuntu: Confirmed
>
> Bug description:
> Binary package hint: ubuntu-docs
>
> Hi,
>
> Just found few bugs in Console Security how-to located at
> https://help.ubuntu.com/9.04/serverguide/C/console-security.html.
>
> Bugs are related to GRUB Password Security how-to and affect all versions
> of documentation.
>
> 1. First of all there should be a note that "password --md5 pass" string
> has not to be located under the title item but in a global area.
> 2. The string "# lockalternative=false" confused me, it is necessary to
> note that string has not to be copied without hash char. It has to be edited
> as "# lockalternative=true" because it as a template for grub-update
> scripts.
> 3. !!!This is a major bug!!! After editing lockalternative to true it is
> necessary to put "lock" parameter under the title with recover mode as
> follows:
>
> title Ubuntu 9.04, kernel 2.6.xx-x-generic (recovery mode)
> lock
> uuid xxx
> kernel /boot/vmlinuz-2.6.xx-x-generic root=UUID=xxx ro single
> initrd /boot/initrd.img-2.6.xx-x-generic
>
> 4. !!!It is necessary to note, that lock parameter which has been added in
> the item 3 will not be modified by grub-update script(in case of kernel
> upgrade and other changes) because of "# lockalternative=true". Without "#
> lockalternative=true" single user mode will be unlocked on next grub-update.
>
> BTW, do we need to add lock parameter each time to the new title with a new
> kernel?
>
>
>
>
>

Revision history for this message
Micheal Harker (mh0) wrote :

I am still in the process of checking the patches. I am copying the text and
making it into a xml file to try it out on the documentation and then when I
have done it I will try it out on 9.04 system and hopefully help you release
the patch. I will give the credit to you of course!

On Mon, Jan 25, 2010 at 7:41 PM, Gilbert Mendoza <email address hidden> wrote:

> Michael,
>
> Not sure if you got my offline message or not. Since you're assigned to
> this bug, did you have any comments, suggestions or ideas regarding the
> patches I included?
>
> --
> Major bug in Console Security help page (affects 9.04)
> https://bugs.launchpad.net/bugs/384148
> You received this bug notification because you are a member of Ubuntu
> Documentation Project Team, which is a direct subscriber.
>
> Status in “ubuntu-docs” package in Ubuntu: Confirmed
>
> Bug description:
> Binary package hint: ubuntu-docs
>
> Hi,
>
> Just found few bugs in Console Security how-to located at
> https://help.ubuntu.com/9.04/serverguide/C/console-security.html.
>
> Bugs are related to GRUB Password Security how-to and affect all versions
> of documentation.
>
> 1. First of all there should be a note that "password --md5 pass" string
> has not to be located under the title item but in a global area.
> 2. The string "# lockalternative=false" confused me, it is necessary to
> note that string has not to be copied without hash char. It has to be edited
> as "# lockalternative=true" because it as a template for grub-update
> scripts.
> 3. !!!This is a major bug!!! After editing lockalternative to true it is
> necessary to put "lock" parameter under the title with recover mode as
> follows:
>
> title Ubuntu 9.04, kernel 2.6.xx-x-generic (recovery mode)
> lock
> uuid xxx
> kernel /boot/vmlinuz-2.6.xx-x-generic root=UUID=xxx ro single
> initrd /boot/initrd.img-2.6.xx-x-generic
>
> 4. !!!It is necessary to note, that lock parameter which has been added in
> the item 3 will not be modified by grub-update script(in case of kernel
> upgrade and other changes) because of "# lockalternative=true". Without "#
> lockalternative=true" single user mode will be unlocked on next grub-update.
>
> BTW, do we need to add lock parameter each time to the new title with a new
> kernel?
>
>
>
>
>

Revision history for this message
Connor Imes (ckimes) wrote :

I applied Gilbert's patch for Lucid to remove this section from the docs, since the existing directions were not applicable to Grub2 and we don't have good replacement directions for Grub2. I am therefore assigning this bug to him for the record (nothing personal Micheal, we really appreciate your help and feedback on this report). When this capability becomes available, we can re-write this documentation. Patch was committed to Lucid branch, rev 458.

Changed in ubuntu-docs (Ubuntu):
assignee: Micheal_2009 (micheal-harker) → Gilbert Mendoza (gmendoza)
status: Confirmed → Fix Committed
Revision history for this message
Connor Imes (ckimes) wrote :

Subscribing ubuntu-sru for Hardy stable release update request.

description: updated
Revision history for this message
John Dong (jdong) wrote :

ack from ubuntu-sru for the SRU requests... though I cannot accept the nominations themselves.

Revision history for this message
Connor Imes (ckimes) wrote :

Fix committed to the Hardy branch (rev. 3823) for SRU, using Gilbert's patch. Thanks.

Changed in ubuntu-docs (Ubuntu Hardy):
assignee: nobody → Gilbert Mendoza (gmendoza)
importance: Undecided → High
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (5.5 KiB)

This bug was fixed in the package ubuntu-docs - 10.04.2

---------------
ubuntu-docs (10.04.2) lucid; urgency=low

  * General:
    - Fixes to scripts/fix-url.sh (including LP: #482862)
    - Fix character encoding in contributors.xml (LP: #448618)
    - Updated version in browser-startpage html files, LP: #526320
    - Refresh pot files
  * Add-applications:
    - Updates for UI changes, Phil Bull
  * Config-desktop:
    - Added topic on changing window buttons from the left, Phil Bull
  * Hardware:
    - Added mention of gsynaptics, Connor Imes, LP: #450567
  * Internet:
    - Refresh list of plugins supplied by ubuntu-restricted-extras, branch
      from Nathan Murray, LP: #504981
    - Updates to reflect that Ekiga no longer installed by default, Connor Imes,
      LP: #508572
    - Grammar fix from Alex Wardle, LP: #517776
    - Order adjustment for shares-admin usage, Alex Wardle, LP: #518119
    - Button name change for shares-admin app, Alex Wardle, LP: #518170
    - Use unlock icon in networking section, Alex Wardle, LP: #518117
    - Updated directions on changing text size and page zooming in firefox,
      Alison Rowland, LP: #512556
    - Fixed guilabel usage in modem section. Alex Wardle, LP: #521243
    - Updated button and tab names in Static Connections section,
      Alex Wardle, LP: #521508
    - Typo fix in adsl section. Alex Wardle, LP: #525349
    - Removed unused and empty basics.xml, LP: #525431
    - Minor wording update to directions for sharing folders via nautilus,
      Connor Imes, LP: #518175
    - Use 'NetworkManager' not 'Network Manager' for consistency, Connor Imes
      LP: #518107
    - Update to troubleshooting mobile devices, Connor Imes, LP: #453459
    - Adjusted description of NetworkManager applet icons, Connor Imes
      LP: #440826
    - Additions to VPN section of connecting guide, Alex Wardle, LP: #452647
    - Expanded on using config files for vpn connections, Connor Imes
    - Command line substitution for Services utility which is not in Karmic or
      Lucid, Connor Imes, LP: #518460
    - Structural and language changes + updates for UI changes, Phil Bull
  * Musicvideophotos:
    - Added section for recording and editing video, Book 'em Dano, LP: #367569
  * Newtoubuntu:
    - Complete rewrite, Matthew East
  * Printing:
    - Simple Scan replaced xsane for scanning documents, Alex Wardle, LP: #546193
  * Serverguide:
    - Rename link to serverguide in advanced-topics.xml, Gilbert
      Mendoza, LP: #505708
    - Use distro-short-codename variable for vmbuilder documentation in
      serverguide rather than static version example, Connor Imes,. LP: #509653
    - Small fixes to security chapter, Connor Imes, LP: #510703
    - Small fixes from Nathan Handler, LP: #507624
    - Configuration change for OpenLDAP, Connor Imes, LP: #511090
    - Refresh of network-config section, Gilbert Mendoza, LP: #506800
    - Update manpage links to use distro-short-codename, Connor Imes
    - Changed OpenLDAP replication to use single Provider/Consumer configuration,
      Adam Sommer
    - Removed grub-password-security section - it does not apply to Grub2,
      Gilbert Mendoza, LP: #384148
    - Refere...

Read more...

Changed in ubuntu-docs (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Connor Imes (ckimes) wrote :

Hardy is EOL

Changed in ubuntu-docs (Ubuntu Hardy):
status: Fix Committed → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.