Bug#555195: grub2: password checking oddity
recoverym4n at gmail.com
recoverym4n at gmail.com
Sun Nov 8 21:59:00 UTC 2009
Package: grub2
Version: 1.97~beta3-1~bpo50+1
Severity: important
The current version of GRUB 1.97 allows enabling password-based authentication
for run-time editing of menu entries, entering the GRUB command line, etc.
Such configuration is described at http://grub.enbug.org/Authentication ,
and is outside of scope of this bug report.
The actual problem with this password check is:
GRUB accepts user input as a valid password as long as the input is a correct
prefix of the password, i.e. the user only has to enter its first few
characters correctly.
For example, if /boot/grub/grub.cfg reads:
set superusers="user1"
password user1 password1
Then the user can enter "p", "pa", "pas", etc., and GRUB will accept it as the
correct password.
Considering that this 'feature' effectively lowers the password length to 1 (one)
character, I've set the severity of this bug to 'important'. Feel free to add the
'security' tag, if appropriate.
While I am reporting this issue against the backported version of GRUB2, the same
behaviour can be seen in the current sid version: 1.97-1. This issue does not
apply to the current lenny version of grub2, as the password-checking
functionality is not implemented there.
-- Package-specific info:
*********************** BEGIN /proc/mounts
/dev/disk/by-uuid/53987106-e00e-44ea-977f-e29cd79f4786 / ext3 rw,nodiratime,relatime,errors=remount-ro,data=ordered 0 0
/dev/sda1 /boot ext3 ro,noatime,nodiratime,errors=continue,data=ordered 0 0
/dev/sda5 /var reiserfs rw,nosuid,relatime,notail 0 0
/dev/sda6 /usr ext3 ro,noatime,nodiratime,errors=continue,data=ordered 0 0
/dev/md1 /home ext3 rw,nosuid,relatime,errors=continue,data=ordered 0 0
/dev/md2 /srv ext3 rw,nosuid,noexec,noatime,nodiratime,errors=continue,data=ordered 0 0
/dev/sda7 /srv/schroot ext3 rw,noatime,nodiratime,errors=continue,data=ordered 0 0
*********************** END /proc/mounts
*********************** BEGIN /boot/grub/device.map
(hd0) /dev/sda
(hd1) /dev/sdb
(hd2) /dev/sdc
*********************** END /boot/grub/device.map
*********************** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by /usr/sbin/grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
set default=0
insmod ext2
set root=(hd0,6)
search --no-floppy --fs-uuid --set 3cb3d7f4-eafd-421d-935a-0a5c123410ae
if loadfont /share/grub/unicode.pf2 ; then
set gfxmode=1280x1024
set gfxpayload=keep
insmod gfxterm
insmod vbe
if terminal_output gfxterm ; then true ; else
# For backward compatibility with versions of terminal.mod that don't
# understand terminal_output
terminal gfxterm
fi
fi
set timeout=5
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/02_password ###
set superusers="user"
password user _p_a_s_s_w_o_r_d_
### END /etc/grub.d/02_password ###
### BEGIN /etc/grub.d/05_debian_theme ###
insmod ext2
set root=(hd0,1)
search --no-floppy --fs-uuid --set 6591d6b4-e7f7-44a9-9679-387fe901d251
insmod png
if background_image /grub/splash-1280x1024.png ; then
set color_normal=white/black
set color_highlight=magenta/black
else
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_debian_theme ###
### BEGIN /etc/grub.d/10_linux ###
menuentry "Debian GNU/Linux, Linux 2.6.26-2-amd64" {
insmod ext2
set root=(hd0,1)
search --no-floppy --fs-uuid --set 6591d6b4-e7f7-44a9-9679-387fe901d251
linux /vmlinuz-2.6.26-2-amd64 root=UUID=53987106-e00e-44ea-977f-e29cd79f4786 ro video=vesafb,mtrr:3,ywrap quiet
initrd /initrd.img-2.6.26-2-amd64
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_memtest86+ ###
menuentry "Memory test (memtest86+)" {
linux /memtest86+.bin
}
### END /etc/grub.d/20_memtest86+ ###
### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###
*********************** END /boot/grub/grub.cfg
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages grub2 depends on:
ii grub-pc 1.97~beta3-1~bpo50+1 GRand Unified Bootloader, version
grub2 recommends no packages.
grub2 suggests no packages.
-- debconf information:
grub2/numbering_scheme_transition: