Bug#584822: grub2: command password

Colin Watson cjwatson at debian.org
Tue Jun 8 09:24:08 UTC 2010 

severity 584822 important
retitle 584822 grub2: authentication documentation is inadequate
thanks

(CCing back to the bug, being careful to remove anything sensitive from
your mail; please keep the bug in the CC list when replying, so that
there's an audit trail.)

On Tue, Jun 08, 2010 at 12:48:59AM +0200, Artificius wrote:
> attached my /boot/grub/grub.cfg under squeeze (2010-06-06), generated by 
> update-grub and written in the MBR by grub-install '(hd0)'. 
> Unfortunately the password section is ignored without any hint 
> when starting. Is anything wrong in grub.cfg?

By default, menu entries are unrestricted.  You need to add --users ""
to the menuentry command in order to restrict them to superusers only
(this will involve editing /etc/grub.d/10_linux), or e.g. --users gnag
to restrict them to superusers or a particular user list.

I've tested this with your grub.cfg and confirmed that it works
properly.  I've also confirmed that, without modifications, your
grub.cfg restricts use of the command line to the superuser.

I've clarified the info documentation upstream to describe this
properly.  Here's the full current text:


12 Authentication and authorisation
***********************************

By default, the boot loader interface is accessible to anyone with
physical access to the console: anyone can select and edit any menu
entry, and anyone can get direct access to a GRUB shell prompt.  For
most systems, this is reasonable since anyone with direct physical
access has a variety of other ways to gain full access, and requiring
authentication at the boot loader level would only serve to make it
difficult to recover broken systems.

   However, in some environments, such as kiosks, it may be appropriate
to lock down the boot loader to require authentication before
performing certain operations.

   The `password' (*note password::) and `password_pbkdf2' (*note
password_pbkdf2::) commands can be used to define users, each of which
has an associated password.  `password' sets the password in plain
text, requiring `grub.cfg' to be secure; `password_pbkdf2' sets the
password hashed using the Password-Based Key Derivation Function (RFC
2898), requiring the use of `grub-mkpasswd-pbkdf2' (*note Invoking
grub-mkpasswd-pbkdf2::) to generate password hashes.

   In order to enable authentication support, the `superusers'
environment variable must be set to a list of usernames, separated by
any of spaces, commas, semicolons, pipes, or ampersands.  Superusers
are permitted to use the GRUB command line, edit menu entries, and
execute any menu entry.  If `superusers' is set, then use of the
command line is automatically restricted to superusers.

   Other users may be given access to specific menu entries by giving a
list of usernames (as above) using the `--users' option to the
`menuentry' command (*note menuentry::).  If the `--users' option is
not used for a menu entry, then that entry is unrestricted.

   Putting this together, a typical `grub.cfg' fragment might look like
this:

     set superusers="root"
     password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
     password user1 insecure

     menuentry "May be run by any user" {
        set root=(hd0,1)
        linux /vmlinuz
     }

     menuentry "Superusers only" --users "" {
        set root=(hd0,1)
        linux /vmlinuz single
     }

     menuentry "May be run by user1 or a superuser" --users user1 {
        set root=(hd0,2)
        chainloader +1
     }

   The `grub-mkconfig' program does not yet have built-in support for
generating configuration files with authentication.  You can use
`/etc/grub.d/40_custom' to add simple superuser authentication, by
adding `set superusers=' and `password' or `password_pbkdf2' commands.

-- 
Colin Watson                                       [cjwatson at debian.org]

More information about the Pkg-grub-devel mailing list