Bug#773138: grub upgrade makes booting require a password

Carlo Contavalli ccontavalli at gmail.com
Sun Dec 14 22:39:25 UTC 2014 

Package: grub2
Version: 2.02~beta2-17
Severity: normal

The intended behavior of the /etc/grub.d/10_linux script is to add
menu entries (menuentry) to boot the linux partitions.

Before a certain version of grub, having a password set inhibited
the ability to edit entries, and enter in advanced menus.

After a certain version, it also blocked booting any entry.

To maintain backward compatibility, and given that there is no standard
mechanism to manage passwords and authentication in /etc/default and
script, basic entries should be created with --unrestricted option, so they
can boot without a password.

This way, it is the responsibility of users of authentication to edit
scripts as necessary, and doesn't break existing systems by suddenly
requiring a password at boot (think about headless systems).

This should be as simple as changing:

  ...
  else
      echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
  fi

to:

  else
      echo "menuentry --unrestricted '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
  fi

-- Package-specific info:

*********************** BEGIN /proc/mounts
/dev/disk/by-uuid/033b8bcc-6c1f-4262-8f11-6cbae5107772 / ext3 rw,noatime,nodiratime,errors=remount-ro,commit=600,barrier=1,data=journal 0 0
/dev/sda1 /boot ext2 ro,sync,nosuid,nodev,noexec,noatime,nodiratime,errors=continue 0 0
/dev/mapper/opt /opt ext3 rw,noatime,nodiratime,errors=remount-ro,commit=600,barrier=1,data=journal 0 0
*********************** END /proc/mounts

*********************** BEGIN /boot/grub/device.map
(hd0)	/dev/disk/by-id/ata-WDC_WD3200BEVS-08VAT2_WD-WXF0E79WF199
*********************** END /boot/grub/device.map

*********************** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  set have_grubenv=true
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}
function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

terminal_input console
terminal_output console
if [ "${recordfail}" = 1 ] ; then
  set timeout=-1
else
  if [ x$feature_timeout_style = xy ] ; then
    set timeout_style=menu
    set timeout=5
  # Fallback normal timeout code in case the timeout_style feature is
  # unavailable.
  else
    set timeout=5
  fi
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/01_authenticate ###
set superusers=root
### PASSWORD LINE REMOVED ###
### END /etc/grub.d/01_authenticate ###

### BEGIN /etc/grub.d/05_debian_theme ###
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/20_linux_xen ###

### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
*********************** END /boot/grub/grub.cfg

*********************** BEGIN /proc/mdstat
cat: /proc/mdstat: No such file or directory
*********************** END /proc/mdstat

*********************** BEGIN /dev/disk/by-id
total 0
lrwxrwxrwx 1 root root  9 Dec 14 14:26 ata-WDC_WD3200BEVS-08VAT2_WD-WXF0E79WF199 -> ../../sda
lrwxrwxrwx 1 root root 10 Dec 14 14:26 ata-WDC_WD3200BEVS-08VAT2_WD-WXF0E79WF199-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Dec 14 14:26 ata-WDC_WD3200BEVS-08VAT2_WD-WXF0E79WF199-part2 -> ../../sda2
lrwxrwxrwx 1 root root 10 Dec 14 14:26 ata-WDC_WD3200BEVS-08VAT2_WD-WXF0E79WF199-part3 -> ../../sda3
lrwxrwxrwx 1 root root 10 Dec 14 14:26 ata-WDC_WD3200BEVS-08VAT2_WD-WXF0E79WF199-part4 -> ../../sda4
lrwxrwxrwx 1 root root 10 Dec 14 14:26 ata-WDC_WD3200BEVS-08VAT2_WD-WXF0E79WF199-part5 -> ../../sda5
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-name-opt -> ../../dm-9
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-name-root -> ../../dm-7
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-name-swap -> ../../dm-8
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-name-system-dumps -> ../../dm-3
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-name-system-opt -> ../../dm-4
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-name-system-pictures -> ../../dm-6
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-name-system-rescue -> ../../dm-2
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-name-system-root -> ../../dm-1
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-name-system-swap -> ../../dm-0
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-name-system-vms -> ../../dm-5
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-uuid-CRYPT-PLAIN-opt -> ../../dm-9
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-uuid-CRYPT-PLAIN-root -> ../../dm-7
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-uuid-CRYPT-PLAIN-swap -> ../../dm-8
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-uuid-LVM-6eRjM8Rx9xRqytIbwm54PUTQlFKA4UEt0ntXEsi8RPhIT0s5gEdV14vsPH9PWG1M -> ../../dm-1
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-uuid-LVM-6eRjM8Rx9xRqytIbwm54PUTQlFKA4UEt81C4GBkUV4aOuMD73gJo4bb0hONyZC3P -> ../../dm-3
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-uuid-LVM-6eRjM8Rx9xRqytIbwm54PUTQlFKA4UEt8us7WoVt1SKujBxRIiL7fceokdqjWYDG -> ../../dm-2
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-uuid-LVM-6eRjM8Rx9xRqytIbwm54PUTQlFKA4UEtKm79Ilzj1QTaIMLkmh2tSr0Wqq1jqIPB -> ../../dm-6
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-uuid-LVM-6eRjM8Rx9xRqytIbwm54PUTQlFKA4UEtNFAkj8kA2P3ibkYp3NGO8UTAMU0qX5EX -> ../../dm-4
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-uuid-LVM-6eRjM8Rx9xRqytIbwm54PUTQlFKA4UEtY3vR7wfiNoJDA0LJhdjCvEWOSiE7S2Qm -> ../../dm-5
lrwxrwxrwx 1 root root 10 Dec 14 14:26 dm-uuid-LVM-6eRjM8Rx9xRqytIbwm54PUTQlFKA4UEtZDftM3prOjDsJF6iJPV3ci1FIQNnjRCC -> ../../dm-0
lrwxrwxrwx 1 root root 10 Dec 14 14:26 lvm-pv-uuid-9GE6Cl-e5tT-ZTCB-gDME-DCuw-kKhk-xT53We -> ../../sda5
lrwxrwxrwx 1 root root  9 Dec 14 14:26 wwn-0x50014ee258a7cd66 -> ../../sda
lrwxrwxrwx 1 root root 10 Dec 14 14:26 wwn-0x50014ee258a7cd66-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Dec 14 14:26 wwn-0x50014ee258a7cd66-part2 -> ../../sda2
lrwxrwxrwx 1 root root 10 Dec 14 14:26 wwn-0x50014ee258a7cd66-part3 -> ../../sda3
lrwxrwxrwx 1 root root 10 Dec 14 14:26 wwn-0x50014ee258a7cd66-part4 -> ../../sda4
lrwxrwxrwx 1 root root 10 Dec 14 14:26 wwn-0x50014ee258a7cd66-part5 -> ../../sda5
*********************** END /dev/disk/by-id

*********************** BEGIN /dev/disk/by-uuid
total 0
lrwxrwxrwx 1 root root 10 Dec 14 14:26 033b8bcc-6c1f-4262-8f11-6cbae5107772 -> ../../dm-7
lrwxrwxrwx 1 root root 10 Dec 14 14:26 09e80368-7787-470d-8946-ebeea297bac6 -> ../../dm-9
lrwxrwxrwx 1 root root 10 Dec 14 14:26 8cb89721-336c-411e-a145-dfe03f0d14e7 -> ../../dm-2
lrwxrwxrwx 1 root root 10 Dec 14 14:26 a8c9dd64-755b-4ecc-a6be-a1b0e2cdee6f -> ../../dm-8
lrwxrwxrwx 1 root root 10 Dec 14 14:26 c53ab4a1-956d-4b60-80d8-f2f48751b94b -> ../../sda1
*********************** END /dev/disk/by-uuid

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (995, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.10-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages grub2 depends on:
ii  grub-common  2.02~beta2-17
ii  grub-pc      2.02~beta2-17

grub2 recommends no packages.

grub2 suggests no packages.

-- no debconf information

More information about the Pkg-grub-devel mailing list