Bug#795810: grub-pc: passwords never allowed in config

Richard Jasmin frazzledjazz at gmail.com
Mon Aug 17 06:51:15 UTC 2015 

Package: grub-pc
Version: 2.02~beta2-26
Severity: important

I cant seem to get grub v2.02 (i386?) to take to using a password to restrict
users from editing boot options.

Im using method posted online from an ubuntu forum.The instructions seem
relevant and all of the files it references seem to be present on the system.

When I use the 00_header file, I get password and password_pbkdf2 cannot be
found errors.Otherwise I follow these instructions.

sudo grub-mkpasswd-pbkdf2
ENTER password TWICE.
(It will spew out some hash for you.)

sudo nano  /etc/grub.d/40_custom
add:
set supervisors="" <put a username here>
password_pbkdf2 <username> <hash>

sudo update-grub
sudo reboot

Problem is I can still edit the boot options, even though this way, things
succeed.Its as if no password is set.
Furthermore my setup is forced into ro mode, kind of borking everything from
working when this occurs. I have to force rw mode to properly boot the system.

I cannot follow grub-install option either.

Installing for i386-pc platform.
grub-install: warning: File system `ext2' doesn't support embedding.
grub-install: warning: Embedding is not possible.  GRUB can only be installed
in this setup by using blocklists.  However, blocklists are UNRELIABLE and
their use is discouraged..
grub-install: error: will not proceed with blocklists.

This is an EXT4 system and its 64BIT. I had to force install in 32bit mode to
get Linux to take on this hardware.



-- Package-specific info:

*********************** BEGIN /proc/mounts
/dev/sda1 / ext4 rw,relatime 0 0
*********************** END /proc/mounts

*********************** BEGIN /boot/grub/grub.cfg

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages grub-pc depends on:
ii  debconf [debconf-2.0]  1.5.57
ii  grub-common            2.02~beta2-26
ii  grub-pc-bin            2.02~beta2-26
ii  grub2-common           2.02~beta2-26
ii  ucf                    3.0030

grub-pc recommends no packages.

grub-pc suggests no packages.

-- debconf information:
  grub-pc/install_devices_failed: false
  grub-pc/install_devices_failed_upgrade: true
  grub-pc/disk_description:
* grub-pc/install_devices: /dev/disk/by-id/ata-ST2000DX001-1CM164_Z1E7TKTH
  grub-pc/chainload_from_menu.lst: true
  grub2/force_efi_extra_removable: false
  grub-pc/kopt_extracted: false
* grub2/linux_cmdline_default: quiet
  grub-pc/timeout: 5
  grub-pc/hidden_timeout: false
  grub-pc/install_devices_empty: false
  grub-pc/mixed_legacy_and_grub2: true
  grub2/kfreebsd_cmdline:
  grub-pc/partition_description:
  grub-pc/install_devices_disks_changed:
  grub-pc/postrm_purge_boot_grub: false
  grub2/kfreebsd_cmdline_default: quiet
  grub2/device_map_regenerated:
* grub2/linux_cmdline:

More information about the Pkg-grub-devel mailing list