Bug#808316: grub-common: Grub supports running the system even if you forget the password
Himanshu Shekhar
himanshushekharb16 at gmail.com
Fri Dec 18 15:28:01 UTC 2015
Package: grub-common
Version: 2.02~beta2-22+deb8u1
Severity: important
Dear Maintainer,
* What led up to the situation?
There are many articles on the internet that describe what to do if you
forget the password; you can find one here
(http://www.howtogeek.com/howto/linux/reset-your-forgotten-ubuntu-password-in-2-minutes-or-less/ ).
Articles like the one above say to press e in the GRUB menu and add the text
"mount -rw -o remount /" to the kernel line, after which whoever has physical
possession of the system has root access.
Physical possession is a bit difficult in the case of servers and desktops, but
it is very easy in today's world, where laptop users are also running Linux on
their portable systems.
* What exactly did you do (or not do) that was effective (or ineffective)?
There were concerns on the internet about the bug that gave root access after
pressing backspace 28 times, which was considered a threat.
However, I have known about the method described above for a long time and
consider it a security threat as well.
There should be some way for the user to recover a lost password in the worst
case, while preventing an unauthorised person with physical possession of the
system from gaining root access within a minute and messing everything up.
-- Package-specific info:
*********************** BEGIN /proc/mounts
/dev/sda1 / ext3 rw,relatime,errors=remount-ro,data=ordered 0 0
/dev/sda5 /media/himanshu/himanshu fuseblk rw,relatime,user_id=0,group_id=0,allow_other,blksize=4096 0 0
*********************** END /proc/mounts
*********************** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
# NOTE(review): nothing in this generated file sets `superusers` or declares a
# `password` / `password_pbkdf2` user, so the menu editor and the GRUB command
# line are open to anyone at the console, which is the behaviour this report
# describes. Restricting them means defining a superuser with a password_pbkdf2
# hash (from grub-mkpasswd-pbkdf2) in a template under /etc/grub.d and
# regenerating this file; entries that must still boot unattended then need
# --unrestricted. That does not cover booting from other media or reading the
# disk directly, which need a firmware password and disk encryption.
#
# Restore persisted variables from the environment block, but only when a
# non-empty grubenv file exists under $prefix.
if [ -s $prefix/grubenv ]; then
set have_grubenv=true
load_env
fi
# A pending next_entry becomes the default for this boot; it is cleared and
# saved back, and boot_once marks the boot as a one-off. Otherwise entry 0 is
# the default.
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="0"
fi
# Pass --id to menuentry only when this GRUB build advertises the feature.
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
# If prev_saved_entry is set, copy it into saved_entry, persist both changes,
# and mark this boot as a one-off.
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
# Persist the chosen menu entry as saved_entry in the environment block,
# unless boot_once is set (this boot was a one-off selection).
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
# Load video driver modules: the single all_video module when the feature flag
# is set, otherwise each of the listed drivers one by one.
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
# Pick the menu font. With the default-font-path feature the bare name
# "unicode" is enough; otherwise load the partition and filesystem modules,
# find the filesystem by UUID and use the full path to unicode.pf2.
if [ x$feature_default_font_path = xy ] ; then
font=unicode
else
insmod part_gpt
insmod ext2
set root='hd0,gpt1'
# The --hint-* form is used only when the platform-search-hint feature exists;
# both forms set root from the same filesystem UUID.
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt1 --hint-efi=hd0,gpt1 --hint-baremetal=ahci0,gpt1 c5c12eeb-c91b-4dc0-9bf0-be761e43af8f
else
search --no-floppy --fs-uuid --set=root c5c12eeb-c91b-4dc0-9bf0-be761e43af8f
fi
font="/usr/share/grub/unicode.pf2"
fi
# Graphics mode, the gfxterm module and the en_IN locale settings are set up
# only if the font loads.
if loadfont $font ; then
set gfxmode=auto
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=en_IN
insmod gettext
fi
# Runs whether or not the font loaded.
terminal_output gfxterm
# recordfail=1 sets timeout=-1 (presumably: wait at the menu with no countdown,
# confirm against the GRUB manual); otherwise the menu is shown for 5 seconds.
# The menu timeout is not an access control: it only delays booting the default.
if [ "${recordfail}" = 1 ] ; then
set timeout=-1
else
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=5
fi
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/05_debian_theme ###
# Theme setup: locate the filesystem holding the background image by UUID,
# with search hints when the platform feature is available.
insmod part_gpt
insmod ext2
set root='hd0,gpt1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt1 --hint-efi=hd0,gpt1 --hint-baremetal=ahci0,gpt1 c5c12eeb-c91b-4dc0-9bf0-be761e43af8f
else
search --no-floppy --fs-uuid --set=root c5c12eeb-c91b-4dc0-9bf0-be761e43af8f
fi
insmod png
# Colours depend on whether the background image could be loaded.
if background_image /usr/share/images/desktop-base/lines-grub.png; then
set color_normal=white/black
set color_highlight=black/white
else
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_debian_theme ###
### BEGIN /etc/grub.d/10_linux ###
# Set gfxpayload to the function's first argument.
function gfxmode {
set gfxpayload="${1}"
}
# linux_gfx_mode is exported with an empty value.
set linux_gfx_mode=
export linux_gfx_mode
# Debian entry for Linux 3.16.0-4-amd64, root filesystem selected by UUID.
# NOTE(review): the entry carries neither --users nor --unrestricted. With no
# superusers defined anywhere in this config that makes no difference, and the
# kernel command line on the `linux` line can be changed at boot by anyone at
# the keyboard.
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-c5c12eeb-c91b-4dc0-9bf0-be761e43af8f' {
load_video
insmod gzio
# Extra decompression modules are loaded only on the xen platform.
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
set root='hd0,gpt1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt1 --hint-efi=hd0,gpt1 --hint-baremetal=ahci0,gpt1 c5c12eeb-c91b-4dc0-9bf0-be761e43af8f
else
search --no-floppy --fs-uuid --set=root c5c12eeb-c91b-4dc0-9bf0-be761e43af8f
fi
echo 'Loading Linux 3.16.0-4-amd64 ...'
# Kernel command line: root by UUID, mounted read-only, quiet boot.
linux /boot/vmlinuz-3.16.0-4-amd64 root=UUID=c5c12eeb-c91b-4dc0-9bf0-be761e43af8f ro quiet
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-3.16.0-4-amd64
}
# Submenu with a normal and a recovery-mode entry for Linux 3.16.0-4-amd64.
# NOTE(review): neither the submenu nor its entries name --users or
# --unrestricted, and this config defines no superusers, so both entries can
# be booted and edited without authentication.
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-c5c12eeb-c91b-4dc0-9bf0-be761e43af8f' {
# Normal boot: same kernel command line as the top-level Debian entry.
menuentry 'Debian GNU/Linux, with Linux 3.16.0-4-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.16.0-4-amd64-advanced-c5c12eeb-c91b-4dc0-9bf0-be761e43af8f' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
set root='hd0,gpt1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt1 --hint-efi=hd0,gpt1 --hint-baremetal=ahci0,gpt1 c5c12eeb-c91b-4dc0-9bf0-be761e43af8f
else
search --no-floppy --fs-uuid --set=root c5c12eeb-c91b-4dc0-9bf0-be761e43af8f
fi
echo 'Loading Linux 3.16.0-4-amd64 ...'
linux /boot/vmlinuz-3.16.0-4-amd64 root=UUID=c5c12eeb-c91b-4dc0-9bf0-be761e43af8f ro quiet
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-3.16.0-4-amd64
}
# Recovery mode: same kernel and initrd, with `single` in place of `quiet`.
# NOTE(review): whether single-user mode asks for the root password before
# giving a shell is decided by the booted system, not by this file; confirm
# on the target.
menuentry 'Debian GNU/Linux, with Linux 3.16.0-4-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.16.0-4-amd64-recovery-c5c12eeb-c91b-4dc0-9bf0-be761e43af8f' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
set root='hd0,gpt1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt1 --hint-efi=hd0,gpt1 --hint-baremetal=ahci0,gpt1 c5c12eeb-c91b-4dc0-9bf0-be761e43af8f
else
search --no-floppy --fs-uuid --set=root c5c12eeb-c91b-4dc0-9bf0-be761e43af8f
fi
echo 'Loading Linux 3.16.0-4-amd64 ...'
linux /boot/vmlinuz-3.16.0-4-amd64 root=UUID=c5c12eeb-c91b-4dc0-9bf0-be761e43af8f ro single
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-3.16.0-4-amd64
}
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/30_os-prober ###
# Entry for the second installed system (labelled as on /dev/sda3), booting
# its 3.19.0-39-generic kernel from hd0,gpt3.
# NOTE(review): like the Debian entries, this one has no --users or
# --unrestricted option and the config defines no superusers, so its kernel
# command line is equally editable at boot.
menuentry 'elementary OS Freya (0.3.2) (on /dev/sda3)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-simple-150bbed2-e29e-4a96-8f9e-6e993e22df04' {
insmod part_gpt
insmod ext2
set root='hd0,gpt3'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt3 --hint-efi=hd0,gpt3 --hint-baremetal=ahci0,gpt3 150bbed2-e29e-4a96-8f9e-6e993e22df04
else
search --no-floppy --fs-uuid --set=root 150bbed2-e29e-4a96-8f9e-6e993e22df04
fi
# $vt_handoff is not assigned anywhere in this dump, so it presumably expands
# to nothing here.
linux /boot/vmlinuz-3.19.0-39-generic root=UUID=150bbed2-e29e-4a96-8f9e-6e993e22df04 ro quiet splash $vt_handoff
initrd /boot/initrd.img-3.19.0-39-generic
}
# Submenu for the second installed system: normal and recovery entries for
# kernels 3.19.0-39-generic and 3.19.0-33-generic, all on hd0,gpt3.
# NOTE(review): none of these entries is restricted with --users, and the
# config defines no superusers, so the recovery entries and the editable
# command lines are reachable without authentication.
submenu 'Advanced options for elementary OS Freya (0.3.2) (on /dev/sda3)' $menuentry_id_option 'osprober-gnulinux-advanced-150bbed2-e29e-4a96-8f9e-6e993e22df04' {
# This entry and the next one are declared with the same id string.
menuentry 'elementary OS (on /dev/sda3)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-3.19.0-39-generic--150bbed2-e29e-4a96-8f9e-6e993e22df04' {
insmod part_gpt
insmod ext2
set root='hd0,gpt3'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt3 --hint-efi=hd0,gpt3 --hint-baremetal=ahci0,gpt3 150bbed2-e29e-4a96-8f9e-6e993e22df04
else
search --no-floppy --fs-uuid --set=root 150bbed2-e29e-4a96-8f9e-6e993e22df04
fi
linux /boot/vmlinuz-3.19.0-39-generic root=UUID=150bbed2-e29e-4a96-8f9e-6e993e22df04 ro quiet splash $vt_handoff
initrd /boot/initrd.img-3.19.0-39-generic
}
menuentry 'elementary OS, with Linux 3.19.0-39-generic (on /dev/sda3)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-3.19.0-39-generic--150bbed2-e29e-4a96-8f9e-6e993e22df04' {
insmod part_gpt
insmod ext2
set root='hd0,gpt3'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt3 --hint-efi=hd0,gpt3 --hint-baremetal=ahci0,gpt3 150bbed2-e29e-4a96-8f9e-6e993e22df04
else
search --no-floppy --fs-uuid --set=root 150bbed2-e29e-4a96-8f9e-6e993e22df04
fi
linux /boot/vmlinuz-3.19.0-39-generic root=UUID=150bbed2-e29e-4a96-8f9e-6e993e22df04 ro quiet splash $vt_handoff
initrd /boot/initrd.img-3.19.0-39-generic
}
# Recovery entry for 3.19.0-39: `recovery nomodeset` replaces `quiet splash`.
menuentry 'elementary OS, with Linux 3.19.0-39-generic (recovery mode) (on /dev/sda3)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-3.19.0-39-generic-root=UUID=150bbed2-e29e-4a96-8f9e-6e993e22df04 ro recovery nomodeset-150bbed2-e29e-4a96-8f9e-6e993e22df04' {
insmod part_gpt
insmod ext2
set root='hd0,gpt3'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt3 --hint-efi=hd0,gpt3 --hint-baremetal=ahci0,gpt3 150bbed2-e29e-4a96-8f9e-6e993e22df04
else
search --no-floppy --fs-uuid --set=root 150bbed2-e29e-4a96-8f9e-6e993e22df04
fi
linux /boot/vmlinuz-3.19.0-39-generic root=UUID=150bbed2-e29e-4a96-8f9e-6e993e22df04 ro recovery nomodeset
initrd /boot/initrd.img-3.19.0-39-generic
}
# Older kernel 3.19.0-33, normal boot.
menuentry 'elementary OS, with Linux 3.19.0-33-generic (on /dev/sda3)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-3.19.0-33-generic--150bbed2-e29e-4a96-8f9e-6e993e22df04' {
insmod part_gpt
insmod ext2
set root='hd0,gpt3'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt3 --hint-efi=hd0,gpt3 --hint-baremetal=ahci0,gpt3 150bbed2-e29e-4a96-8f9e-6e993e22df04
else
search --no-floppy --fs-uuid --set=root 150bbed2-e29e-4a96-8f9e-6e993e22df04
fi
linux /boot/vmlinuz-3.19.0-33-generic root=UUID=150bbed2-e29e-4a96-8f9e-6e993e22df04 ro quiet splash $vt_handoff
initrd /boot/initrd.img-3.19.0-33-generic
}
# Recovery entry for 3.19.0-33.
menuentry 'elementary OS, with Linux 3.19.0-33-generic (recovery mode) (on /dev/sda3)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz-3.19.0-33-generic-root=UUID=150bbed2-e29e-4a96-8f9e-6e993e22df04 ro recovery nomodeset-150bbed2-e29e-4a96-8f9e-6e993e22df04' {
insmod part_gpt
insmod ext2
set root='hd0,gpt3'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt3 --hint-efi=hd0,gpt3 --hint-baremetal=ahci0,gpt3 150bbed2-e29e-4a96-8f9e-6e993e22df04
else
search --no-floppy --fs-uuid --set=root 150bbed2-e29e-4a96-8f9e-6e993e22df04
fi
linux /boot/vmlinuz-3.19.0-33-generic root=UUID=150bbed2-e29e-4a96-8f9e-6e993e22df04 ro recovery nomodeset
initrd /boot/initrd.img-3.19.0-33-generic
}
}
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/30_uefi-firmware ###
### END /etc/grub.d/30_uefi-firmware ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
# Source a hand-written custom.cfg if one exists: first under
# ${config_directory}, otherwise under $prefix when config_directory is empty.
# NOTE(review): whatever that file contains runs as part of this boot script,
# so it should be writable by root only; confirm its permissions on the target.
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
*********************** END /boot/grub/grub.cfg
*********************** BEGIN /proc/mdstat
cat: /proc/mdstat: No such file or directory
*********************** END /proc/mdstat
*********************** BEGIN /dev/disk/by-id
total 0
lrwxrwxrwx 1 root root 9 Dec 18 20:36 ata-MATSHITA_DVD+_-RW_UJ8E2_H086_017619 -> ../../sr0
lrwxrwxrwx 1 root root 9 Dec 18 20:36 ata-ST1000LM024_HN-M101MBB_S314JA0FB14082 -> ../../sda
lrwxrwxrwx 1 root root 10 Dec 18 20:36 ata-ST1000LM024_HN-M101MBB_S314JA0FB14082-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Dec 18 20:36 ata-ST1000LM024_HN-M101MBB_S314JA0FB14082-part2 -> ../../sda2
lrwxrwxrwx 1 root root 10 Dec 18 20:36 ata-ST1000LM024_HN-M101MBB_S314JA0FB14082-part3 -> ../../sda3
lrwxrwxrwx 1 root root 10 Dec 18 20:36 ata-ST1000LM024_HN-M101MBB_S314JA0FB14082-part5 -> ../../sda5
lrwxrwxrwx 1 root root 9 Dec 18 20:36 wwn-0x50004cf20e9b00ff -> ../../sda
lrwxrwxrwx 1 root root 10 Dec 18 20:36 wwn-0x50004cf20e9b00ff-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Dec 18 20:36 wwn-0x50004cf20e9b00ff-part2 -> ../../sda2
lrwxrwxrwx 1 root root 10 Dec 18 20:36 wwn-0x50004cf20e9b00ff-part3 -> ../../sda3
lrwxrwxrwx 1 root root 10 Dec 18 20:36 wwn-0x50004cf20e9b00ff-part5 -> ../../sda5
*********************** END /dev/disk/by-id
*********************** BEGIN /dev/disk/by-uuid
total 0
lrwxrwxrwx 1 root root 10 Dec 18 20:36 150bbed2-e29e-4a96-8f9e-6e993e22df04 -> ../../sda3
lrwxrwxrwx 1 root root 10 Dec 18 20:36 8E625C82625C7147 -> ../../sda5
lrwxrwxrwx 1 root root 10 Dec 18 20:36 8e1660b4-b7d1-4686-8939-f64d328ea13d -> ../../sda2
lrwxrwxrwx 1 root root 10 Dec 18 20:36 c5c12eeb-c91b-4dc0-9bf0-be761e43af8f -> ../../sda1
*********************** END /dev/disk/by-uuid
-- System Information:
Debian Release: 8.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN.utf8, LC_CTYPE=en_IN.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages grub-common depends on:
ii gettext-base 0.19.3-2
ii libc6 2.19-18+deb8u1
ii libdevmapper1.02.1 2:1.02.90-2.2
ii libfreetype6 2.5.2-3+deb8u1
ii libfuse2 2.9.3-15+deb8u1
ii liblzma5 5.1.1alpha+20120614-2+b3
ii libpng12-0 1.2.50-2+deb8u1
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages grub-common recommends:
ii os-prober 1.65
Versions of packages grub-common suggests:
ii console-setup 1.123
ii desktop-base 8.0.2
pn grub-emu <none>
pn multiboot-doc <none>
pn xorriso <none>
-- no debconf information