Bug#1000854: grub-common: Removal of --unrestricted prevents booting for normal users if pass is set
Matteo Settenvini
matteo.settenvini at montecristosoftware.eu
Tue Nov 30 10:10:30 GMT 2021
Package: grub-common
Version: 2.06-2
Severity: important
Dear Maintainer,
since the last update of grub-common, all users are required to enter a
username and password before being able to boot the system. This is due to the
removal of the '--unrestricted' option from the CLASS variable in
/etc/grub.d/10_linux. The credentials asked for are NOT the users' regular system
username and password, but the bootloader-specific ones.
**In turn, it results in effectively locking out users from their machine.**
This incompatible change was not listed in the changelog of the package upon
update. It affects only users for whom a custom GRUB password was set by the
administrator (which is likely to be the case in enterprise scenarios).
This is a serious problem: if the update were deployed remotely to our machines,
it would lock all users out from the next boot (by policy, the superuser is the
only one able to edit entries). Fortunately we caught this during internal testing.
Please consider adding back the '--unrestricted' flag, or at least prominently
warn users upon upgrade. Unfortunately, there is no built-in configuration
variable to toggle the default behaviour; it might be good to add one.
Thanks,
Matteo
PS: The culprit is:
--- /etc/grub.d/10_linux.dpkg-old 2019-12-27 00:58:08.047217825 +0100
+++ /etc/grub.d/10_linux 2021-11-29 01:10:09.000000000 +0100
@@ -31,7 +31,7 @@
export TEXTDOMAIN=grub
export TEXTDOMAINDIR="${datarootdir}/locale"
-CLASS="--class gnu-linux --class gnu --class os --unrestricted"
+CLASS="--class gnu-linux --class gnu --class os"
SUPPORTED_INITS="sysvinit:/lib/sysvinit/init systemd:/lib/systemd/systemd upstart:/sbin/upstart"
if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
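Review bot: Dropping `--unrestricted` from CLASS changes who may boot, not only who may edit, on every system where `set superusers=` is configured: GRUB requires superuser authentication to run a menuentry that carries neither `--unrestricted` nor `--users`, so each entry this template generates now prompts for the bootloader password before the kernel is loaded. The places where CLASS is consumed lie outside the hunk, so the behaviour change is invisible here and should at minimum be recorded in the package changelog or NEWS so administrators who set a password can react before the next reboot. If a lockdown-by-default is intended, it would be safer to make it opt-out via /etc/default/grub with a guarded append such as `if [ "x${GRUB_CLASS_UNRESTRICTED-true}" = "xtrue" ]; then CLASS="${CLASS} --unrestricted"; fi` (variable name constructed), which keeps the previous boot behaviour on existing installations while still requiring the password to edit entries.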
-- Package-specific info:
*********************** BEGIN /proc/mounts
/dev/sdb3 / btrfs rw,noatime,ssd,space_cache,subvolid=608,subvol=/rootfs 0 0
/dev/sdb3 /media/btr_pool/rootfs btrfs rw,noatime,ssd,space_cache,subvolid=5,subvol=/ 0 0
/dev/sdb2 /boot ext2 rw,relatime 0 0
/dev/sdb1 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/mapper/vault0 /media/btr_pool/vault btrfs rw,nosuid,noatime,compress=lzo,ssd,space_cache,subvolid=5,subvol=/ 0 0
/dev/mapper/vault0 /home btrfs rw,nosuid,noatime,compress=lzo,ssd,space_cache,subvolid=4224,subvol=/homes 0 0
/dev/mapper/vault1 /media/backup btrfs rw,noatime,compress=lzo,space_cache,subvolid=5,subvol=/ 0 0
*********************** END /proc/mounts
*********************** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
set have_grubenv=true
load_env
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="0"
fi
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
if [ x$feature_default_font_path = xy ] ; then
font=unicode
else
insmod part_gpt
insmod btrfs
set root='hd1,gpt3'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt3 --hint-efi=hd1,gpt3 --hint-baremetal=ahci1,gpt3 6fd6a999-b02d-4856-8412-64dff369d45f
else
search --no-floppy --fs-uuid --set=root 6fd6a999-b02d-4856-8412-64dff369d45f
fi
font="/rootfs/usr/share/grub/unicode.pf2"
fi
if loadfont $font ; then
set gfxmode=2560x1440
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=it_IT
insmod gettext
fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ] ; then
set timeout=30
else
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=5
fi
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/05_debian_theme ###
insmod part_gpt
insmod btrfs
set root='hd1,gpt3'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt3 --hint-efi=hd1,gpt3 --hint-baremetal=ahci1,gpt3 6fd6a999-b02d-4856-8412-64dff369d45f
else
search --no-floppy --fs-uuid --set=root 6fd6a999-b02d-4856-8412-64dff369d45f
fi
insmod png
if background_image /rootfs/usr/share/desktop-base/homeworld-theme/grub/grub-16x9.png; then
set color_normal=white/black
set color_highlight=black/white
else
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_debian_theme ###
### BEGIN /etc/grub.d/08_linux_xen ###
### END /etc/grub.d/08_linux_xen ###
### BEGIN /etc/grub.d/10_linux ###
function gfxmode {
set gfxpayload="${1}"
}
set linux_gfx_mode=
export linux_gfx_mode
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-6fd6a999-b02d-4856-8412-64dff369d45f' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
set root='hd1,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt2 --hint-efi=hd1,gpt2 --hint-baremetal=ahci1,gpt2 469f76d8-6293-4fd4-ad46-180c7bd186f4
else
search --no-floppy --fs-uuid --set=root 469f76d8-6293-4fd4-ad46-180c7bd186f4
fi
echo 'Loading Linux 5.15.0-2-amd64 ...'
linux /vmlinuz-5.15.0-2-amd64 root=UUID=6fd6a999-b02d-4856-8412-64dff369d45f ro rootflags=subvol=rootfs quiet splash
echo 'Loading initial ramdisk ...'
initrd /initrd.img-5.15.0-2-amd64
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-6fd6a999-b02d-4856-8412-64dff369d45f' {
menuentry 'Debian GNU/Linux, with Linux 5.15.0-2-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.15.0-2-amd64-advanced-6fd6a999-b02d-4856-8412-64dff369d45f' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
set root='hd1,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt2 --hint-efi=hd1,gpt2 --hint-baremetal=ahci1,gpt2 469f76d8-6293-4fd4-ad46-180c7bd186f4
else
search --no-floppy --fs-uuid --set=root 469f76d8-6293-4fd4-ad46-180c7bd186f4
fi
echo 'Loading Linux 5.15.0-2-amd64 ...'
linux /vmlinuz-5.15.0-2-amd64 root=UUID=6fd6a999-b02d-4856-8412-64dff369d45f ro rootflags=subvol=rootfs quiet splash
echo 'Loading initial ramdisk ...'
initrd /initrd.img-5.15.0-2-amd64
}
menuentry 'Debian GNU/Linux, with Linux 5.15.0-2-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.15.0-2-amd64-recovery-6fd6a999-b02d-4856-8412-64dff369d45f' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
set root='hd1,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt2 --hint-efi=hd1,gpt2 --hint-baremetal=ahci1,gpt2 469f76d8-6293-4fd4-ad46-180c7bd186f4
else
search --no-floppy --fs-uuid --set=root 469f76d8-6293-4fd4-ad46-180c7bd186f4
fi
echo 'Loading Linux 5.15.0-2-amd64 ...'
linux /vmlinuz-5.15.0-2-amd64 root=UUID=6fd6a999-b02d-4856-8412-64dff369d45f ro single rootflags=subvol=rootfs
echo 'Loading initial ramdisk ...'
initrd /initrd.img-5.15.0-2-amd64
}
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/30_os-prober ###
menuentry 'Windows Boot Manager (on /dev/sdb1)' --class windows --class os $menuentry_id_option 'osprober-efi-09CB-D388' {
insmod part_gpt
insmod fat
set root='hd1,gpt1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt1 --hint-efi=hd1,gpt1 --hint-baremetal=ahci1,gpt1 09CB-D388
else
search --no-floppy --fs-uuid --set=root 09CB-D388
fi
chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/30_uefi-firmware ###
menuentry 'UEFI Firmware Settings' $menuentry_id_option 'uefi-firmware' {
fwsetup
}
### END /etc/grub.d/30_uefi-firmware ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
set superusers="matteo"
### PASSWORD LINE REMOVED ###
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg
fi
### END /etc/grub.d/41_custom ###
*********************** END /boot/grub/grub.cfg
*********************** BEGIN /proc/mdstat
cat: /proc/mdstat: No such file or directory
*********************** END /proc/mdstat
*********************** BEGIN /dev/disk/by-id
total 0
lrwxrwxrwx 1 root root 9 Nov 30 10:22 ata-INTEL_SSDSC2BB120G4_BTWL344206L9120LGN -> ../../sdb
lrwxrwxrwx 1 root root 10 Nov 30 10:22 ata-INTEL_SSDSC2BB120G4_BTWL344206L9120LGN-part1 -> ../../sdb1
lrwxrwxrwx 1 root root 10 Nov 30 10:22 ata-INTEL_SSDSC2BB120G4_BTWL344206L9120LGN-part2 -> ../../sdb2
lrwxrwxrwx 1 root root 10 Nov 30 10:22 ata-INTEL_SSDSC2BB120G4_BTWL344206L9120LGN-part3 -> ../../sdb3
lrwxrwxrwx 1 root root 10 Nov 30 10:22 ata-INTEL_SSDSC2BB120G4_BTWL344206L9120LGN-part4 -> ../../sdb4
lrwxrwxrwx 1 root root 9 Nov 30 10:22 ata-Samsung_SSD_860_EVO_4TB_S3YPNB0K700833X -> ../../sde
lrwxrwxrwx 1 root root 10 Nov 30 10:22 ata-Samsung_SSD_860_EVO_4TB_S3YPNB0K700833X-part1 -> ../../sde1
lrwxrwxrwx 1 root root 9 Nov 30 10:22 ata-SanDisk_SDSSDA240G_173118801648 -> ../../sdc
lrwxrwxrwx 1 root root 10 Nov 30 10:22 ata-SanDisk_SDSSDA240G_173118801648-part1 -> ../../sdc1
lrwxrwxrwx 1 root root 10 Nov 30 10:22 ata-SanDisk_SDSSDA240G_173118801648-part2 -> ../../sdc2
lrwxrwxrwx 1 root root 10 Nov 30 10:22 ata-SanDisk_SDSSDA240G_173118801648-part3 -> ../../sdc3
lrwxrwxrwx 1 root root 10 Nov 30 10:22 ata-SanDisk_SDSSDA240G_173118801648-part4 -> ../../sdc4
lrwxrwxrwx 1 root root 10 Nov 30 10:22 ata-SanDisk_SDSSDA240G_173118801648-part5 -> ../../sdc5
lrwxrwxrwx 1 root root 9 Nov 30 10:22 ata-WDC_WD101KFBX-68R56N0_2TKNS5DD -> ../../sdd
lrwxrwxrwx 1 root root 10 Nov 30 10:22 ata-WDC_WD101KFBX-68R56N0_2TKNS5DD-part1 -> ../../sdd1
lrwxrwxrwx 1 root root 9 Nov 30 10:22 ata-WDC_WD4003FZEX-00Z4SA0_WD-WCC5DK4U1KFD -> ../../sda
lrwxrwxrwx 1 root root 10 Nov 30 10:22 ata-WDC_WD4003FZEX-00Z4SA0_WD-WCC5DK4U1KFD-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Nov 30 10:22 dm-name-swap -> ../../dm-0
lrwxrwxrwx 1 root root 10 Nov 30 10:22 dm-name-vault0 -> ../../dm-2
lrwxrwxrwx 1 root root 10 Nov 30 10:22 dm-name-vault1 -> ../../dm-1
lrwxrwxrwx 1 root root 10 Nov 30 10:22 dm-uuid-CRYPT-LUKS2-88d110c2c38049d7be0e8790a90e49a2-vault1 -> ../../dm-1
lrwxrwxrwx 1 root root 10 Nov 30 10:22 dm-uuid-CRYPT-LUKS2-e4de6f81aae24854aefb58d2dde26f23-vault0 -> ../../dm-2
lrwxrwxrwx 1 root root 10 Nov 30 10:22 dm-uuid-CRYPT-PLAIN-swap -> ../../dm-0
lrwxrwxrwx 1 root root 9 Nov 30 10:22 usb-Generic-_USB3.0_CRW-CF_MD_201407140001-0:0 -> ../../sdf
lrwxrwxrwx 1 root root 9 Nov 30 10:22 usb-Generic-_USB3.0_CRW-MS_201407140001-0:3 -> ../../sdi
lrwxrwxrwx 1 root root 9 Nov 30 10:22 usb-Generic-_USB3.0_CRW-SD_201407140001-0:2 -> ../../sdh
lrwxrwxrwx 1 root root 9 Nov 30 10:22 usb-Generic-_USB3.0_CRW-SD_MS_201407140001-0:4 -> ../../sdj
lrwxrwxrwx 1 root root 9 Nov 30 10:22 usb-Generic-_USB3.0_CRW-SM_xD_201407140001-0:1 -> ../../sdg
lrwxrwxrwx 1 root root 9 Nov 30 10:22 wwn-0x5000cca26af3b4ed -> ../../sdd
lrwxrwxrwx 1 root root 10 Nov 30 10:22 wwn-0x5000cca26af3b4ed-part1 -> ../../sdd1
lrwxrwxrwx 1 root root 9 Nov 30 10:22 wwn-0x50014ee20aa26d7d -> ../../sda
lrwxrwxrwx 1 root root 10 Nov 30 10:22 wwn-0x50014ee20aa26d7d-part1 -> ../../sda1
lrwxrwxrwx 1 root root 9 Nov 30 10:22 wwn-0x5001b448b4d5c50b -> ../../sdc
lrwxrwxrwx 1 root root 10 Nov 30 10:22 wwn-0x5001b448b4d5c50b-part1 -> ../../sdc1
lrwxrwxrwx 1 root root 10 Nov 30 10:22 wwn-0x5001b448b4d5c50b-part2 -> ../../sdc2
lrwxrwxrwx 1 root root 10 Nov 30 10:22 wwn-0x5001b448b4d5c50b-part3 -> ../../sdc3
lrwxrwxrwx 1 root root 10 Nov 30 10:22 wwn-0x5001b448b4d5c50b-part4 -> ../../sdc4
lrwxrwxrwx 1 root root 10 Nov 30 10:22 wwn-0x5001b448b4d5c50b-part5 -> ../../sdc5
lrwxrwxrwx 1 root root 9 Nov 30 10:22 wwn-0x5002538e40531741 -> ../../sde
lrwxrwxrwx 1 root root 10 Nov 30 10:22 wwn-0x5002538e40531741-part1 -> ../../sde1
lrwxrwxrwx 1 root root 9 Nov 30 10:22 wwn-0x55cd2e404b50d528 -> ../../sdb
lrwxrwxrwx 1 root root 10 Nov 30 10:22 wwn-0x55cd2e404b50d528-part1 -> ../../sdb1
lrwxrwxrwx 1 root root 10 Nov 30 10:22 wwn-0x55cd2e404b50d528-part2 -> ../../sdb2
lrwxrwxrwx 1 root root 10 Nov 30 10:22 wwn-0x55cd2e404b50d528-part3 -> ../../sdb3
lrwxrwxrwx 1 root root 10 Nov 30 10:22 wwn-0x55cd2e404b50d528-part4 -> ../../sdb4
*********************** END /dev/disk/by-id
*********************** BEGIN /dev/disk/by-uuid
total 0
lrwxrwxrwx 1 root root 10 Nov 30 10:22 09CB-D388 -> ../../sdb1
lrwxrwxrwx 1 root root 10 Nov 30 10:22 1176e095-7422-4677-b6cd-f386f43f21f6 -> ../../dm-2
lrwxrwxrwx 1 root root 10 Nov 30 10:22 1911C29D28523BEC -> ../../sdd1
lrwxrwxrwx 1 root root 10 Nov 30 10:22 403E28023E27EF98 -> ../../sdc5
lrwxrwxrwx 1 root root 10 Nov 30 10:22 4556166a-98ce-45c9-9956-7081f46947d0 -> ../../dm-1
lrwxrwxrwx 1 root root 10 Nov 30 10:22 469f76d8-6293-4fd4-ad46-180c7bd186f4 -> ../../sdb2
lrwxrwxrwx 1 root root 10 Nov 30 10:22 568e1406-d10e-4fd2-a05b-470ec651f311 -> ../../dm-0
lrwxrwxrwx 1 root root 10 Nov 30 10:22 6fd6a999-b02d-4856-8412-64dff369d45f -> ../../sdb3
lrwxrwxrwx 1 root root 10 Nov 30 10:22 88d110c2-c380-49d7-be0e-8790a90e49a2 -> ../../sda1
lrwxrwxrwx 1 root root 10 Nov 30 10:22 BE36B02036AFD7A3 -> ../../sdc3
lrwxrwxrwx 1 root root 10 Nov 30 10:22 FCD893C9D8938096 -> ../../sdc4
lrwxrwxrwx 1 root root 10 Nov 30 10:22 e4de6f81-aae2-4854-aefb-58d2dde26f23 -> ../../sde1
*********************** END /dev/disk/by-uuid
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.15.0-2-amd64 (SMP w/24 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages grub-common depends on:
ii gettext-base 0.21-4
ii libc6 2.32-4
ii libdevmapper1.02.1 2:1.02.175-2.1
ii libefiboot1 37-6
ii libefivar1 37-6
ii libfreetype6 2.11.0+dfsg-1
ii libfuse2 2.9.9-5
ii liblzma5 5.2.5-2
Versions of packages grub-common recommends:
ii os-prober 1.79
Versions of packages grub-common suggests:
ii console-setup 1.207
ii desktop-base 11.0.3
pn grub-emu <none>
ii mtools 4.0.33-1+really4.0.32-1
pn multiboot-doc <none>
pn xorriso <none>
-- Configuration Files:
/etc/grub.d/20_linux_xen [Errno 2] File o directory non esistente: '/etc/grub.d/20_linux_xen'
/etc/grub.d/40_custom changed:
exec tail -n +3 $0
set superusers="matteo"
password_pbkdf2 matteo grub.pbkdf2.sha512.10000.<omitted!>
-- no debconf information