| Summary: | grub2-setpassword to manually set a boot menu password does not work, reports "/boot/efi/EFI/redhat//user.cfg: No such file or directory" | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Muhammad Tailounie <mageia> |
| Component: | RPM Packages | Assignee: | All Packagers <pkg-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | minor | ||
| Priority: | Normal | CC: | lewyssmith, ouaurelien |
| Version: | 7 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | grub2-2.02.0-15.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
Muhammad Tailounie
2021-01-16 20:07:33 CET
Hi, thanks for reporting this. From my own testing, I do add a grub password with drakboot under MCC. This only prevents me from editing the kernel cmd line. Have you ever tried the M8 beta 2? Why not use our tool?

Severity: normal => enhancement

Hi; I have not tested M8 yet, and I am doing it in order to test various aspects of GRUB under Mageia :))

The fault described is legitimate on my EFI system. Clearly nobody does this, or it would have been reported before. Perhaps it works on a BIOS/MBR box.
"grub-setpassword — Generate the user.cfg file containing the hashed grub bootloader password."
$ sudo grub2-setpassword -o /boot/grub2
Enter password:
Confirm password:
/sbin/grub2-setpassword: line 123: /boot/efi/EFI/redhat//user.cfg: No such file or directory
[Luckily, no 'user.cfg' generated.]
> I modified the script on my machine so that it worked
if [ -d /sys/firmware/efi/efivars/ ]; then
    grubdir=`echo "//boot/efi/EFI/redhat/" | sed 's,//*,/,g'` ######
else
    grubdir=`echo "//boot//grub2" | sed 's,//*,/,g'`
fi
What exactly did you change it to?
Even on this EFI box, /boot/grub2/grub.cfg is the only occurrence of that file, so /boot/grub2/ should probably be the required path anyway.
Section Security (18) of
$ info grub2
discusses this issue. As Aurélien said, the facility is to limit the ability both to edit Grub2 menu lines; and can limit choosing individual entries per user.
From the MCC manual (worth having:
mageia-doc-mcc-common-7.3-1.mga7 + mageia-doc-mcc-<LANG>-7.3-1.mga7 )
MCC-Booting-Define how the system starts:
"In the third and last part, called Security, it is possible to set a password for the bootloader. This means a username and password will be asked at the boot time to select a booting entry or change settings. The username is "root" and the password is the one chosen here."
The fact that the first "Mageia" menu entry is not password protected could be intentional. Obviously if you wanted to protect entry to the entire system - say machine - a BIOS/firmware boot password should do that.
I shall try it via MCC to see what happens. (Luckily I have rEFInd to boot this system if it does not work).

Summary: grub2 manually setting a password does not work => grub2-setpassword to manually set a boot menu password does not work, reports "/boot/efi/EFI/redhat//user.cfg: No such file or directory"

Looking again at /sbin/grub2-setpassword. The reported fault should happen if there is no -o parameter, a default value. It looks as if the script:
- Sets a default destn dir 'grubdir' - incorrectly? (the sed does what?)
- Sets the actual O/P directory 'OUTPUT_PATH' if given; else to default
- At the end, uses the *wrong variable*, default rather than actual.
if [ -d /sys/firmware/efi/efivars/ ]; then
    grubdir=`echo "//boot/efi/EFI/redhat/" | sed 's,//*,/,g'` ###
else
    grubdir=`echo "//boot//grub2" | sed 's,//*,/,g'`
fi
...
    -o | --output)
        OUTPUT_PATH=`argument $option "$@"`; shift ;;
...
# set user input or default path for user.cfg file
if [ -z "${OUTPUT_PATH}" ]; then
    OUTPUT_PATH="${grubdir}"
fi
...
install -m 0600 /dev/null "${grubdir}/user.cfg" 2>/dev/null || :
chmod 0600 "${grubdir}/user.cfg" 2>/dev/null || :
echo "GRUB2_PASSWORD=${MYPASS}" > "${grubdir}/user.cfg"
>
> What exactly did you change it to?
> Even on this EFI box, /boot/grub2/grub.cfg is the only occurrence of that
> file, so /boot/grub2/ should probably be the required path anyway.
>
I added those lines before closing the IF condition on line 82:
else
    grubdir=$OUTPUT_PATH
So the condition starting at line 78 would be:
if [ ! -d "${OUTPUT_PATH}" ]; then
    echo "${OUTPUT_PATH} does not exist."
    usage
    exit 2;
else
    grubdir=$OUTPUT_PATH
fi
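
A reduced model of the path handling analysed in the comments above, added here as an example and not taken from the grub2-setpassword source or from any commenter. The function names, the scratch directory tree and the hash string are constructed; the second function writes to the validated `-o` directory and stops on errors instead of discarding them.

```shell
#!/bin/sh
# Added example, not the grub2-setpassword source. Scratch paths and the hash
# string are constructed placeholders.
MYPASS="grub.pbkdf2.sha512.10000.CONSTRUCTED-PLACEHOLDER"

# Shipped logic: -o lands in OUTPUT_PATH, but the write still targets grubdir.
write_cfg_shipped() {   # $1 = built-in default dir, $2 = -o value or ""
    grubdir=$1
    OUTPUT_PATH=$2
    if [ -z "$OUTPUT_PATH" ]; then OUTPUT_PATH=$grubdir; fi
    install -m 0600 /dev/null "$grubdir/user.cfg" 2>/dev/null || :
    # Subshell keeps a failed redirection from aborting the caller.
    ( echo "GRUB2_PASSWORD=$MYPASS" > "$grubdir/user.cfg" ) 2>/dev/null
}

# Corrected logic: validate the chosen directory, then write only there.
write_cfg_fixed() {     # same arguments as above
    OUTPUT_PATH=${2:-$1}
    if [ ! -d "$OUTPUT_PATH" ]; then
        echo "$OUTPUT_PATH does not exist." >&2
        return 2
    fi
    # Create the file with mode 0600 before the hash goes into it, and stop
    # on failure instead of discarding the error.
    install -m 0600 /dev/null "$OUTPUT_PATH/user.cfg" || return 1
    echo "GRUB2_PASSWORD=$MYPASS" > "$OUTPUT_PATH/user.cfg"
}

# Permission string of a file, e.g. "-rw-------" (portable, no GNU stat).
cfg_mode() { ls -l "$1" | cut -c1-10; }

# Scratch tree in which the default directory is missing, matching the
# "No such file or directory" error reported above.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/boot/grub2"
    default="$root/boot/efi/EFI/redhat"
    if write_cfg_shipped "$default" "$root/boot/grub2"; then
        echo "shipped: wrote user.cfg"
    else
        echo "shipped: write failed, -o was ignored"
    fi
    if write_cfg_fixed "$default" "$root/boot/grub2"; then
        echo "fixed: $(cfg_mode "$root/boot/grub2/user.cfg") user.cfg in the -o directory"
    fi
    rm -rf "$root"
}
demo
```

After a real run, the same two checks apply to the directory the boot configuration actually reads: `user.cfg` exists there, and its mode is `-rw-------`.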
I tried setting a Grub password via MCC, and it has been a disaster. On re-booting, when trying to achieve anything:
- select (Enter) any menu entry, the first included
- 'e' to edit any line
- leaving it to time out on the first entry
it popped a sort of terminal window asking for user (root) and the defined password. After entering the latter, it waited a bit, then simply returned to the menu. I could not get beyond that. I need to go back to undo that! Am in M8 now.

Assigning this re the 'grub-setpassword' script errors anyway. Globally because Grub has variable committers. Is this fault ours, or from UPSTREAM ?

(In reply to Aurelien Oudelet from comment #1)
> From my own testing, I do add a grub password with drakboot under MCC.
> This only prevents me from editing the kernel cmd line.
M7 or M8? No problems?

Severity: enhancement => minor

Mageia 7 is EOL since July 1st 2021. There will not be any further bugfix for this release. You are encouraged to upgrade to Mageia 8 as soon as possible.
@reporter, if this bug still applies with Mageia 8, please let us know it.
@packager, if you work on the Mageia 7 version of your package, please check the Mageia 8 package if issue is also present. In this case, please fix the Mageia 8 version instead.
This bug report will be closed OLD if there is no further notice within 1st September 2021.

Hi; using the option -o works now. Without this option it tries to update the configuration file on the EFI partition. I only checked M8 FWIW.

Resolution: (none) => FIXED