Bug 28123 - grub2-setpassword to manually set a boot menu password does not work, reports "/boot/efi/EFI/redhat//user.cfg: No such file or directory"
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 7
Hardware: All Linux
Priority: Normal minor
Target Milestone: ---
Assignee: All Packagers
Reported: 2021-01-16 20:07 CET by Muhammad Tailounie
Modified: 2021-08-18 13:24 CEST
Source RPM: grub2-2.02.0-15.mga7.src.rpm

Description Muhammad Tailounie 2021-01-16 20:07:33 CET
Hi;

I think that grub2-setpassword must be modified in order to work properly. At least for Mageia.

The problem, in short, is that it keeps trying to save user.cfg under /boot/efi/EFI/redhat. In Mageia, we sure do not use the EFI partition except for grubx64.efi.

I modified the script on my machine so that it worked; however, I had another problem when using grub2-mkconfig: it definitely leaves the Mageia entry available without asking for the password. I do not know whether this is intended behaviour or not, but I am just saying.


In order to reproduce the problem one can try to set a password like this:

# grub2-setpassword -o /boot/grub2



This will result in an error of the path /boot/efi/EFI/redhat.

Can anyone confirm this to be a bug or am I doing it wrong?
Comment 1 Aurelien Oudelet 2021-01-19 10:58:25 CET
Hi, thanks for reporting this.

From my own testing, I do add a grub password with drakboot under MCC.
This only prevents me from editing the kernel cmd line.

Have you ever tried the M8 beta 2?

Why not use our tool?

Severity: normal => enhancement
CC: (none) => ouaurelien

Comment 2 Muhammad Tailounie 2021-01-19 11:06:12 CET
Hi;

I have not tested M8 yet, and I am doing it in order to test various aspects of GRUB under Mageia :))
Comment 3 Lewis Smith 2021-01-22 15:29:48 CET
The fault described is legitimate on my EFI system. Clearly nobody does this, or it would have been reported before. Perhaps it works on a BIOS/MBR box.

"grub-setpassword  —  Generate the user.cfg file containing the hashed grub bootloader password."
 $ sudo grub2-setpassword -o /boot/grub2
Enter password: 
Confirm password: 
/sbin/grub2-setpassword: line 123: /boot/efi/EFI/redhat//user.cfg: No such file or directory
[Luckily, no 'user.cfg' generated.]

> I modified the script on my machine so that it worked
if [ -d /sys/firmware/efi/efivars/ ]; then
    grubdir=`echo "//boot/efi/EFI/redhat/" | sed 's,//*,/,g'`  ######
else
    grubdir=`echo "//boot//grub2" | sed 's,//*,/,g'`
fi

What exactly did you change it to?
Even on this EFI box, /boot/grub2/grub.cfg is the only occurrence of that file, so /boot/grub2/ should probably be the required path anyway.

Section Security (18) of
 $ info grub2
discusses this issue. As Aurélien said, the facility is to limit the ability to edit Grub2 menu lines, and it can also limit choosing individual entries per user.

From the MCC manual (worth having: 
 mageia-doc-mcc-common-7.3-1.mga7 + mageia-doc-mcc-<LANG>-7.3-1.mga7 )
MCC-Booting-Define how the system starts:
"In the third and last part, called Security, it is possible to set a password for the bootloader. This means a username and password will be asked at the boot time to select a booting entry or change settings. The username is "root" and the password is the one chosen here."

The fact that the first "Mageia" menu entry is not password protected could be intentional. Obviously if you wanted to protect entry to the entire system - say machine - a BIOS/firmware boot password should do that.

I shall try it via MCC to see what happens. (Luckily I have rEFInd to boot this system if it does not work).

Summary: grub2 manually setting a password does not work => grub2-setpassword to manually set a boot menu password does not work, reports "/boot/efi/EFI/redhat//user.cfg: No such file or directory"
CC: (none) => lewyssmith
Source RPM: (none) => grub2-2.02.0-15.mga7.src.rpm

Comment 4 Lewis Smith 2021-01-22 15:50:21 CET
Looking again at /sbin/grub2-setpassword. The reported fault should happen if there is no -o parameter, a default value. It looks as if the script:
- Sets a default destn dir 'grubdir' - incorrectly? (the sed does what?)
- Sets the actual O/P directory 'OUTPUT_PATH' if given; else to default
- At the end, uses the *wrong variable*, default rather than actual.

if [ -d /sys/firmware/efi/efivars/ ]; then
    grubdir=`echo "//boot/efi/EFI/redhat/" | sed 's,//*,/,g'`    ###
else
    grubdir=`echo "//boot//grub2" | sed 's,//*,/,g'`
fi
...
    -o | --output)
        OUTPUT_PATH=`argument $option "$@"`; shift ;;
...
# set user input or default path for user.cfg file
if [ -z "${OUTPUT_PATH}" ]; then
    OUTPUT_PATH="${grubdir}"
fi
...
install -m 0600 /dev/null "${grubdir}/user.cfg" 2>/dev/null || :
chmod 0600 "${grubdir}/user.cfg" 2>/dev/null || :
echo "GRUB2_PASSWORD=${MYPASS}" > "${grubdir}/user.cfg"
Comment 5 Muhammad Tailounie 2021-01-22 17:38:26 CET
> 
> What exactly did you change it to?
> Even on this EFI box, /boot/grub2/grub.cfg is the only occurrence of that
> file, so /boot/grub2/ should probably be the required path anyway.
> 

I added those lines before closing the IF condition on line 82:



else
    grubdir=$OUTPUT_PATH

So the condition starting at line 78 would be:

if [ ! -d "${OUTPUT_PATH}" ]; then
    echo "${OUTPUT_PATH} does not exist."
    usage
    exit 2;
else
    grubdir=$OUTPUT_PATH
fi
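
Added example, not part of the thread or of the packaged script: the write path diagnosed in comment 4 next to a variant that honours -o, as the workaround in comment 5 does. The function names, the temporary directory layout and the hash string are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not the grub2-setpassword script itself.
# Function names and the hash value are constructed for this example.

# Same flow as the excerpt in comment 4: OUTPUT_PATH is resolved,
# but every write still targets ${grubdir}.
write_user_cfg_buggy() {
    grubdir=$1; OUTPUT_PATH=$2; MYPASS=$3
    if [ -z "${OUTPUT_PATH}" ]; then OUTPUT_PATH="${grubdir}"; fi
    install -m 0600 /dev/null "${grubdir}/user.cfg" 2>/dev/null || :
    chmod 0600 "${grubdir}/user.cfg" 2>/dev/null || :
    echo "GRUB2_PASSWORD=${MYPASS}" > "${grubdir}/user.cfg"
}

# Writes to the resolved OUTPUT_PATH, reports a missing directory, and
# never holds the hash in a file with wider permissions than 0600.
write_user_cfg_fixed() {
    grubdir=$1; OUTPUT_PATH=$2; MYPASS=$3
    if [ -z "${OUTPUT_PATH}" ]; then OUTPUT_PATH="${grubdir}"; fi
    if [ ! -d "${OUTPUT_PATH}" ]; then
        echo "${OUTPUT_PATH} does not exist." >&2
        return 2
    fi
    # mktemp creates the file owner-only; the rename makes the update atomic.
    tmp=$(umask 077 && mktemp "${OUTPUT_PATH}/user.cfg.XXXXXX") || return 1
    if printf 'GRUB2_PASSWORD=%s\n' "${MYPASS}" > "${tmp}"; then
        mv -f "${tmp}" "${OUTPUT_PATH}/user.cfg"
    else
        rm -f "${tmp}"; return 1
    fi
}

# Constructed scenario: the EFI default directory is absent, -o is given.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "${root}/boot/grub2"
    hash="grub.pbkdf2.sha512.10000.CONSTRUCTED-PLACEHOLDER"
    write_user_cfg_buggy "${root}/boot/efi/EFI/redhat/" "${root}/boot/grub2" \
        "${hash}" 2>/dev/null || echo "buggy: write failed, -o ignored"
    write_user_cfg_fixed "${root}/boot/efi/EFI/redhat/" "${root}/boot/grub2" \
        "${hash}" && ls -l "${root}/boot/grub2/user.cfg"
    rm -rf "${root}"
}
demo
```

The buggy variant discards the errors from install and chmod, so the only visible failure is the final redirect, which matches the single "No such file or directory" line quoted in comment 3.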
Comment 6 Lewis Smith 2021-01-22 19:59:29 CET
I tried setting a Grub password via MCC, and it has been a disaster. On re-booting, when trying to achieve anything:
- select (Enter) any menu entry, the first included
- 'e' to edit any line
- leaving it to time out on the first entry
it popped a sort of terminal window asking for user (root) and the defined password. After entering the latter, it waited a bit, then simply returned to the menu. I could not get beyond that.
I need to go back to undo that! Am in M8 now.

Assigning this re the 'grub-setpassword' script errors anyway. Globally because Grub has variable committers. Is this fault ours, or from UPSTREAM ?

(In reply to Aurelien Oudelet from comment #1)
> From my own testing, I do add a grub password with drakboot under MCC.
> This only prevents me from editing the kernel cmd line.
M7 or M8? No problems?

Severity: enhancement => minor
Assignee: bugsquad => pkg-bugs

Comment 7 Aurelien Oudelet 2021-07-06 13:17:37 CEST
Mageia 7 has been EOL since July 1st 2021.
There will not be any further bugfixes for this release.

You are encouraged to upgrade to Mageia 8 as soon as possible.

@reporter, if this bug still applies with Mageia 8, please let us know.

@packager, if you work on the Mageia 7 version of your package, please check whether the issue is also present in the Mageia 8 package. In this case, please fix the Mageia 8 version instead.

This bug report will be closed OLD if there is no further notice by 1st September 2021.
Comment 8 Muhammad Tailounie 2021-08-18 13:24:02 CEST
Hi;

Using the option -o works now. Without this option it tries to update the configuration file on the EFI partition.

I only checked M8 FWIW.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

