Bug 518124
Summary: | Add grub.conf password protection support to pygrub
---|---
Product: | Red Hat Enterprise Linux 5
Component: | xen
Version: | 5.3
Hardware: | All
OS: | Linux
Status: | CLOSED ERRATA
Severity: | high
Priority: | urgent
Target Milestone: | rc
Keywords: | ZStream
Reporter: | Issue Tracker <tao>
Assignee: | Michal Novotny <minovotn>
QA Contact: | Virtualization Bugs <virt-bugs>
CC: | areis, jdenemar, jlieskov, jplans, minovotn, mmatsuya, mshao, rmunilla, tao
Fixed In Version: | xen-3.0.3-95.el5
Doc Type: | Bug Fix
Last Closed: | 2010-03-30 08:57:45 UTC
Bug Blocks: | 499522, 525142, 525740
Description
Issue Tracker
2009-08-19 02:39:20 UTC
Event posted on 2009-07-31 07:34 JST by DonCoburn

Description of problem:
grub.conf is configured with a passwd but does not prompt for a password when attempting to edit grub at boot time.

How reproducible:
every time

Steps to Reproduce:
xm create -c guest
press space bar to stop the grub count down
press e to edit
select the kernel line and press e
Append a "1" to the end of the kernel line and press return
press "b" to boot

Actual results:
System boot to init 1

Expected results:
Pygrub prompt should request a password when you attempt to edit grub during boot.

Additional info:
grub.conf file contents:

default=0
timeout=5
password --md5 *********************
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-128.el5xen)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-128.el5xen ro root=/dev/vg/djc2bdb_rootvg/djc2bdb_roo otlv console=tty0 console=xvc0
        initrd /initrd-2.6.18-128.el5xen.img

Dom0 pkgs of interest:
kernel-xen-2.6.18-128.1.6.el5
xen-3.0.3-80.el5_3.2

This event sent from IssueTracker by mmatsuya [SEG - Base OS]
issue 324637

Event posted on 2009-08-13 03:38 JST by rmunilla

Don,

Jan emailed the package maintainer and we are waiting on a response. (He is traveling this week). It seems at some point there has been a change to GrubConf.py to introduce a password keyword but it doesn't seem to work for pygrub. I will update the ticket again as I get more information.

Best Regards,
Robert

This event sent from IssueTracker by mmatsuya [SEG - Base OS]
issue 324637

Event posted on 2009-08-19 03:49 JST by rmunilla

Email reply from Jan Mark Holzer

I checked with Jeremy Katz and he agreed it would be something we could easily fix/add. If you could open an IT with US Courts and refer to Jeremy Katz that would be great.
As the behaviour is different from bare metal I'd think we can quantify this as a regression rather than a feature enhancement :)

escalating to SEG

This event sent from IssueTracker by mmatsuya [SEG - Base OS]
issue 324637

Created attachment 358100
Patch to support passwords in pyGRUB for GRUB bootloader
Hi,
this is the patch to support password in grub.conf file loaded using pyGrub. It basically checks for the presence of password line in grub.conf of the guest image and if this line is present, it supports both clear text and md5 versions of the password. Editing the grub entries and command-line are disabled when some password is set in domain's grub.conf file but the password was not entered yet. Also, new option to press 'p' in interactive pygrub has been added to allow entering the grub password. It's been tested on x86_64 with PV guests and was working fine. Also, the countdown has been stopped after key was pressed, ie. the user is probably editing the boot configuration.
Michal
Created attachment 358229
Patch to support passwords in pyGRUB for GRUB bootloader but not to break LILO (IA64) bootloader
Well, this introduced an issue with Lilo loader for Itanium systems. This is the new version with that one fixed too. It's also done to match upstream c/s 20099 (the version with this issue) and the fix for IA64 is pending in upstream patch queue.
Thanks,
Michal
Created attachment 358240
Patch to support passwords in pyGRUB for GRUB bootloader updated
Updated to catch every exception (not just KeyError, it can be AttributeError sometimes).
Created attachment 359520
New version of this patch to match bare-metal GRUB behavior
Previous versions of Xen package pygrub without this patch
didn't honor password setting in the grub.conf file. This patch is
adding this support for pygrub like it's bare-metal GRUB bootloader -
this means that pressing `p` is necessary before command-line and entry
editing is available if the password is set up in the grub.conf file.
Upstream already have this patch accepted in c/s 20099 (pygrub: Add
password support), c/s 20107 (pygrub: Fix elilo handling after password
patch) and c/s 20146 (pygrub: Match bare-metal GRUB behavior for
passwords) so this one patch basically merges those 3 patches into one
patch for RHEL-5 code base.
Hi,
this patch is available in package at http://people.redhat.com/jdenemar/xen/ from what I've been told. Could you please try with this one and provide some results of testing?
Thanks,
Michal

Fix built into xen-3.0.3-95.el5

This bug is verified in i386 and x86_64 system. But for the ia64 system, need to edit the elilo.conf file, and add the password --md5 ********************* line can not take effect for editing the pygrub. But for the comment #5, seems like do not fix in ia64. So could anyone tell me is this bug not fix in ia64? Thanks.

(In reply to comment #19)
> This bug is verified in i386 and x86_64 system. But for the ia64 system, need
> to edit the elilo.conf file, and add the password --md5 *********************
> line can not take effect for editing the pygrub. But for the comment #5, seems
> like do not fix in ia64. So could anyone tell me is this bug not fix in ia64?
> Thanks.

Yewei,
since ia64 is using eLilo system which (from what I've been told since I am not familiar with eLilo) doesn't support password support at all, the logic for ia64 (eLilo) was preserved like this patch was not applied at all, ie. no password support for eLilo is available...
Michal

Verify this bug by following steps:
(1) Add "password --md5 *********************" line to guest grub.conf file
(2) xm create -c guest
(3) press space bar to stop the grub count down, try to press e to edit select the kernel line

Now the pygrub prompt will request a password when you attempt to edit grub during boot. So this bug is verified in xen-3.0.3-102.el5, both on i386 and x86_64.

(In reply to comment #29)
> Verify this bug by following steps:
> (1) Add "password --md5 *********************" line to guest grub.conf file
> (2) xm create -c guest
> (3) press space bar to stop the grub count down, try to press e to edit select
> the kernel line
>
> Now the pygrub prompt will request a password when you attempt to edit grub
> during boot. So this bug is verified in xen-3.0.3-102.el5, both on i386 and
> x86_64.

In fact I never did this using this way but I installed the guest with enabling password protection in Anaconda directly. But according to code, you can use crypt() function to generate the password hash to be appended here. And also, your steps are wrong. You have to create the guest using xm create -c guest and stop countdown. After that, you have to press 'p' (for password) and enter password first before trying to edit the boot command line. It won't work without pressing 'p' and entering password first. If there is no prompt to press 'p' something is wrong with your grub.conf (ie. this condition 'if not self.cf.hasPassword() or self.cf.hasPasswordAccess():' is not met). For correct setup of password in grub.conf, the prompt to press 'p' to enter password is shown...
Michal

Hi Michal, maybe I do not describe very clearly, but I think what we are talk are the same. In my steps 3, I mean that if I do not press 'p' it will not allow me to edit the grub file (In comment #29, there is a line like this "Now the pygrub prompt will request a password when you attempt to edit grub during boot"). Sorry for misunderstanding you.

(In reply to comment #31)
> Hi Michal, maybe I do not describe very clearly, but I think what we are talk
> are the same. In my steps 3, I mean that if I do not press 'p' it will not
> allow me to edit the grub file (In comment #29, there is a line like this "Now
> the pygrub prompt will request a password when you attempt to edit grub during
> boot"). Sorry for misunderstanding you.

Hi Yewei,
that way it seems we are talking about the same thing. To make it working with password protection enabled the steps are (to be clear):
1. xm create -c guest
2. press something to stop countdown and information to press 'p' to enter password is shown
3. press 'e' - it does nothing
4. press 'p' and provide correct password (the prompt will now change to press 'e' etc...)
5. press 'e' and edit the line
Those are correct steps ;)
Michal

Hi Michal, compared with your steps in comment #32, we are talking the same thing indeed, I used this (In comment #29, the line "Now the pygrub prompt will request a password when you attempt to edit grub during boot") to instead of your step 4, and this make your misunderstanding, so this bug is verified.

Hi Yewei,
this is good. Thanks for testing.
Michal

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2010-0294.html

This bug was closed during 5.5 development and it's being removed from the internal tracking bugs (which are now for 5.6).
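
The key handling described in the comments above, as an added example that is not part of this bug report or of pygrub's code: a simplified model of the gate `if not self.cf.hasPassword() or self.cf.hasPasswordAccess()`. The names `GrubConfModel`, `handle_key` and the `md5_verify` hook, the 'c' key for the command line, and the sample grub.conf text are assumptions made for illustration; keeping the menu locked when the password line is malformed or the hash cannot be checked is a choice of this example.

```python
import hmac

# Constructed sample guest configs (not taken from the bug report).
SAMPLE_CLEAR = "default=0\ntimeout=5\npassword constructed-secret\ntitle Example\n"
SAMPLE_MD5 = "default=0\npassword --md5 $1$constructed$placeholderhash\n"


class GrubConfModel:
    """Simplified stand-in for the parsed grub.conf; not pygrub's GrubConf."""

    def __init__(self, text, md5_verify=None):
        self.present = False          # a `password` line exists
        self.secret = None            # clear-text password or stored hash
        self.is_md5 = False
        self.unlocked = False
        self.md5_verify = md5_verify  # hypothetical hook: f(entered, hash) -> bool
        for line in text.splitlines():
            parts = line.split()
            if parts and parts[0] == "password":
                self.present, args = True, parts[1:]
                if args and args[0] == "--md5":
                    self.is_md5, args = True, args[1:]
                self.secret = args[0] if args else None

    def hasPassword(self):
        return self.present

    def hasPasswordAccess(self):
        return self.unlocked

    def try_password(self, entered):
        if self.secret is None:       # malformed line: stay locked
            ok = False
        elif self.is_md5:             # no verifier supplied: stay locked
            ok = bool(self.md5_verify and self.md5_verify(entered, self.secret))
        else:                         # constant-time clear-text comparison
            ok = hmac.compare_digest(entered.encode(), self.secret.encode())
        self.unlocked = ok
        return ok


def handle_key(cf, key, entered=""):
    """Return what the menu does for one key press after the countdown stops."""
    if key == "p" and cf.hasPassword():
        return "unlocked" if cf.try_password(entered) else "denied"
    if key in ("e", "c"):             # entry editing and command line
        # Same condition as quoted in the thread.
        if not cf.hasPassword() or cf.hasPasswordAccess():
            return "edit" if key == "e" else "cmdline"
    return "ignored"
```
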