Bug 47696 - Anaconda installs no GRUB password
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: anaconda
Version: 7.3
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jeremy Katz
QA Contact: Brock Organ
Reported: 2001-07-06 14:34 UTC by Steve Bonneville
Modified: 2007-04-18 16:34 UTC (History)
Last Closed: 2001-07-06 15:45:39 UTC

Description Steve Bonneville 2001-07-06 14:34:35 UTC
Description of Problem:

The installer does not set a GRUB password to protect unauthorized
users from accessing command-line mode.  This is a problem because
arbitrary files on the filesystem can be viewed from GRUB's command
line with the 'cat' command.  This doesn't just expose /etc/shadow,
this exposes files that may contain clear-text passwords (example:
/etc/ldap.secret).

Steps to Reproduce:

  Given: System using GRUB as a bootloader, no password set, and
       / is on /dev/hda2 (hd0,1).  /etc/shadow is standing in for
       some arbitrary file.

  Boot the system, type <c> to get to the grub> prompt.
  grub>  cat (hd0,1)/etc/shadow

Actual Results:

  /etc/shadow is displayed

Additional Information:

  Setting a GRUB password still allows users to boot any
  predefined title entries without the password; it only
  locks out menu-editing and CLI mode.
	
  Users should be given the option at install time to set a
  GRUB password.  GRUB supports standard MD5 passwords.  I
  see some possible ways to fix this here:

  * A check box to set the GRUB password to the install-time
    root password, in the installer's bootloader selection 
    screen.
  * A text box in the bootloader selection screen to allow
    users to set an arbitrary GRUB password at install time.

Comment 1 Michael Fulbright 2001-07-06 15:45:35 UTC
We'll look at addressing this before beta 2.

Comment 2 Jeremy Katz 2001-07-10 19:30:28 UTC
You now have the option to set a grub password in gui, tui, and kickstart.
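
An added example, not part of this bug report or of Anaconda: a Python audit of a GRUB legacy grub.conf for the exposure the description reports. It flags a missing or clear-text global `password` and lists the entries that still boot without it. The sample configurations, the placeholder hash and the `audit_grub_conf` name are constructed for illustration; treating `lock` as effective only when it is the first command of an entry follows the GRUB legacy manual.

```python
import re

# Constructed sample configs (not from the bug report); the hash is a placeholder.
WEAK_CONF = """\
default=0
title Red Hat Linux
    root (hd0,1)
    kernel /boot/vmlinuz ro root=/dev/hda2
"""
HARDENED_CONF = """\
default=0
password --md5 $1$PLACEHOLDER$constructedNotARealHash
title Red Hat Linux
    root (hd0,1)
    kernel /boot/vmlinuz ro root=/dev/hda2
title Rescue shell
    lock
    root (hd0,1)
    kernel /boot/vmlinuz ro root=/dev/hda2 single
"""

def audit_grub_conf(text):
    """Return (level, message) findings for a GRUB legacy grub.conf / menu.lst."""
    findings, global_pw, entries = [], False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # GRUB legacy accepts "cmd arg" and "cmd=arg"; normalise the first separator.
        cmd, _, arg = re.sub(r"[\s=]+", " ", line, count=1).partition(" ")
        cmd = cmd.lower()
        if cmd == "title":
            entries.append({"title": arg, "guarded": False, "seen": 0})
            continue
        if cmd == "password":
            if not arg.startswith("--md5"):
                findings.append(("HIGH", "password is stored in clear text; use --md5"))
            if not entries:
                global_pw = True  # before any title: guards CLI and menu editing
        if entries:
            entry = entries[-1]
            if cmd in ("lock", "password") and entry["seen"] == 0:
                entry["guarded"] = True  # commands placed before lock run unauthenticated
            entry["seen"] += 1
    if not global_pw:
        findings.append(("HIGH", "no global password: command line and menu editing are open"))
    for e in entries:
        if not e["guarded"]:
            findings.append(("INFO", f"entry '{e['title']}' boots without the password"))
    return findings
```

`audit_grub_conf(WEAK_CONF)` reports the open command line; `audit_grub_conf(HARDENED_CONF)` leaves only the informational note that the default entry boots without the password, which is the behaviour the description points out.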

