Bug 518124 - Add grub.conf password protection support to pygrub
Summary: Add grub.conf password protection support to pygrub
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: xen
Version: 5.3
Hardware: All
OS: Linux
urgent
high
Target Milestone: rc
: ---
Assignee: Michal Novotny
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 499522 525142 CVE-2009-3525
Reported: 2009-08-19 02:39 UTC by Issue Tracker
Modified: 2018-10-27 15:55 UTC (History)

Fixed In Version: xen-3.0.3-95.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-30 08:57:45 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch to support passwords in pyGRUB for GRUB bootloader (5.52 KB, patch)
2009-08-20 14:28 UTC, Michal Novotny
Patch to support passwords in pyGRUB for GRUB bootloader but not to break LILO (IA64) bootloader (5.98 KB, patch)
2009-08-21 11:54 UTC, Michal Novotny
Patch to support passwords in pyGRUB for GRUB bootloader updated (5.96 KB, patch)
2009-08-21 13:34 UTC, Michal Novotny
New version of this patch to match bare-metal GRUB behavior (5.98 KB, patch)
2009-09-02 13:35 UTC, Michal Novotny
Add grub.conf password protection support to pygrub (7.94 KB, patch)
2009-09-14 12:21 UTC, Jiri Denemark


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2010:0294 0 normal SHIPPED_LIVE xen bug fix and enhancement update 2010-03-29 14:20:32 UTC

Description Issue Tracker 2009-08-19 02:39:20 UTC
Escalated to Bugzilla from IssueTracker

Comment 1 Issue Tracker 2009-08-19 02:39:25 UTC
Event posted on 2009-07-31 07:34 JST by DonCoburn

Description of problem:
grub.conf is configured with a passwd but does not prompt for a password when attempting to edit grub at boot time.

How reproducible:
every time

Steps to Reproduce:
xm create -c guest
press space bar to stop the grub count down
press e to edit
select the kernel line and press e
Append a "1" to the end of the kernel line and press return
press "b" to boot

Actual results:
System boot to init 1

Expected results:
Pygrub prompt should request a password when you attempt to edit grub during boot.

Additional info:
grub.conf file contents:
default=0
timeout=5
password --md5 *********************
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-128.el5xen)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-128.el5xen ro root=/dev/vg/djc2bdb_rootvg/djc2bdb_rootlv console=tty0 console=xvc0
        initrd /initrd-2.6.18-128.el5xen.img

Dom0 pkgs of interest: kernel-xen-2.6.18-128.1.6.el5 xen-3.0.3-80.el5_3.2

This event sent from IssueTracker by mmatsuya  [SEG - Base OS]
 issue 324637

Comment 2 Issue Tracker 2009-08-19 02:39:28 UTC
Event posted on 2009-08-13 03:38 JST by rmunilla

Don,

Jan emailed the package maintainer and we are waiting on a response.  (He
is traveling this week).  It seems at some point there has been a change
to GrubConf.py to introduce a password keyword but it doesn't seem to
work for pygrub.   I will update the ticket again as I get more information.

Best Regards,
Robert


This event sent from IssueTracker by mmatsuya  [SEG - Base OS]
 issue 324637

Comment 3 Issue Tracker 2009-08-19 02:39:31 UTC
Event posted on 2009-08-19 03:49 JST by rmunilla

Email reply from Jan Mark Holzer

I checked with Jeremy Katz and he agreed it would
        be something we could easily fix/add .
        If you could open an IT with US Courts
        and refer to Jeremy Katz that would be great.
        As the behaviour is different from bare metal
        I'd think we can quantify this as a regression
        rather than a feature enhancement :)

escalating to SEG 




This event sent from IssueTracker by mmatsuya  [SEG - Base OS]
 issue 324637

Comment 4 Michal Novotny 2009-08-20 14:28:39 UTC
Created attachment 358100 [details]
Patch to support passwords in pyGRUB for GRUB bootloader

Hi,
this is the patch to support password in grub.conf file loaded using pyGrub. It basically checks for the presence of password line in grub.conf of the guest image and if this line is present, it supports both clear text and md5 versions of the password. Editing the grub entries and command-line are disabled when some password is set in domain's grub.conf file but the password was not entered yet. Also, new option to press 'p' in interactive pygrub has been added to allow entering the grub password. It's been tested on x86_64 with PV guests and was working fine. Also, the countdown has been stopped after key was pressed, ie. the user is probably editing the boot configuration.

Michal

Comment 5 Michal Novotny 2009-08-21 11:54:19 UTC
Created attachment 358229 [details]
Patch to support passwords in pyGRUB for GRUB bootloader but not to break LILO (IA64) bootloader

Well, this introduced an issue with Lilo loader for Itanium systems. This is the new version with that one fixed too. It's also done to match upstream c/s 20099 (the version with this issue) and the fix for IA64 is pending in upstream patch queue.

Thanks,
Michal

Comment 6 Michal Novotny 2009-08-21 13:34:40 UTC
Created attachment 358240 [details]
Patch to support passwords in pyGRUB for GRUB bootloader updated

Updated to catch every exception (not just KeyError, it can be AttributeError sometimes).

Comment 12 Michal Novotny 2009-09-02 13:35:15 UTC
Created attachment 359520 [details]
New version of this patch to match bare-metal GRUB behavior

Previous versions of Xen package pygrub without this patch
didn't honor password setting in the grub.conf file. This patch is
adding this support for pygrub like it's bare-metal GRUB bootloader -
this means that pressing `p` is necessary before command-line and entry
editing is available if the password is set up in the grub.conf file.

Upstream already have this patch accepted in c/s 20099 (pygrub: Add
password support), c/s 20107 (pygrub: Fix elilo handling after password
patch) and c/s 20146 (pygrub: Match bare-metal GRUB behavior for
passwords) so this one patch basically merges those 3 patches into one
patch for RHEL-5 code base.

Comment 16 Michal Novotny 2009-09-16 12:29:43 UTC
Hi,
this patch is available in package at http://people.redhat.com/jdenemar/xen/ from what I've been told.

Could you please try with this one and provide some results of testing?

Thanks,
Michal

Comment 17 Jiri Denemark 2009-09-22 09:32:27 UTC
Fix built into xen-3.0.3-95.el5

Comment 19 Yewei Shao 2009-09-28 05:34:58 UTC
This bug is verified in i386 and x86_64 system. But for the ia64 system, need to edit the elilo.conf file, and add the password --md5 ********************* line can not take effect for editing the pygrub. But for the comment #5, seems like do not fix in ia64. So could anyone tell me is this bug not fix in ia64? Thanks.

Comment 20 Michal Novotny 2009-09-28 17:38:34 UTC
(In reply to comment #19)
> This bug is verified in i386 and x86_64 system. But for the ia64 system, need
> to edit the elilo.conf file, and add the password --md5 *********************
> line can not take effect for editing the pygrub. But for the comment #5, seems
> like do not fix in ia64. So could anyone tell me is this bug not fix in ia64?
> Thanks.  

Yewei,
since ia64 is using eLilo system which (from what I've been told since I am not familiar with eLilo) doesn't support password support at all, the logic for ia64 (eLilo) was preserved like this patch was not applied at all, ie. no password support for eLilo is available...

Michal

Comment 28 Yewei Shao 2009-12-25 08:05:12 UTC
Verify this bug by following steps:
(1) Add "password --md5 *********************" line to guest grub.conf file
(2) xm create -c guest
(3) press space bar to stop the grub count down, try to press e to edit select the kernel line 

Now the pygrub prompt will request a password when you attempt to edit grub during boot. So this bug is verified in xen-3.0.3-102.el5, both on i386 and x86_64.

Comment 29 Yewei Shao 2009-12-25 08:07:25 UTC
Verify this bug by following steps:
(1) Add "password --md5 *********************" line to guest grub.conf file
(2) xm create -c guest
(3) press space bar to stop the grub count down, try to press e to edit select the kernel line 

Now the pygrub prompt will request a password when you attempt to edit grub during boot. So this bug is verified in xen-3.0.3-102.el5, both on i386 and x86_64.

Comment 30 Michal Novotny 2010-01-04 05:29:28 UTC
(In reply to comment #29)
> Verify this bug by following steps:
> (1) Add "password --md5 *********************" line to guest grub.conf file
> (2) xm create -c guest
> (3) press space bar to stop the grub count down, try to press e to edit select
> the kernel line 
> 
> Now the pygrub prompt will request a password when you attempt to edit grub
> during boot. So this bug is verified in xen-3.0.3-102.el5, both on i386 and
> x86_64.  

In fact I never did this using this way but I installed the guest with enabling password protection in Anaconda directly. But according to code, you can use crypt() function to generate the password hash to be appended here. And also, your steps are wrong. You have to create the guest using xm create -c guest and stop countdown. After that, you have to press 'p' (for password) and enter password first before trying to edit the boot command line. It won't work without pressing 'p' and entering password first. If there is no prompt to press 'p' something is wrong with your grub.conf (ie. this condition 'if not self.cf.hasPassword() or self.cf.hasPasswordAccess():' is not met). For correct setup of password in grub.conf, the prompt to press 'p' to enter password is shown...

Michal

Comment 31 Yewei Shao 2010-01-04 05:41:57 UTC
Hi Michal, maybe I do not describe very clearly, but I think what we are talk are the same. In my steps 3, I mean that if I do not press 'p' it will not allow me to edit the grub file (In comment #29, there is a line like this "Now the pygrub prompt will request a password when you attempt to edit grub during boot"). Sorry for misunderstanding you.

Comment 32 Michal Novotny 2010-01-04 06:04:30 UTC
(In reply to comment #31)
> Hi Michal, maybe I do not describe very clearly, but I think what we are talk
> are the same. In my steps 3, I mean that if I do not press 'p' it will not
> allow me to edit the grub file (In comment #29, there is a line like this "Now
> the pygrub prompt will request a password when you attempt to edit grub during
> boot"). Sorry for misunderstanding you.  

Hi Yewei,
that way it seems we are talking about the same thing. To make it working with password protection enabled the steps are (to be clear):
1. xm create -c guest
2. press something to stop countdown and information to press 'p' to enter password is shown
3. press 'e' - it does nothing
4. press 'p' and provide correct password (the prompt will now change to press 'e' etc...)
5. press 'e' and edit the line

Those are correct steps ;)
Michal
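
The key handling described in comments #30 and #32, modelled as an added sketch; it is not the attached patch or pygrub's own code. `parse_password`, `MenuGate` and `md5_check` are hypothetical names, the grub.conf sample is constructed, and comparing a `--md5` entry is left to a caller-supplied crypt()-style checker (without one the gate stays locked).

```python
import hmac

def parse_password(grub_conf):
    """Return ("clear"|"md5", value) for a global 'password' line, else None."""
    for raw in grub_conf.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "title":        # boot entries start here; stop scanning
            break
        if words[0] == "password" and len(words) >= 2:
            if words[1] != "--md5":
                return ("clear", words[1])
            if len(words) >= 3:
                return ("md5", words[2])
    return None

class MenuGate:
    """Hypothetical model of the interactive menu's edit lock."""
    def __init__(self, grub_conf, md5_check=None):
        self.pw = parse_password(grub_conf)
        self.unlocked = False
        self.md5_check = md5_check     # assumed callable(attempt, stored) -> bool

    def may_edit(self):
        # Same shape as the condition quoted in comment #30.
        return self.pw is None or self.unlocked

    def key(self, k, attempt=""):
        if k == "p" and not self.may_edit():
            self.unlocked = self._check(attempt)
            return "unlocked" if self.unlocked else "denied"
        if k in ("e", "c"):            # 'c' for the command line is an assumption
            return "edit" if self.may_edit() else "ignored"
        return "other"

    def _check(self, attempt):
        kind, stored = self.pw
        if kind == "clear":
            return hmac.compare_digest(attempt.encode(), stored.encode())
        # No checker supplied for a hashed entry: fail closed.
        return bool(self.md5_check and self.md5_check(attempt, stored))

# Constructed sample, not the reporter's file.
SAMPLE = "default=0\ntimeout=5\npassword s3cret-constructed\ntitle Guest\n  root (hd0,0)\n"

def walk_through():
    """Replay the step order from comment #32: e, p (wrong), e, p (right), e."""
    gate = MenuGate(SAMPLE)
    return [gate.key("e"), gate.key("p", "wrong"), gate.key("e"),
            gate.key("p", "s3cret-constructed"), gate.key("e")]

if __name__ == "__main__":
    print(walk_through())
```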

Comment 33 Yewei Shao 2010-01-04 06:39:15 UTC
Hi Michal, compared with your steps in comment #32, we are talking the same thing indeed, I used this (In comment #29, the line "Now the pygrub prompt will request a password when you attempt to edit grub during boot") to instead of your step 4, and this make your misunderstanding, so this bug is verified.

Comment 34 Michal Novotny 2010-01-04 06:42:34 UTC
Hi Yewei,
this is good. Thanks for testing.

Michal

Comment 36 errata-xmlrpc 2010-03-30 08:57:45 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0294.html

Comment 38 Paolo Bonzini 2010-04-08 15:49:20 UTC
This bug was closed during 5.5 development and it's being removed from the internal tracking bugs (which are now for 5.6).

