Bug#442443: marked as done (grub-installer: Please do not store the GRUB password in cleartext)
From: Debian Bug Tracking System <owner(at)bugs.debian.org>
Date: Sat Oct 27 2007 - 10:09:02 EDT
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

-- attached mail follows:
Package: grub-installer
(originally sent by Alex to the -boot list. As I find this an interesting suggestion, I turn this into a wishlist bug against grub-installer)

Observed with today's debian-testing-amd64-businesscard.iso. (Testing with a sid installer)

The Debian installer allows the user to enter a password for GRUB to access advanced features. If the user does so, the password is included in cleartext in /boot/grub/menu.lst.

GRUB has the capability to use an md5 hash of a password instead of storing the password. These are generated with the grub command md5crypt. For example, to generate a md5 hash of the password "foobar" (no quotes):

    echo -e "md5crypt\nfoobar" | sudo grub --batch | grep "Encrypted" | sed -e 's/Encrypted: //g'

There may be a cleaner way to do this but the above will work. Then, in /boot/grub/menu.lst, where you would write:

    password foobar

instead write (the output from the above command):

    password --md5 $1$SZmo8$vxbhcjqNC4kHpqZi5n3r81

It is important not to store the password in cleartext for several reasons. Some users (such as myself) may use a password either similar to or identical to the root or user password on the machine for the bootloader. I boot to an encrypted root, but of course /boot is on an unencrypted volume so the password could be snooped.

I understand the rationale that on a normal system, if you have read access to menu.conf then you have write access (eg, by rooting the system) and could just clear the password anyway, but given that GRUB provides such a simple way to use a hash instead I think Debian should implement this.

As always, thanks for the wonderful, free operating system. Many of us appreciate your effort (including our entire cluster:-), and my two personal machines)
Alex Roper
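To make the hash-based configuration the report asks for concrete, here is an added Python example (not part of the bug report and not grub-installer's own code) that implements the same FreeBSD-style MD5-crypt scheme behind GRUB's md5crypt command and rewrites any cleartext "password" line in a menu.lst into the "password --md5" form, returning the cleartext values it found so an administrator can audit an existing /boot. The function names, the regular expression and the random-salt step are assumptions of this example, not GRUB's or Debian's code.

```python
import hashlib
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: str, salt: str) -> str:
    """FreeBSD-style MD5-crypt ($1$...), the scheme behind GRUB's 'password --md5'."""
    pw, sl, magic = password.encode(), salt[:8].encode(), b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):            # feed len(pw) bytes of alt
        ctx.update(alt[: min(16, n)])
    i = len(pw)
    while i:                                     # bit-dependent padding quirk
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                        # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""                                     # crypt-style base64, 22 chars
    for grp in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5), (11,)):
        v = int.from_bytes(bytes(final[k] for k in grp), "big")
        for _ in range(len(grp) + 1):            # 3 bytes -> 4 chars, 1 -> 2
            out += ITOA64[v & 0x3F]
            v >>= 6
    return f"$1${sl.decode()}${out}"


# Matches 'password <cleartext> [menufile]' but not an already hashed line.
CLEARTEXT = re.compile(r"^(\s*password\s+)(?!--md5\b)(\S+)(.*)$")

def harden_menu_lst(text: str, salt: str = "") -> tuple:
    """Rewrite cleartext 'password' lines as '--md5' hashes; also return the passwords found."""
    found, out = [], []
    for line in text.splitlines():
        m = CLEARTEXT.match(line)
        if m:
            found.append(m.group(2))
            s = salt or "".join(secrets.choice(ITOA64) for _ in range(8))
            line = f"{m.group(1)}--md5 {md5crypt(m.group(2), s)}{m.group(3)}"
        out.append(line)
    return "\n".join(out) + "\n", found
```

A non-empty list returned by harden_menu_lst on a real menu.lst is the finding the report describes; the rewritten text is the corrected configuration.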
-- attached mail follows:
Source: grub-installer
Source-Version: 1.27
We believe that the bug you reported is fixed in the latest version of
grub-installer, which is due to be installed in the Debian FTP archive:
grub-installer_1.27.dsc
to pool/main/g/grub-installer/grub-installer_1.27.dsc
grub-installer_1.27.tar.gz
to pool/main/g/grub-installer/grub-installer_1.27.tar.gz
grub-installer_1.27_i386.udeb
to pool/main/g/grub-installer/grub-installer_1.27_i386.udeb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 442443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Otavio Salvador <otavio@debian.org> (supplier of updated grub-installer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 27 Oct 2007 11:58:04 -0200
Source: grub-installer
Binary: grub-installer
Architecture: source i386
Version: 1.27
Distribution: unstable
Urgency: low
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Otavio Salvador <otavio@debian.org>
Description:
grub-installer - Install GRUB on a hard disk (udeb)
Closes: 442443
Changes:
grub-installer (1.27) unstable; urgency=low
.
[ Romain Perier ]
This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 03:12:10 EDT