LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

February 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS February 2012

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: serious bug in boot sequence when fsck is required
From:	Yasha Karant <[log in to unmask]>
Reply To:	Yasha Karant <[log in to unmask]>
Date:	Wed, 1 Feb 2012 15:44:30 -0800
Content-Type:	text/plain
Parts/Attachments:	text/plain (71 lines)

On 02/01/2012 03:05 PM, Nico Kadel-Garcia wrote:
> On Wed, Feb 1, 2012 at 5:36 PM, Yasha Karant<[log in to unmask]>  wrote:
>
>> Back to my primary point:  the bug in accepting the root password upon a
>> failed fsck during boot is from TUV and documented (please see a previous
>> post nominally in this thread).  Is there any fix?  I do not care if the fix
>> "breaks" TUV bug-for-bug compatibility -- is there a fix to which routine(s)
>> are causing the problem?
>
> This is, in fact, an option to configure in grub in the older LILO
> boot loader. Run the command "info grub-md5-crypt" for more
> information.
>
> This is not normally considered a "bug". The software is not doing
> anything that is not expected or undocumented. It's a *risk*, and some
> folks might think it's a security flaw. But the burden of storing and
> managing  separate password for deployed systems is not, hirsorically,
> taken up by default. It would have to be written into the OS instaler
> to apply on the existing boot loader software. So it's not set by
> default.

18 Invoking grub-md5-crypt
**************************

The program `grub-md5-crypt' encrypts a password in MD5 format.  This
is just a frontend of the grub shell (*note Invoking the grub shell::).
Passwords encrypted by this program can be used with the command
`password' (*note password::).

    `grub-md5-crypt' accepts the following options:

`--help'
      Print a summary of the command-line options and exit.

`--version'
      Print the version information and exit.

`--grub-shell=FILE'
      Use FILE as the grub shell.

I am confused.  In the past, both with LILO and GRUB without any special 
invocation, whenever fsck failed on boot or reboot, the password prompt 
would appear and the root password used during normal operation of the 
system would be accepted, allowing me to run fsck manually (actually, to 
manually invoke a script I write that invokes fsck).  I had to do no 
special configuration to grub during normal operation and prior to being 
allowed to enter the root password.

Now, with just one character (keystroke), as explained in the bug report 
previously posted to this thread, the password acceptance routine 
attempts to process the "password", fails, and loops to the same enter 
password prompt.

Are you stating that by invoking grub-md5-crypt during normal operation, 
and providing grub-md5-crypt with the plain text root password, said 
password will now be accepted rather than stopping at a single keystroke?

The only reference I could find indicated that I must modify grub.conf 
to include the stanza:

password --md5 <encrypted password>

where <encrypted password> is the actual set of characters displayed for 
the root password in the /etc/shadow file.

Does one use grub-md5-crypt, or this latter password stanza?  When did 
this change?  In EL 5, using grub, this special stanza was not required 
to the best of my observation.

Yasha Karant

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV