[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Fwd: Re: Security and grub2 (was: Debian Project News - May 31st, 2010)

Dear Wolfgang,

I just got the e-mail bellow from one of our grub maintainers.  I hope
that it is of help for you.  Should you have any more questions /
concerns, feel free to contact them directly via the
pkg-grub-devel@lists.alioth.debian.org mailing list.

Best regards,

-------- Original-Nachricht --------
Betreff: Re: Security and grub2 (was: Debian Project News - May 31st, 2010)
Datum: Tue, 1 Jun 2010 21:05:41 +0100
Von: Colin Watson <cjwatson@debian.org>
An: Alexander Reichle-Schmehl <tolimar@debian.org>
CC: pkg-grub-devel@lists.alioth.debian.org

[Sorry, I'm reading this through the Alioth list archives and don't have
Wolfgang's e-mail address.  Please forward as appropriate.]

On Mon, May 31, 2010 at 03:56:43PM +0200, Alexander Reichle-Schmehl wrote:
> Hi Wolfgang,
> Am 31.05.2010 15:33, schrieb Wolfgang Gruhn:
> >> William Pitcock explained [17] that due to some limitations (for example
> >> in the size of supported kernels) the boot loader LILO [18] is about to
> >> be removed from the upcoming release of Debian 6.0 "Squeeze". He
> >> therefore asked users to test the replacement boot loader GRUB 2 [19].
> > GRUB version 2 cannot be accepted (because of security reasons) as long
> > as the PASSWORD command is ignored. Please inform the developers to use
> > GRUB version 1 instead, thanks!

This is certainly out of date.

> To the best of my knowledge, GRUB 2 supports restricting different boot
> menus in a far more flexible way than GRUB 1 did.  I found a small
> introduction at http://grub.enbug.org/Authentication, however I'm unsure
> about the plain text passwords statement and how to best integrate that
> into Debian's configuration handling.

PBKDF2 hashed passwords, as documented in the lower part of that page,
are supported in the current version in testing.  There's no
grub-mkconfig (a.k.a. update-grub) support for either plain-text or
hashed passwords, so you won't find either in /etc/default/grub, but
it's perfectly possible to add this to one of the scripts in
/etc/grub.d/ and do whatever you want.

> GRUB maintainers, could you please comment on that?

Mostly it needs some half-decent documentation, and selection of one or
two primary workflows to automate via the standard grub-mkconfig
scripts.  Saying that it "cannot be accepted (because of security
reasons)" seems like a bit of an overreaction, though.


Colin Watson                                       [cjwatson@debian.org]

Reply to: