Ubuntu
grub package

Cannot set lock option in menu.lst without being overriden by update-grub

Bug #186623 reported by infodroid
4
Affects Status Importance Assigned to Milestone
grub (Ubuntu)
Invalid
Low
Unassigned

Bug Description

Binary package hint: grub

In the menu.lst, it explains in the "password" section about using the lock command.

However, the "lock" command is not part of the automagic kernel "default options" sections. Yes, there are options for alternative and old kernels (lockalternative, lockold), but how do I lock my default kernel?

If I do set the "lock" option manually by changing the automagic kernels list and appending the "lock" keyword under the "title" of my default kernel, it does work okay.

However this is not really a solution since users are not supposed to modify the automagic kernel section. It will be overridden by update-grub the next time the kernel is upgraded and "update-grub" is run.

What is required is a feature-enhancement of update-grub in order to add the "lock" option to kernels in the "default options" section.

Apologies if there is already a way to do this. But I have been through all the docs I could find and I did not find anything suitable.

This is different from bug #21412 since I am not saying the options are not user friendly. Rather, there is no option to set this feature.

Version: Ubuntu 7.10, grub 0.97-29ubuntu4

Revision history for this message
Steve Langasek (vorlon) wrote :

Confirmed, there is no option in update-grub that allows locking of the first boot option. Though I'm not sure why you want to completely disable booting without a password, which is what this is documented as doing? For instance, that means unattended reboots are no longer possible because of the need to enter a password.

Bug #21412 has been resolved now, so at least if you do set this option by hand it won't be silently overridden by upgrades; instead it'll be noisy and you'll still have to manage your kernel configs by hand... :-)

Changed in grub:
importance: Undecided → Low
status: New → Confirmed
Revision history for this message
infodroid (infodroid) wrote :

Thanks for confirming and also pointing out that the lock option won't be silently overridden by upgrades anymore. At this point it seems the bug title is no longer relevant. Rather it could be "Cannot set lock option without messy kernel upgrade procedure".

To clarify, I am making the case for a new option called lockdefault which will do for the default kernel what the other locks for other kernels.

My thoughts are that if you are going through all the trouble of looking out for the lock option, and then bailing out of a grub update because you don't want to override it, you might as well just support the lock option in the automagic default options so that kernel upgrades aren't problematic.

Another point is that the lock option is a grub _feature_ which people do use on their default kernel, regardless of breakage and inconveniences relating to debian's update-grub. It is debatable whether such people are misguided, but they will no doubt continue to use the lock option in this way under the impression that their system is more secure that way.

I accept that people who do this are not going to have unattended upgrades. However, I did not suggest that the distro is shipped with the lock option enabled by default and thereby break the unattended upgrades. Rather, this is a feature for those who do edit the menu.lst by hand.

Revision history for this message
Steve Langasek (vorlon) wrote :

> My thoughts are that if you are going through all the trouble of looking out for the lock option, and then
> bailing out of a grub update because you don't want to override it

That's not what we're doing. The update-grub code detects any manual changes to the "automagic kernel" list; it can't discern the meaning of any particular changes, it only reports that changes are present and asks whether they should be overwritten.

> Another point is that the lock option is a grub _feature_ which people do use on their default kernel,
> regardless of breakage and inconveniences relating to debian's update-grub. It is debatable whether
> such people are misguided, but they will no doubt continue to use the lock option in this way under the
> impression that their system is more secure that way.

Well, as I can't understand why anyone would want to use lock this way, I'm less likely to try to dedicate any time to supporting it properly with the present code.

Revision history for this message
infodroid (infodroid) wrote :

@Steve

It seems you are saying you can't imagine any scenarios where someone would want to lock their default kernel. I don't think its that difficult, please try.

Here is just one. You work for a company where "official" policy dictates you may only use Windows workstations; any unauthorised software installation is forbidden.

Due to pressing business requirements, your boss gives you the go-ahead to install Ubuntu on a workstation as long as nobody finds out.

The last thing you need is for a technician to accidentally discover you have a Linux workstation on there - perhaps they were delivering some hardware update.

Having grub bork an "unauthorised" error is a good way to achieve that, there is plausible deniability.

Revision history for this message
Jan Stap (stap) wrote :

Hi infodroid, Steve,

I'm using Debian Lenny and came across the same issue. My reason for wanting to lock the default boot option is simple: I'm using a Debian system as base for a firewall. I don't want some cracker installing an exploit, requiring a reboot to be activated. Better having no unattended upgrades than unattendedly being exploited :-) Of course not all exploits require a reboot for activation, but this limits at least a subset of them.

Btw: update-grub in Lenny still silently discards any manually added lock statement in the automagic kernel section.

Regards,

Jan Stap

Revision history for this message
dino99 (9d9) wrote :

outdated report & no more maintained distro; please send a new one if that issue still exist (using ubuntu-bug)

Changed in grub (Ubuntu):
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.