221289 – Setting loader.conf password prevents autoboot, manual boot still okay; password leaked

Bug 221289 - Setting loader.conf password prevents autoboot, manual boot still okay; password leaked

Summary: Setting loader.conf password prevents autoboot, manual boot still okay; passw...

Status:	Closed DUPLICATE of bug 207069

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	11.1-STABLE
Hardware:	amd64 Any

Importance:	--- Affects Some People
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-08-06 18:53 UTC by fred
Modified:	2018-11-29 14:17 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description fred 2017-08-06 18:53:42 UTC

Hi Team

As my first bug report, I'll take the opportunity to say thanks! to everyone who contributes.

I have a fresh install of Free 11.1 in a Parallels VM on my Mac. I used ZFS auto-layout on installation; ZFS seems unrelated to the problem described here.

Problem 1: Everything is fine until I add 'password="test"' to the /boot/loader.conf. Rebooting then fails:

Loading /boot/defaults/loader.conf
can't load 'kernel'
no valid kernel found

...and then I'm dropped into the (Forth I think) shell/interpreter.

At this point, if I try to "autoboot", I get these errors again:

can't load 'kernel'
no valid kernel found

But if I simply "boot", everything proceeds correctly.

The "show" command reveals:

kernel=kernel
kernel_options=

...and the mystic variable "kernelname" is not set at this point (added to boot.c in Git revision https://github.com/freebsd/freebsd/commit/475f83c70ca2a39eacdb9dfe774681a8e8c2f305#diff-337b216f8bcf5c9351318742f496b65e).

This seems to be a problem beyond just my experience: https://forums.freebsd.org/threads/58292/. It seems to be unrelated to the previous problem described in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=170110.

I don't know if it makes a difference that line 80 of sys/boot/common/boot.c calls loadakernel(0, argc - 1, argv + 1); in the boot case, but only loadakernel(0, 0, argv); in the autoboot case? (Sorry, I don't have the understanding to try to debug further).

----

Problem 2: Once we've failed to boot, and dropped to the interpreter, a simple "show" will reveal the boot password in plain text as one of the environment variables. I suppose it would be a kludgy workaround to filter out the password variables from "command_show" in sys/boot/common/commands.c; but that would have other unintended consequences for debugging? Is it not possible to integrate a lightweight hashing function to rather hash the password in loader.conf for comparison in the boot loader?

Thanks!

Comment 1 fred 2017-08-06 18:58:36 UTC

Some additional notes:

a. If I remove the 'password="test"' from loader.conf, everything works again. So it does seem to be that when we go through the sys/boot/forth/check-password.4th code path that the environment for autoboot is subtly different.

b. Regarding problem 2, I also noticed that the /boot directory and loader.conf are world-readable by default, which leaks the boot password in plain text to any user on the system. Should I raise a separate issue for that?

Comment 2 Rado Sław 2017-10-08 08:39:15 UTC

This is tracked in bug #207069

You can try solution mentioned there https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207069#c1

It would be great if you can comment afterwards if it did solve your problems.

Comment 3 Ed Maste freebsd_committer

2018-11-29 14:17:16 UTC


*** This bug has been marked as a duplicate of bug 207069 ***