Major Flaw in GRUB 2.0 Addressed

GRUB 2.0 (GRUB version 1.97) had a major security issue that allowed users to log in by entering only the first few characters of the password correctly. Only the sequence of characters had to be correct; for that matter, even a single character entered as the password worked.

A recent bug-report from debian.org says:

GRUB accepts user input as valid password as long as user enters some first
characters of password correctly.

I.e. if /boot/grub/grub.cfg reads:

set superusers="user1"
password user1 password1

Then user can enter “p”, “pa”, “pas” etc, and GRUB will ‘eat it’ as correct
password.

Given this, the GRUB team addressed the flaw with the release of GRUB 1.97.1, which fixes the problem. The new version also addresses a build problem with the Mac OS X kernel, support for which was added only in the latest GRUB 2.0.
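
The prefix acceptance described in the bug report is what results when a check compares only as many bytes as the user typed. The C sketch below is an added example, not GRUB's code or the 1.97.1 patch; the function names and the regression helper are hypothetical, and `password1` is the sample value from the report.

```c
#include <stdio.h>
#include <string.h>

typedef int (*check_fn)(const char *entered, const char *stored);

/* Flawed (illustrative): compares only as many bytes as the user typed,
   so any leading part of the stored password is accepted. */
static int check_prefix_flawed(const char *entered, const char *stored)
{
    return strncmp(entered, stored, strlen(entered)) == 0;
}

/* Corrected: lengths must match and every byte is compared. */
static int check_full(const char *entered, const char *stored)
{
    size_t elen = strlen(entered), slen = strlen(stored);
    unsigned char diff = (unsigned char)(elen != slen);
    for (size_t i = 0; i < slen; i++) {
        unsigned char e = i < elen ? (unsigned char)entered[i] : 0;
        diff |= (unsigned char)(e ^ (unsigned char)stored[i]);
    }
    return diff == 0;
}

/* Regression helper: number of proper, non-empty prefixes of `stored`
   that `check` accepts. A correct check returns 0. */
static size_t accepted_prefixes(check_fn check, const char *stored)
{
    char buf[64];
    size_t n = strlen(stored), hits = 0;
    if (n >= sizeof buf)
        return (size_t)-1;           /* sample too long for this helper */
    for (size_t len = 1; len < n; len++) {
        memcpy(buf, stored, len);
        buf[len] = '\0';
        if (check(buf, stored))
            hits++;
    }
    return hits;
}

int main(void)
{
    const char *stored = "password1";  /* sample value from the bug report */
    printf("flawed check accepts %zu prefixes\n",
           accepted_prefixes(check_prefix_flawed, stored));
    printf("full check accepts %zu prefixes\n",
           accepted_prefixes(check_full, stored));
    return 0;
}
```

A helper like `accepted_prefixes` is the kind of regression test that catches this class of bug before release: any non-zero count means a truncated password is being accepted.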

Given the hype GRUB 2.0 created with its rewritten code, object-oriented model and support for multiple kernels, security issues like this make it look like mere hoopla to Linux beginners. After all, Linux beginners care more that no one can get into their computer by typing just anything at the password prompt than about developments in extended file system support and kernel support.
