From e346414725a70e5c74ee87ca14e580c66f517666 Mon Sep 17 00:00:00 2001 From: Alex Burmashev Date: Tue, 16 Feb 2021 11:12:12 +0100 Subject: [PATCH] templates: Disable the os-prober by default The os-prober is enabled by default what may lead to potentially dangerous use cases and borderline opening attack vectors. This patch disables the os-prober, adds warning messages and updates GRUB_DISABLE_OS_PROBER configuration option documentation. This way we make it clear that the os-prober usage is not recommended. Simplistic nature of this change allows downstream vendors, who really want os-prober to be enabled out of the box in their relevant products, easily revert to it's old behavior. Reported-by: NyankoSec (, https://twitter.com/NyankoSec), working with SSD Secure Disclosure Signed-off-by: Alex Burmashev Reviewed-by: Daniel Kiper Signed-off-by: Stefan Sørensen --- docs/grub.texi | 18 ++++++++++-------- util/grub.d/30_os-prober.in | 5 ++++- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/docs/grub.texi b/docs/grub.texi index e302797..45a9f80 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @@ -1481,10 +1481,13 @@ boot sequence. If you have problems, set this option to @samp{text} and GRUB will tell Linux to boot in normal text mode. @item GRUB_DISABLE_OS_PROBER -Normally, @command{grub-mkconfig} will try to use the external -@command{os-prober} program, if installed, to discover other operating -systems installed on the same system and generate appropriate menu entries -for them. Set this option to @samp{true} to disable this. +The @command{grub-mkconfig} has a feature to use the external +@command{os-prober} program to discover other operating systems installed on +the same machine and generate appropriate menu entries for them. It is disabled +by default since automatic and silent execution of @command{os-prober}, and +creating boot entries based on that data, is a potential attack vector. Set +this option to @samp{false} to enable this feature in the +@command{grub-mkconfig} command. @item GRUB_OS_PROBER_SKIP_LIST List of space-separated FS UUIDs of filesystems to be ignored from os-prober @@ -1812,10 +1815,9 @@ than zero; otherwise 0. @section Multi-boot manual config Currently autogenerating config files for multi-boot environments depends on -os-prober and has several shortcomings. While fixing it is scheduled for the -next release, meanwhile you can make use of the power of GRUB syntax and do it -yourself. A possible configuration is detailed here, feel free to adjust to your -needs. +os-prober and has several shortcomings. Due to that it is disabled by default. +It is advised to use the power of GRUB syntax and do it yourself. A possible +configuration is detailed here, feel free to adjust to your needs. First create a separate GRUB partition, big enough to hold GRUB. Some of the following entries show how to load OS installer images from this same partition, diff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in index 515a68c..99de043 100644 --- a/util/grub.d/30_os-prober.in +++ b/util/grub.d/30_os-prober.in @@ -26,7 +26,8 @@ export TEXTDOMAINDIR="@localedir@" . "$pkgdatadir/grub-mkconfig_lib" -if [ "x${GRUB_DISABLE_OS_PROBER}" = "xtrue" ]; then +if [ "x${GRUB_DISABLE_OS_PROBER}" = "xfalse" ]; then + gettext_printf "os-prober will not be executed to detect other bootable partitions.\nSystems on them will not be added to the GRUB boot configuration.\nCheck GRUB_DISABLE_OS_PROBER documentation entry.\n" exit 0 fi @@ -39,6 +40,8 @@ OSPROBED="`os-prober | tr ' ' '^' | paste -s -d ' '`" if [ -z "${OSPROBED}" ] ; then # empty os-prober output, nothing doing exit 0 +else + grub_warn "$(gettext_printf "os-prober was executed to detect other bootable partitions.\nIt's output will be used to detect bootable binaries on them and create new boot entries.")" fi osx_entry() { -- 2.14.2