From owner-freebsd-bugs@FreeBSD.ORG  Tue Jul 24 12:20:10 2012
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A23FC1065677
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 24 Jul 2012 12:20:10 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id E81158FC16
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 24 Jul 2012 12:20:09 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q6OCK7XD017157
	for <freebsd-bugs@freefall.freebsd.org>; Tue, 24 Jul 2012 12:20:07 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q6OCK7CL017155;
	Tue, 24 Jul 2012 12:20:07 GMT (envelope-from gnats)
Resent-Date: Tue, 24 Jul 2012 12:20:07 GMT
Resent-Message-Id: <201207241220.q6OCK7CL017155@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Vitaly Zakharov <ded3axap@gmail.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 601A8106564A
	for <freebsd-gnats-submit@FreeBSD.org>;
	Tue, 24 Jul 2012 12:12:47 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 4AD6D8FC1E
	for <freebsd-gnats-submit@FreeBSD.org>;
	Tue, 24 Jul 2012 12:12:47 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q6OCClcN001497
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 24 Jul 2012 12:12:47 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q6OCClb8001496;
	Tue, 24 Jul 2012 12:12:47 GMT (envelope-from nobody)
Message-Id: <201207241212.q6OCClb8001496@red.freebsd.org>
Date: Tue, 24 Jul 2012 12:12:47 GMT
From: Vitaly Zakharov <ded3axap@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: conf/170110: loader.conf bootmenu password prevents OS from loading
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jul 2012 12:20:10 -0000


>Number:         170110
>Category:       conf
>Synopsis:       loader.conf  bootmenu password prevents OS from loading
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 24 12:20:06 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Vitaly Zakharov
>Release:        9.0-RELEASE-p3
>Organization:
Positive Technologies
>Environment:
FreeBSD FBSD_9_0_i386 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jul 24 12:31:53 MSK 2012     root@FBSD_9_0_i386:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
After adding a line 

password="supersecret"

to /boot/loader.conf OS does not booting unless correct password is given.

In older versions of FreeBSD (I was tested 4.11, 5.5, 6.4, 7.4, 8.3) this setting will protect Boot Menu to prevent setting custom options on boot, but not to completely stopping OS booting.

This problem affects only FreeBSD 9.0.

>How-To-Repeat:
Add a line:

password="supersecret"

to /boot/loader.conf and reboot the machine.

After that you cannot load OS without typing correct password.

>Fix:
Add a line "0 autoboot" as first command in section "check-password" of /boot/check-password.4th:

: check-password ( -- )

        0 autoboot

        \ Exit if a password was not set
        s" password" getenv dup -1 = if
                drop exit
        then


        begin \ Loop as long as it takes to get the right password

                s" Password: " \ Output a prompt for a password
                read           \ Read the user's input until Enter

                2dup readval readlen @ compare 0= if
                        2drop exit \ Correct password
                then

                \ Bad Password
                3000 ms
                ." loader: incorrect password" 10 emit

        again \ Not the right password; repeat
;

>Release-Note:
>Audit-Trail:
>Unformatted: