From nobody@FreeBSD.org  Tue Jul 24 12:12:47 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 601A8106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 24 Jul 2012 12:12:47 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 4AD6D8FC1E
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 24 Jul 2012 12:12:47 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q6OCClcN001497
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 24 Jul 2012 12:12:47 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q6OCClb8001496;
	Tue, 24 Jul 2012 12:12:47 GMT
	(envelope-from nobody)
Message-Id: <201207241212.q6OCClb8001496@red.freebsd.org>
Date: Tue, 24 Jul 2012 12:12:47 GMT
From: Vitaly Zakharov <ded3axap@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: loader.conf  bootmenu password prevents OS from loading
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         170110
>Category:       conf
>Synopsis:       loader.conf  bootmenu password prevents OS from loading
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    dteske
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 24 12:20:06 UTC 2012
>Closed-Date:    Tue Apr 01 00:28:52 UTC 2014
>Last-Modified:  Tue Apr 01 00:28:52 UTC 2014
>Originator:     Vitaly Zakharov
>Release:        9.0-RELEASE-p3
>Organization:
Positive Technologies
>Environment:
FreeBSD FBSD_9_0_i386 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jul 24 12:31:53 MSK 2012     root@FBSD_9_0_i386:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
After adding the line

password="supersecret"

to /boot/loader.conf, the OS does not boot unless the correct password is given.

In older versions of FreeBSD (I tested 4.11, 5.5, 6.4, 7.4, 8.3) this setting protects the Boot Menu to prevent setting custom options on boot, but does not completely stop the OS from booting.

This problem affects only FreeBSD 9.0.

>How-To-Repeat:
Add a line:

password="supersecret"

to /boot/loader.conf and reboot the machine.

After that you cannot load the OS without typing the correct password.

>Fix:
Add the line "0 autoboot" as the first command in the "check-password" section of /boot/check-password.4th:

: check-password ( -- )

        0 autoboot

        \ Exit if a password was not set
        s" password" getenv dup -1 = if
                drop exit
        then


        begin \ Loop as long as it takes to get the right password

                s" Password: " \ Output a prompt for a password
                read           \ Read the user's input until Enter

                2dup readval readlen @ compare 0= if
                        2drop exit \ Correct password
                then

                \ Bad Password
                3000 ms
                ." loader: incorrect password" 10 emit

        again \ Not the right password; repeat
;

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->dteske 
Responsible-Changed-By: dteske 
Responsible-Changed-When: Mon Nov 26 20:03:50 UTC 2012 
Responsible-Changed-Why:  
Bug caused by my commit SVN r222417 -- I'll fix. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=170110 

From: Devin Teske <devin.teske@fisglobal.com>
To: <bug-followup@FreeBSD.org>
Cc: Devin Teske <dteske@FreeBSD.org>,
        Alexander Verbod
	<alexander.verbod@gmail.com>, <ded3axap@gmail.com>
Subject: Re: conf/170110: loader.conf  bootmenu password prevents OS from loading
Date: Mon, 26 Nov 2012 13:40:41 -0800

 On Nov 26, 2012, at 9:11 AM, Alexander Verbod wrote:
 
 > Hi Devin!
 > 
 
 Hi Alex,
 
 > I'm sorry for contacting you directly, but it looks like bug tracking system on FreeBSD doesn't work as expected, a bunch of bug reports not assigned... :(
 
 I've taken ownership of PR 170110 for tracking, so now you can submit followups to the PR and I will get the mail.
 
 You did the right thing -- file the PR and then send me an e-mail so I can take a look (and as I did, take ownership if appropriate).
 
 NOTE: Adding this reply to the PR audit-trail as a followup.
 
 
 > Could you please take a look at this issue:
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=170110&cat=
 > 
 
 The cause for this regression is rooted in a 13-year discrepancy between the loader.conf(5) man-page and the actual functionality w/respect to this "password" setting.
 
 loader.conf(5) states the following (both today and ever since SVN r53672, made 13 years ago):
 
 	password	Provides a password to be asked by check-password before execution is
 				allowed to continue.
 
 Essentially, when I was rewriting the Forth code (for SVN r222417, made 18 months ago) -- I considered the existing functionality to be broken because it didn't match the documentation (read: in testing, tried as I might, I could not reproduce what the man-page appeared to be saying [above]). The documentation leads one to believe that when a password is set, that password must be entered before anything can continue (booting implied[?]).
 
 So, when I was unable to replicate the documented functionality (thinking it should stop even boot), I changed the code to match the documentation (and harmony was achieved -- or so I thought).
 
 It's clear to me now that the functionality wasn't broken but instead the documentation was inappropriate.
 
 A more appropriate description of the password variable in loader.conf(5) for the past 13 years might instead have been:
 
 	password	Sets a password to be required if autoboot fails for any reason.
 
 Nonetheless, I agree that this regression needs to be addressed to prevent POLA. Someone might be astonished if they are using the password feature in 8.x or lower and then they upgrade to 9.0 or 9.1 to find that their system now requires the password to boot (versus only requiring the password if one wants to make changes by attempting to interrupt the autoboot process).
 
 The original functionality (despite being badly documented in loader.conf(5)) will need to be restored (and loader.conf(5) updated in the process).
 
 
 
 > There is already a fix supplied.
 
 Thanks, I'll have a look. In addition, man-page updates to check-password.4th(8) and loader.conf(5) will be required.
 
 I'm also going to take this opportunity to improve the code a bit if/where possible.
 
 Given the nature of the discrepancy that caused this regression, I'd like to take this chance to provide both functionalities as I can see value in both meanings (regardless of whose interpretation is correct).
 
 NOTE: One use-case for requiring a password to boot (versus just protecting boot options) is protecting a PXE server that you either want to make private or as a method of preventing accidental destruction of a machine by fully-automated PXE-based installation scripts (much hardware today requiring only a single key at boot time to boot from the network -- F12 for example -- we sometimes want to prevent access to network boot without password).
 
 
 > Password in loader.conf works for decades and now it is broken.
 
 13 years to be exact (SVN r53672), and inappropriately documented in loader.conf(5) for just as long.
 
 Given the situation, I think the proper approach would be to (in order):
 
 1. Restore original meaning of password variable (ask for password only if autoboot fails)
 2. Update loader.conf(5) to be [more] accurate
 3. Create a new variable to track the alternative functionality of not allowing boot to continue until password is entered (I like "boot_password")
 4. Update both loader.conf(5) and check-password.4th(8) manuals
 
 
 > Hope it would be patched before 9.1 release.
 > 
 
 I'm afraid this report comes much too late for a fix to be included in 9.1-R (*wink*wink*).
 -- 
 Devin
 
 _____________
 The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.

From: Alexander Verbod <alexander.verbod@gmail.com>
To: bug-followup@FreeBSD.org
Cc: Devin Teske <dteske@freebsd.org>, ded3axap@gmail.com
Subject: Re: conf/170110: loader.conf  bootmenu password prevents OS from
 loading
Date: Tue, 27 Nov 2012 02:14:13 -0500

 On 11/26/2012 4:40 PM, Devin Teske wrote:
 >
 > I've taken ownership of PR 170110 for tracking, so now you can submit
 > followups to the PR and I will get the mail.
 
 I really appreciate that!
 
 
 >
 > The cause for this regression is rooted in a 13-year discrepancy between
 > the loader.conf(5) man-page and the actual functionality w/respect to
 > this "password" setting.
 >
 
 I agree that the loader.conf(5) man-page is kind of confusing about this 
 feature.
 
 
 >
 > Essentially, when I was rewriting the Forth code (for SVN r222417, made
 > 18 months ago) -- I considered the existing functionality to be broken
 > because it didn't match the documentation (read: in testing, tried as I
 > might, I could not reproduce what the man-page appeared to be saying
 > [above]). The documentation leads one to believe that when a password is
 > set, that password must be entered before anything can continue (booting
 > implied[?]).
 
 IMHO, with broken documentation it is questionable whether it will hurt 
 someone, but broken functionality will break some systems for 
 sure. :)
 
 This functionality has been in use for many years and is very handy.
 For example: a dedicated server at a colocation facility where the box 
 itself is physically protected by a metal jail and only the keyboard is 
 exposed outside. If one has some bad/prying "neighbor", this feature 
 will protect the boot menu.
 
 Another example: asking some technician on the other side of the globe 
 to perform some basic operation from the boot menu without granting him 
 whole access and disclosing root's password...
 
 One more example: an insider in an organization has user access to a 
 server and can prepare and upload some files, then, when nobody can see 
 him, reboot the server and boot it with prepared/infected kernel module(s) 
 or gain read access to some area where he shouldn't be...
 
 Well, there could be a different workflow, but in any case 
 loader.conf->password perfectly protects operations/commands in the boot 
 menu that can disclose the server's internal structure and, most 
 importantly, give real access to the files(!!!), and IMHO it must be used 
 anywhere a server can be accessed via console by unauthorized people.
 There are only a few commands in the boot menu, but "more, load, show, 
 boot-conf..." are enough to perform some malicious actions, so it MUST be 
 protected.
 
 >
 > So, when I was unable to replicate the documented functionality
 > (thinking it should stop even boot), I changed the code to match the
 > documentation (and harmony was achieved -- or so I thought).
 Documentation is a virtual thing, but functionality is real :(
 
 A short story (that actually brought me here):
 We have a test facility that is virtually allocated on a VPS (virtual 
 private server) with a provider that doesn't allow custom 
 installations, so when a virtual machine is somehow broken, the 
 only way to bring it back to life is to reset the whole remote virtual 
 machine, including the virtual hard drive; in other words, if one can't 
 repair a system over KVM (or VNC) via the primary console, the whole 
 system needs to be erased(!!!) and installed from scratch.
 To test software under FreeBSD 9.1RC3 we upgraded and applied our 
 automated script that tightens security settings and ...
 
 The code that worked perfectly before FreeBSD 9.0:
 echo "-m" >/boot.config;
 echo -e "\npassword=\"some_password\"\n" >>/boot.loader.local
 
 will effectively lock down the VPS forever... including all the data 
 accumulated inside that test virtual machine: no access over console, 
 nor over the network.
 
 So, IMHO it is much safer to change the documentation in this case 
 instead of functionality that is actually very usable. I believe I 
 personally first got this information from some book about FreeBSD security.
 
 >
 > It's clear to me now that the functionality wasn't broken but instead
 > the documentation was inappropriate.
 
 Yes, it is!
 
 
 >
 > Nonetheless, I agree that this regression needs to be addressed to
 > prevent POLA. Someone might be astonished if they are using the password
 > feature in 8.x or lower and then they upgrade to 9.0 or 9.1 to find that
 > their system now requires the password to boot (versus only requiring
 > the password if one wants to make changes by attempting to interrupt the
 > autoboot process).
 
 Thank you for understanding the issue!!!
 I wish that PHP developers would respect POLA issues as you do.
 
 
 > I'm also going to take this opportunity to improve the code a bit
 > if/where possible.
 
 Maybe this is not the appropriate place to ask about this, but from a 
 security point of view, IMHO it would be a great improvement if the 
 password that protects the boot menu were kept as a hash instead of 
 clear text.
 
 >
 > Given the nature of the discrepancy that caused this regression, I'd
 > like to take this chance to provide both functionalities as I can see
 > value in both meanings (regardless of whose interpretation is correct).
 >
 > NOTE: One use-case for requiring a password to boot (versus just
 > protecting boot options) is protecting a PXE server that you either want
 > to make private or as a method of preventing accidental destruction of a
 > machine by fully-automated PXE-based installation scripts (much hardware
 > today requiring only a single key at boot time to boot from the network
 > -- F12 for example -- we sometimes want to prevent access to network
 > boot without password).
 
 It would be handy to have both functionalities; I think this 
 feature (lock autoboot) can find its place in embedded hardware, 
 especially with upcoming ARM support, in addition to the PXE server 
 case you described.
 
 
 > Given the situation, I think the proper approach would be to (in order):
 >
 > 1. Restore original meaning of password variable (ask for password only
 > if autoboot fails)
 
 Let me add: "ask for the password only if autoboot fails or if any key 
 was pressed during countdown period specified by 'autoboot_delay' variable".
 The attached patch will restore exactly the same functionality as has 
 worked for 13 years (13 is a bad number, I guess :) ), and credit for 
 the patch goes to the original PR submitter.
 
 
 > 2. Update loader.conf(5) to be [more] accurate
 
 Yes, something like below would be more understandable than it is right 
 now:
 "[password] Protect boot menu with a password without interrupting auto 
 boot process.
 The password should be in clear text format.
 If a password is set, boot menu will not appear until any key is pressed 
 during countdown period specified by 'autoboot_delay' variable or 
 autoboot process fails. In both cases user should provide specified 
 password to be able to access boot menu."
 
 > 3. Create a new variable to track the alternative functionality of not
 > allowing boot to continue until password is entered (I like "boot_password")
 Based on our experience :) I would call it "bootlock_password" or 
 "lockdown_password", but you're right, "boot_password" will match other 
 variables from /boot/defaults/loader.conf, even if "autoboot_password" 
 IMHO is more descriptive.
 
 > 4. Update both loader.conf(5) and check-password.4th(8) manuals
 Yes, loader.conf(5) is confusing about "password", but 
 check-password.4th(8) is completely misleading.
 
 BTW, while we are talking about documentation, there is a related 
 "documentation" bug:
 /boot/defaults/loader.conf
 assumes that
 
 autoboot_delay="NO"
 
 will "... disable autobooting", but in fact it doesn't work and is 
 completely ignored.
 
 
 
 Devin, thank you for taking this issue seriously!
 
 
 Best regards,
 
 Alex Verbod
 
 Content-Disposition: attachment;
  filename="check-password.4th.patch.txt"
 
 --- /boot/check-password.4th.orig       2012-11-26 23:19:43.000000000 -0500
 +++ /boot/check-password.4th    2012-11-26 23:20:22.000000000 -0500
 @@ -134,6 +134,8 @@
 
  : check-password ( -- )
 
 +0 autoboot
 +
         \ Exit if a password was not set
         s" password" getenv dup -1 = if
                 drop exit
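 Review bot: the inserted `0 autoboot` sits before the `s" password" getenv dup -1 = if drop exit then` check, so autoboot is forced on every boot even when no password is configured; on i386/amd64, where check-password runs unconditionally, that would skip the beastie menu for everyone, which is the objection Devin raises later in this thread. Move the `0 autoboot` below the "Exit if a password was not set" block so it only runs once a password is known to be set, and add a comment stating that autoboot comes back here only when the countdown is interrupted or the boot attempt fails.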
 
State-Changed-From-To: open->analyzed 
State-Changed-By: dteske 
State-Changed-When: Fri Nov 30 01:16:56 UTC 2012 
State-Changed-Why:  
We agree there's a problem and it needs to be addressed. 
Working on a patchset and testing. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=170110 

From: Devin Teske <devin.teske@fisglobal.com>
To: Alexander Verbod <alexander.verbod@gmail.com>
Cc: <bug-followup@FreeBSD.org>, Devin Teske <dteske@freebsd.org>,
        <ded3axap@gmail.com>
Subject: Re: conf/170110: loader.conf  bootmenu password prevents OS from loading
Date: Mon, 10 Dec 2012 10:55:14 -0800

 On Nov 26, 2012, at 11:14 PM, Alexander Verbod wrote:
 
 > BTW, while we are talking about documentation, there is related "documentation" bug:
 > /boot/defaults/loader.conf
 > assumes that
 > 
 > autoboot_delay="NO"
 > 
 > will "... disable autobooting", but in fact it doesn't work and completely ignored.
 
 Can you create a new PR for the above-described issue?
 
 Didn't want to lose track of it while working on this PR.
 -- 
 Thanks,
 Devin
 

From: Devin Teske <devin.teske@fisglobal.com>
To: Alexander Verbod <alexander.verbod@gmail.com>
Cc: <bug-followup@FreeBSD.org>, Devin Teske <dteske@freebsd.org>,
        <ded3axap@gmail.com>
Subject: Re: conf/170110: loader.conf  bootmenu password prevents OS from loading
Date: Mon, 10 Dec 2012 14:52:39 -0800

 On Nov 26, 2012, at 11:14 PM, Alexander Verbod wrote:
 
 > On 11/26/2012 4:40 PM, Devin Teske wrote:
 >>=20
 >> The cause for this regression is rooted in a 13-year discrepancy between
 >> the loader.conf(5) man-page and the actual functionality w/respect to
 >> this "password" setting.
 >>=20
 >=20
 > I agree that loader.conf(5) man-page is kind of confusing about this feat=
 ure.
 >=20
 >=20
 >>=20
 >> It's clear to me now that the functionality wasn't broken but instead
 >> the documentation was inappropriate.
 >=20
 > Yes, it is !
 >=20
 >=20
 >> Nonetheless, I agree that this regression needs to be addressed to
 >> prevent POLA. Someone might be astonished if they are using the password
 >> feature in 8.x or lower and then they upgrade to 9.0 or 9.1 to find that
 >> their system now requires the password to boot (versus only requiring
 >> the password if one wants to make changes by attempting to interrupt the
 >> autoboot process).
 >=20
 > Thank you for understanding the issue !!!
 > I wish that PHP developers would respect POLA issues as you do.
 >=20
 >=20
 >> I'm also going to take this opportunity to improve the code a bit
 >> if/where possible.
 >=20
 > May be not an appropriate place to ask about this, but from security poin=
 t of view, IMHO it would be a great improvement if password that protect bo=
 ot menu will be kept as some hash instead of clear text.
 >=20
 
 Two concerns with that:
 1. The size of the implementation for a given hash algorithm
 2. The efficiency of said implementation
 3. The amount of effort required to integrate said implementation into the =
 FICL layer
 
 I'm not saying "no," but rather "not right now" ^_^
 
 There's a high likelihood that this would be a large undertaking.
 
 
 
 >> Given the nature of the discrepancy that caused this regression, I'd
 >> like to take this chance to provide both functionalities as I can see
 >> value in both meanings (regardless of whose interpretation is correct).
 >>=20
 >> NOTE: One use-case for requiring a password to boot (versus just
 >> protecting boot options) is protecting a PXE server that you either want
 >> to make private or as a method of preventing accidental destruction of a
 >> machine by fully-automated PXE-based installation scripts (much hardware
 >> today requiring only a single key at boot time to boot from the network
 >> -- F12 for example -- we sometimes want to prevent access to network
 >> boot without password).
 >=20
 > This would be handy to have both functionalities, I think this feature(lo=
 ck autoboot) can find its place in embedded hardware, especially with upcom=
 ing ARM support, in addition that you described with PXE server.
 >=20
 
 I indeed was able to fit this into the up-coming patch.
 
 
 
 >> Given the situation, I think the proper approach would be to (in order):
 >>=20
 >> 1. Restore original meaning of password variable (ask for password only
 >> if autoboot fails)
 >=20
 > Let me add: "ask for the password only if autoboot fails or if any key wa=
 s pressed during countdown period specified by 'autoboot_delay' variable"
 
 That was implied by "if autoboot fails" (deeming user intervention as failu=
 re to complete an autoboot sequence).
 
 
 > Attached patch will restore exactly the same functionality as it works fo=
 r 13 years(bad 13 number I guess :) ) and credit for the patch is going to =
 the original PR submitter
 >=20
 
 Well, the original patch submitted was not correct. If applied, it would ha=
 ve wiped out the beastie menu completely (the call to autoboot needs to be =
 _after_ the check for $password else autoboot will always be invoked on i38=
 6/amd64 where check-password is invoked every boot regardless of whether $p=
 assword is set).
 
 
 
>
>> 2. Update loader.conf(5) to be [more] accurate
>
> Yes, something like below would be more understandable than it is right now:
> "[password] Protect boot menu with a password without interrupting auto boot process.
> The password should be in clear text format.
> If a password is set, boot menu will not appear until any key is pressed during countdown period specified by 'autoboot_delay' variable or autoboot process fails. In both cases user should provide specified password to be able to access boot menu."
>
 
 Right on the money. Crediting you with the updated text.
 
 
 
 >> 3. Create a new variable to track the alternative functionality of not
>> allowing boot to continue until password is entered (I like "boot_password")
> Based on our experience :) I would call it: "bootlock_password"
 
 Sounds good, so it is.
 
 
 >> 4. Update both loader.conf(5) and check-password.4th(8) manuals
> Yes, loader.conf(5) is confusing about "password", but check-password.4th(8) is completely misleading.
>
 
No worries, I've updated check-password.4th(8) to be more clear. (please see attached patch.txt)
 
 
 > Devin, thank you for taking this issue seriously !
>
 
 No problem. Thank you for reviewing and helping refine the fixes.
 
Can you have a look at the attached patch.txt to see if I've addressed everything? (and then some)
-- 
 Cheers,
 Devin
 
 _____________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
 
Attachment: patch.txt

 Index: loader.4th.8
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- loader.4th.8	(revision 244048)
 +++ loader.4th.8	(working copy)
 @@ -99,7 +99,7 @@ This
  is the command used in the default
  .Pa /boot/loader.rc
  file, and it uses the
 -.Pa autoboot
 +.Ic autoboot
  command (see
  .Xr loader 8 ) ,
  so it can be stopped for further interaction with
 Index: beastie.4th.8
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- beastie.4th.8	(revision 244048)
 +++ beastie.4th.8	(working copy)
 @@ -1,4 +1,4 @@
 -.\" Copyright (c) 2011 Devin Teske
 +.\" Copyright (c) 2011-2012 Devin Teske
  .\" All rights reserved.
  .\"
  .\" Redistribution and use in source and binary forms, with or without
 @@ -94,8 +94,9 @@ The
  variable can be configured in
  .Xr loader.conf 5
  to the number of seconds you would like to delay loading the boot menu.
 -During the delay the user can press Ctrl-C to fall back to autoboot or =
 ENTER
 -to proceed.
 +During the delay the user can press Ctrl-C to fall back to
 +.Ic autoboot
 +or ENTER to proceed.
  The default behavior is to not delay.
  .El
  .Pp
 Index: check-password.4th.8
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- check-password.4th.8	(revision 244048)
 +++ check-password.4th.8	(working copy)
 @@ -1,4 +1,4 @@
 -.\" Copyright (c) 2011 Devin Teske
 +.\" Copyright (c) 2011-2012 Devin Teske
  .\" All rights reserved.
  .\"
  .\" Redistribution and use in source and binary forms, with or without
 @@ -24,7 +24,7 @@
  .\"
  .\" $FreeBSD$
  .\"
 -.Dd May 18, 2011
 +.Dd December 10, 2012
  .Dt CHECK-PASSWORD.4TH 8
  .Os
  .Sh NAME
 @@ -33,7 +33,8 @@
  .Sh DESCRIPTION
  The file that goes by the name of
  .Nm
 -is a set of commands designed to prevent booting without the proper =
 password.
 +is a set of commands designed to either prevent booting or prevent =
 modification
 +of boot options without an appropriately configured password.
  The commands of
  .Nm
  by themselves are not enough for most uses.
 @@ -57,30 +58,36 @@ The commands provided by it are:
  .Pp
  .Bl -tag -width disable-module_module -compact -offset indent
  .It Ic check-password
 -Once called, the user cannot continue until the correct password is =
 entered.
 -If the user enters the correct password the function returns.
 +Dual-purpose function that can either protect the interactive boot menu =
 or
 +prevent boot without password (separately).
  .Pp
 -The password that is required is configured by setting the
 -.Ic password
 -variable in
 -.Xr loader.conf 5 .
 +First checks
 +.Va bootlock_password
 +and if-set, the user cannot continue until the correct password is =
 entered.
  .Pp
 -Subsequent calls after a successful password
 -has been entered will not cause reprompting
 -\(em the function will silently return.
 +Next checks
 +.Va password
 +and if-set, tries to
 +.Ic autoboot
 +and only prompts for password on failure or user-interrupt.
 +See
 +.Xr loader.conf 5
 +for additional information.
  .El
  .Pp
  The environment variables that effect its behavior are:
 -.Bl -tag -width bootfile -offset indent
 +.Bl -tag -width bootlock_password -offset indent
 +.It Va bootlock_password
 +Sets the bootlock password (up to 16 characters long) that is required =
 by
 +.Ic check-password
 +to be entered before the system is allowed to boot.
  .It Va password
  Sets the password (up to 16 characters long) that is required by
  .Ic check-password
 -to be entered before the system is allowed to boot. If unset (default) =
 or NULL,
 -.Ic check-password
 -will silently abort.
 +before the user is allowed to visit the boot menu.
  .El
  .Sh FILES
 -.Bl -tag -width /boot/loader.4th -compact
 +.Bl -tag -width /boot/check-password.4th -compact
  .It Pa /boot/loader
  The
  .Xr loader 8 .
 @@ -101,11 +108,20 @@ check-password
  .Ed
  .Pp
  Set a password in
 -.Xr loader.conf 5 :
 +.Xr loader.conf 5
 +to prevent modification of boot options:
  .Pp
  .Bd -literal -offset indent -compact
  password=3D"abc123"
  .Ed
 +.Pp
 +Set a password in
 +.Xr loader.conf 5
 +to prevent booting without password:
 +.Pp
 +.Bd -literal -offset indent -compact
 +bootlock_password=3D"boot"
 +.Ed
  .Sh SEE ALSO
  .Xr loader.conf 5 ,
  .Xr loader 8 ,
 Index: loader.conf.5
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- loader.conf.5	(revision 244048)
 +++ loader.conf.5	(working copy)
 @@ -23,7 +23,7 @@
  .\" SUCH DAMAGE.
  .\"
  .\" $FreeBSD$
 -.Dd July 20, 2011
 +.Dd December 10, 2012
  .Dt LOADER.CONF 5
  .Os
  .Sh NAME
 @@ -113,8 +113,23 @@ that contains a kernel.
  .It Ar kernel_options
  Flags to be passed to the kernel.
  .It Ar password
 +Protect boot menu with a password without interrupting
 +.Ic autoboot
 +process.
 +The password should be in clear text format.
 +If a password is set, boot menu will not appear until any key is =
 pressed during
 +countdown period specified by
 +.Va autoboot_delay
 +variable or
 +.Ic autoboot
 +process fails.
 +In both cases user should provide specified password to be able to =
 access boot
 +menu.
 +.It Ar bootlock_password
  Provides a password to be required by check-password before execution =
 is
  allowed to continue.
 +The password should be in clear text format.
 +If a password is set, the user must provide specified password to boot.
  .It Ar verbose_loading
  If set to
  .Dq YES ,
 Index: menu.4th.8
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- menu.4th.8	(revision 244048)
 +++ menu.4th.8	(working copy)
 @@ -1,4 +1,4 @@
 -.\" Copyright (c) 2011 Devin Teske
 +.\" Copyright (c) 2011-2012 Devin Teske
  .\" All rights reserved.
  .\"
  .\" Redistribution and use in source and binary forms, with or without
 @@ -108,8 +108,9 @@ will wait for user input and never execute
  If set to
  .Dq Li -1 ,
  .Ic menu-display
 -will boot immediately, preventing both interruption of the autoboot =
 process and
 -escaping to the loader prompt.
 +will boot immediately, preventing both interruption of the
 +.Ic autoboot
 +process and escaping to the loader prompt.
  Default is
  .Dq Li 10 .
  See
 Index: check-password.4th
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- check-password.4th	(revision 244048)
 +++ check-password.4th	(working copy)
 @@ -1,4 +1,4 @@
 -\ Copyright (c) 2006-2011 Devin Teske <dteske@FreeBSD.org>
 +\ Copyright (c) 2006-2012 Devin Teske <dteske@FreeBSD.org>
  \ All rights reserved.
  \=20
  \ Redistribution and use in source and binary forms, with or without
 @@ -74,7 +74,7 @@ variable readlen        \ input length
     again
  ;
 =20
 -: read ( -- String prompt )
 +: read ( String prompt -- )
 =20
  	0 25 at-xy           \ Move the cursor to the bottom-left
  	dup 1+ read-start !  \ Store X offset after the prompt
 @@ -134,23 +134,37 @@ variable readlen        \ input length
 =20
  : check-password ( -- )
 =20
 -	\ Exit if a password was not set
 -	s" password" getenv dup -1 =3D if
 -		drop exit
 +	\ Do not allow the user to proceed beyond this point if a =
 boot-lock
 +	\ password has been set (preventing even boot from proceeding)
 +	s" bootlock_password" getenv dup -1 <> if
 +		begin
 +			s" Boot Password: " read ( prompt -- )
 +			2dup readval readlen @ compare 0<>
 +		while
 +			3000 ms ." loader: incorrect password" 10 emit
 +		again
 +		2drop ( c-addr/u )
 +	else
 +		drop ( -1 ) \ getenv cruft
  	then
 =20
 -	begin \ Loop as long as it takes to get the right password
 +	\ Exit if a password was not set
 +	s" password" getenv -1 =3D if exit else drop then
 =20
 -		s" Password: " \ Output a prompt for a password
 -		read           \ Read the user's input until Enter
 +	\ We should prevent the user from visiting the menu or dropping =
 to the
 +	\ interactive loader(8) prompt, but still allow the machine to =
 boot...
 =20
 +	autoboot ( -- )
 +
 +	\ Only reached if autoboot fails for any reason (including =
 if/when
 +	\ the user aborts/escapes the countdown sequence leading to =
 boot).
 +
 +	s" password" getenv
 +	begin
 +		s" Password: " read ( prompt -- )
  		2dup readval readlen @ compare 0=3D if
  			2drop exit \ Correct password
  		then
 -
 -		\ Bad Password
 -		3000 ms
 -		." loader: incorrect password" 10 emit
 -
 -	again \ Not the right password; repeat
 +		3000 ms ." loader: incorrect password" 10 emit
 +	again
  ;
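Review bot: the bootlock loop in the `check-password` body, `begin ... while ... again`, is malformed. In Forth `while` must be closed by `repeat`; `again` there leaves the compile-time control-flow stack unbalanced, so the word either fails to compile or misbehaves at run time, which is consistent with the "BTX halt" reported in the next message of this thread. Also `autoboot ( -- )` is invoked without the argument count that loader builtins take on the stack; the revised patch that follows uses `0 autoboot`. Both fixes belong in this hunk before it is committed.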
 

From: Devin Teske <devin.teske@fisglobal.com>
To: Devin Teske <dteske@freebsd.org>
Cc: Alexander Verbod <alexander.verbod@gmail.com>, <bug-followup@FreeBSD.org>,
        <ded3axap@gmail.com>
Subject: Re: conf/170110: loader.conf  bootmenu password prevents OS from loading
Date: Mon, 10 Dec 2012 15:01:22 -0800

 On Dec 10, 2012, at 2:52 PM, Devin Teske wrote:
 
> Can you have a look at the attached patch.txt to see if I've addressed everything? (and then some)
 
Don't install it. Found a couple typos that lead to bad situations if you try this code (BTX halt, etc.).
 
Man-page changes need reviewing, but please hold for the completed Forth changes.
-- 
 Devin
 

From: Devin Teske <devin.teske@fisglobal.com>
To: Alexander Verbod <alexander.verbod@gmail.com>
Cc: <bug-followup@FreeBSD.org>, <ded3axap@gmail.com>,
        Devin Teske
	<dteske@freebsd.org>
Subject: Re: conf/170110: loader.conf  bootmenu password prevents OS from loading
Date: Mon, 10 Dec 2012 15:38:30 -0800

 
 On Dec 10, 2012, at 3:01 PM, Devin Teske wrote:
 
>
> On Dec 10, 2012, at 2:52 PM, Devin Teske wrote:
>
>> Can you have a look at the attached patch.txt to see if I've addressed everything? (and then some)
>
> Don't install it. Found a couple typos that lead to bad situations if you try this code (BTX halt, etc.).
>
> Man-page changes need reviewing, but please hold for the completed Forth changes.
 
All done... final patch for review attached as patch.txt
 
 Here's what I tested:
 
password="foo"
 	# Could boot but not get to menu without password
 
bootlock_password="foo"
 	# Could not boot without password
 
bootlock_password="foo"
password="bar"
 	# Could not boot without "foo"
 	# Could boot without "bar" but not get into menu without "bar"
 
 And of course, neither
 	# Loaded menu and then booted
 
 All expected results.
 
Let me know if you have any questions, objections, concerns, trepidations, quivers, etc.
-- 
 Cheers,
 Devin
 
 
Attachment: patch.txt

 Index: loader.4th.8
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- loader.4th.8	(revision 244048)
 +++ loader.4th.8	(working copy)
 @@ -99,7 +99,7 @@ This
  is the command used in the default
  .Pa /boot/loader.rc
  file, and it uses the
 -.Pa autoboot
 +.Ic autoboot
  command (see
  .Xr loader 8 ) ,
  so it can be stopped for further interaction with
 Index: beastie.4th.8
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- beastie.4th.8	(revision 244048)
 +++ beastie.4th.8	(working copy)
 @@ -1,4 +1,4 @@
 -.\" Copyright (c) 2011 Devin Teske
 +.\" Copyright (c) 2011-2012 Devin Teske
  .\" All rights reserved.
  .\"
  .\" Redistribution and use in source and binary forms, with or without
 @@ -94,8 +94,9 @@ The
  variable can be configured in
  .Xr loader.conf 5
  to the number of seconds you would like to delay loading the boot menu.
 -During the delay the user can press Ctrl-C to fall back to autoboot or =
 ENTER
 -to proceed.
 +During the delay the user can press Ctrl-C to fall back to
 +.Ic autoboot
 +or ENTER to proceed.
  The default behavior is to not delay.
  .El
  .Pp
 Index: check-password.4th.8
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- check-password.4th.8	(revision 244048)
 +++ check-password.4th.8	(working copy)
 @@ -1,4 +1,4 @@
 -.\" Copyright (c) 2011 Devin Teske
 +.\" Copyright (c) 2011-2012 Devin Teske
  .\" All rights reserved.
  .\"
  .\" Redistribution and use in source and binary forms, with or without
 @@ -24,7 +24,7 @@
  .\"
  .\" $FreeBSD$
  .\"
 -.Dd May 18, 2011
 +.Dd December 10, 2012
  .Dt CHECK-PASSWORD.4TH 8
  .Os
  .Sh NAME
 @@ -33,7 +33,8 @@
  .Sh DESCRIPTION
  The file that goes by the name of
  .Nm
 -is a set of commands designed to prevent booting without the proper =
 password.
 +is a set of commands designed to either prevent booting or prevent =
 modification
 +of boot options without an appropriately configured password.
  The commands of
  .Nm
  by themselves are not enough for most uses.
 @@ -57,30 +58,36 @@ The commands provided by it are:
  .Pp
  .Bl -tag -width disable-module_module -compact -offset indent
  .It Ic check-password
 -Once called, the user cannot continue until the correct password is =
 entered.
 -If the user enters the correct password the function returns.
 +Dual-purpose function that can either protect the interactive boot menu =
 or
 +prevent boot without password (separately).
  .Pp
 -The password that is required is configured by setting the
 -.Ic password
 -variable in
 -.Xr loader.conf 5 .
 +First checks
 +.Va bootlock_password
 +and if-set, the user cannot continue until the correct password is =
 entered.
  .Pp
 -Subsequent calls after a successful password
 -has been entered will not cause reprompting
 -\(em the function will silently return.
 +Next checks
 +.Va password
 +and if-set, tries to
 +.Ic autoboot
 +and only prompts for password on failure or user-interrupt.
 +See
 +.Xr loader.conf 5
 +for additional information.
  .El
  .Pp
  The environment variables that effect its behavior are:
 -.Bl -tag -width bootfile -offset indent
 +.Bl -tag -width bootlock_password -offset indent
 +.It Va bootlock_password
 +Sets the bootlock password (up to 16 characters long) that is required =
 by
 +.Ic check-password
 +to be entered before the system is allowed to boot.
  .It Va password
  Sets the password (up to 16 characters long) that is required by
  .Ic check-password
 -to be entered before the system is allowed to boot. If unset (default) =
 or NULL,
 -.Ic check-password
 -will silently abort.
 +before the user is allowed to visit the boot menu.
  .El
  .Sh FILES
 -.Bl -tag -width /boot/loader.4th -compact
 +.Bl -tag -width /boot/check-password.4th -compact
  .It Pa /boot/loader
  The
  .Xr loader 8 .
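Review bot: the new description "Dual-purpose function that can either protect the interactive boot menu or prevent boot without password (separately)." reads awkwardly, and "if-set" should be "if set" in both places; suggest "Dual-purpose function: depending on which variable is set, it either prevents boot entirely or protects the interactive boot menu." While this paragraph is being rewritten, the unchanged context line "The environment variables that effect its behavior are:" should say "affect". Dropping the old sentence about subsequent calls not reprompting is correct, since neither loop in the new check-password.4th hunk records a successful entry.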
 @@ -101,11 +108,20 @@ check-password
  .Ed
  .Pp
  Set a password in
 -.Xr loader.conf 5 :
 +.Xr loader.conf 5
 +to prevent modification of boot options:
  .Pp
  .Bd -literal -offset indent -compact
  password=3D"abc123"
  .Ed
 +.Pp
 +Set a password in
 +.Xr loader.conf 5
 +to prevent booting without password:
 +.Pp
 +.Bd -literal -offset indent -compact
 +bootlock_password=3D"boot"
 +.Ed
  .Sh SEE ALSO
  .Xr loader.conf 5 ,
  .Xr loader 8 ,
 Index: loader.conf.5
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- loader.conf.5	(revision 244048)
 +++ loader.conf.5	(working copy)
 @@ -23,7 +23,7 @@
  .\" SUCH DAMAGE.
  .\"
  .\" $FreeBSD$
 -.Dd July 20, 2011
 +.Dd December 10, 2012
  .Dt LOADER.CONF 5
  .Os
  .Sh NAME
 @@ -113,8 +113,23 @@ that contains a kernel.
  .It Ar kernel_options
  Flags to be passed to the kernel.
  .It Ar password
 +Protect boot menu with a password without interrupting
 +.Ic autoboot
 +process.
 +The password should be in clear text format.
 +If a password is set, boot menu will not appear until any key is =
 pressed during
 +countdown period specified by
 +.Va autoboot_delay
 +variable or
 +.Ic autoboot
 +process fails.
 +In both cases user should provide specified password to be able to =
 access boot
 +menu.
 +.It Ar bootlock_password
  Provides a password to be required by check-password before execution =
 is
  allowed to continue.
 +The password should be in clear text format.
 +If a password is set, the user must provide specified password to boot.
  .It Ar verbose_loading
  If set to
  .Dq YES ,
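Review bot: the `password` and `bootlock_password` entries should state the 16-character limit that the check-password.4th.8 hunk documents ("up to 16 characters long"); loader.conf(5) is where an administrator sets the value, and a longer value is silently unusable. Under `bootlock_password`, the inherited sentence "Provides a password to be required by check-password before execution is allowed to continue." now says the same thing as the added "If a password is set, the user must provide specified password to boot."; keep one. "The password should be in clear text format." also deserves a following sentence that the value is therefore readable by anyone who can read loader.conf, so the file's permissions are part of the protection.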
 Index: menu.4th.8
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- menu.4th.8	(revision 244048)
 +++ menu.4th.8	(working copy)
 @@ -1,4 +1,4 @@
 -.\" Copyright (c) 2011 Devin Teske
 +.\" Copyright (c) 2011-2012 Devin Teske
  .\" All rights reserved.
  .\"
  .\" Redistribution and use in source and binary forms, with or without
 @@ -108,8 +108,9 @@ will wait for user input and never execute
  If set to
  .Dq Li -1 ,
  .Ic menu-display
 -will boot immediately, preventing both interruption of the autoboot =
 process and
 -escaping to the loader prompt.
 +will boot immediately, preventing both interruption of the
 +.Ic autoboot
 +process and escaping to the loader prompt.
  Default is
  .Dq Li 10 .
  See
 Index: check-password.4th
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- check-password.4th	(revision 244048)
 +++ check-password.4th	(working copy)
 @@ -1,4 +1,4 @@
 -\ Copyright (c) 2006-2011 Devin Teske <dteske@FreeBSD.org>
 +\ Copyright (c) 2006-2012 Devin Teske <dteske@FreeBSD.org>
  \ All rights reserved.
  \=20
  \ Redistribution and use in source and binary forms, with or without
 @@ -74,7 +74,7 @@ variable readlen        \ input length
     again
  ;
 =20
 -: read ( -- String prompt )
 +: read ( String prompt -- )
 =20
  	0 25 at-xy           \ Move the cursor to the bottom-left
  	dup 1+ read-start !  \ Store X offset after the prompt
 @@ -134,23 +134,37 @@ variable readlen        \ input length
 =20
  : check-password ( -- )
 =20
 -	\ Exit if a password was not set
 -	s" password" getenv dup -1 =3D if
 -		drop exit
 +	\ Do not allow the user to proceed beyond this point if a =
 boot-lock
 +	\ password has been set (preventing even boot from proceeding)
 +	s" bootlock_password" getenv dup -1 <> if
 +		begin
 +			s" Boot Password: " read ( prompt -- )
 +			2dup readval readlen @ compare 0<>
 +		while
 +			3000 ms ." loader: incorrect password" 10 emit
 +		repeat
 +		2drop ( c-addr/u )
 +	else
 +		drop ( -1 ) \ getenv cruft
  	then
 =20
 -	begin \ Loop as long as it takes to get the right password
 +	\ Exit if a password was not set
 +	s" password" getenv -1 =3D if exit else drop then
 =20
 -		s" Password: " \ Output a prompt for a password
 -		read           \ Read the user's input until Enter
 +	\ We should prevent the user from visiting the menu or dropping =
 to the
 +	\ interactive loader(8) prompt, but still allow the machine to =
 boot...
 =20
 +	0 autoboot
 +
 +	\ Only reached if autoboot fails for any reason (including =
 if/when
 +	\ the user aborts/escapes the countdown sequence leading to =
 boot).
 +
 +	s" password" getenv
 +	begin
 +		s" Password: " read ( prompt -- )
  		2dup readval readlen @ compare 0=3D if
  			2drop exit \ Correct password
  		then
 -
 -		\ Bad Password
 -		3000 ms
 -		." loader: incorrect password" 10 emit
 -
 -	again \ Not the right password; repeat
 +		3000 ms ." loader: incorrect password" 10 emit
 +	again
  ;
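Review bot: nothing in this hunk bounds the configured value to the 16 characters the man page promises. `2dup readval readlen @ compare` checks the full environment string against whatever `read` collected, so a `bootlock_password` longer than the input buffer can never match and the machine cannot be booted from this loader at all; either truncate the environment value to the buffer length before comparing, or have loader.conf(5) warn about the lock-out. A minor point: `s" password" getenv -1 = if exit else drop then` fetches the variable only to test for -1, and `s" password" getenv` fetches it again after `0 autoboot`; a short comment explaining why the value is re-read after the autoboot call would help the next reader. The `while ... repeat` pairing and `0 autoboot` resolve the halt from the previous version.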
 
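Below is an added executable model of the two-gate logic in the final check-password.4th hunk; it is an illustration written for this page, not FreeBSD code. The `Console` class, the `check_password`, `run_test_matrix`, `wrong_bootlock_is_rate_limited` and `overlong_bootlock_locks_out` names, and the 16-character `READ_BUFFER_LEN` (taken from the "up to 16 characters long" wording in the man page, not from the `read` implementation, which is not shown in the patch) are assumptions. It replays the test matrix from the message above and also shows an availability failure the patch does not guard against: a configured password longer than the input buffer can never be matched.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption (not from the patch): the line-input buffer behind "read"
# holds 16 characters, matching "up to 16 characters long" in
# check-password.4th(8).
READ_BUFFER_LEN = 16


class OutOfInput(Exception):
    """The simulated operator has nothing left to type: a lock-out."""


@dataclass
class Console:
    """Constructed stand-in for the loader console (hypothetical)."""
    typed: List[str]                       # what the operator will type, in order
    prompts: List[str] = field(default_factory=list)
    penalty_ms: int = 0                    # accumulated "3000 ms" sleeps

    def read(self, prompt: str) -> str:
        self.prompts.append(prompt)
        if not self.typed:
            raise OutOfInput(prompt)
        # A fixed buffer keeps at most READ_BUFFER_LEN characters.
        return self.typed.pop(0)[:READ_BUFFER_LEN]


def _require(console: Console, prompt: str, secret: str) -> None:
    # Models: begin ... read ... compare 0<> while 3000 ms ... repeat
    while console.read(prompt) != secret:
        console.penalty_ms += 3000


def check_password(env: Dict[str, str], console: Console,
                   autoboot_interrupted: bool = False) -> str:
    """Return where control goes next: "booted" or "menu".

    Order follows the final hunk: bootlock gate, early exit when no
    `password`, `0 autoboot`, then the menu-protecting gate that is only
    reached when autoboot fails or the operator interrupts the countdown.
    """
    bootlock = env.get("bootlock_password")
    if bootlock is not None:
        _require(console, "Boot Password: ", bootlock)
    password = env.get("password")
    if password is None:
        return "menu"          # nothing protects the menu; beastie loads
    if not autoboot_interrupted:
        return "booted"        # autoboot succeeded and never returned
    _require(console, "Password: ", password)
    return "menu"


def run_test_matrix() -> Dict[str, str]:
    """Replay the configurations from the message above (constructed input)."""
    both = {"bootlock_password": "foo", "password": "bar"}
    return {
        "password only, autoboot left alone":
            check_password({"password": "foo"}, Console([])),
        "password only, countdown interrupted":
            check_password({"password": "foo"}, Console(["foo"]),
                           autoboot_interrupted=True),
        "bootlock only":
            check_password({"bootlock_password": "foo"}, Console(["foo"])),
        "both, autoboot left alone":
            check_password(both, Console(["foo"])),
        "both, countdown interrupted":
            check_password(both, Console(["foo", "bar"]),
                           autoboot_interrupted=True),
        "neither":
            check_password({}, Console([])),
    }


def wrong_bootlock_is_rate_limited() -> int:
    """Two bad guesses before the right one cost 6000 ms of delay."""
    console = Console(["x", "y", "foo"])
    check_password({"bootlock_password": "foo"}, console)
    return console.penalty_ms


def overlong_bootlock_locks_out() -> bool:
    """A secret longer than the input buffer can never be matched."""
    secret = "a" * (READ_BUFFER_LEN + 1)
    try:
        check_password({"bootlock_password": secret}, Console([secret] * 3))
    except OutOfInput:
        return True
    return False
```

`run_test_matrix()` reproduces the four outcomes Devin lists: `password` alone boots untouched but gates the menu, `bootlock_password` alone gates boot, and with both set the bootlock value is demanded first and the menu value only on interruption. `overlong_bootlock_locks_out()` is the case the review note above flags: the operator types the correct 17-character value, the buffer keeps 16, and the loop never exits.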
State-Changed-From-To: analyzed->patched 
State-Changed-By: dteske 
State-Changed-When: Wed Dec 12 17:49:49 UTC 2012 
State-Changed-Why:  
Committed to HEAD as r244158. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=170110 
State-Changed-From-To: patched->closed 
State-Changed-By: dteske 
State-Changed-When: Tue Apr 1 00:28:34 UTC 2014 
State-Changed-Why:  
MFC'd to stable/9 with r254109 

http://www.freebsd.org/cgi/query-pr.cgi?pr=170110 
>Unformatted:
