templates: Disable the os-prober by default

The os-prober is enabled by default what may lead to potentially dangerous use cases and borderline opening attack vectors. This patch disables the os-prober, adds warning messages and updates GRUB_DISABLE_OS_PROBER configuration option documentation. This way we make it clear that the os-prober usage is not recommended. Simplistic nature of this change allows downstream vendors, who really want os-prober to be enabled out of the box in their relevant products, easily revert to it's old behavior. Reported-by: NyankoSec (<nyanko@10x.moe>, https://twitter.com/NyankoSec), working with SSD Secure Disclosure Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2025-07-26 08:24:16 +00:00 · 2021-02-16 11:12:12 +01:00 · 2021-02-16 11:12:12 +01:00 · e346414725
commit e346414725
parent 42facd5772
2 changed files with 14 additions and 9 deletions
--- a/docs/grub.texi
+++ b/docs/grub.texi
@ -1519,10 +1519,13 @@ boot sequence.  If you have problems, set this option to @samp{text} and
 GRUB will tell Linux to boot in normal text mode.
@item GRUB_DISABLE_OS_PROBER
-Normally, @command{grub-mkconfig} will try to use the external
+The @command{grub-mkconfig} has a feature to use the external
-@command{os-prober} program, if installed, to discover other operating
+@command{os-prober} program to discover other operating systems installed on
-systems installed on the same system and generate appropriate menu entries
+the same machine and generate appropriate menu entries for them. It is disabled
-for them.  Set this option to @samp{true} to disable this.
+by default since automatic and silent execution of @command{os-prober}, and
 creating boot entries based on that data, is a potential attack vector. Set
 this option to @samp{false} to enable this feature in the
@command{grub-mkconfig} command.
@item GRUB_OS_PROBER_SKIP_LIST
 List of space-separated FS UUIDs of filesystems to be ignored from os-prober
@ -1850,10 +1853,9 @@ than zero; otherwise 0.
@section Multi-boot manual config
 Currently autogenerating config files for multi-boot environments depends on
-os-prober and has several shortcomings. While fixing it is scheduled for the
+os-prober and has several shortcomings. Due to that it is disabled by default.
-next release, meanwhile you can make use of the power of GRUB syntax and do it
+It is advised to use the power of GRUB syntax and do it yourself. A possible
-yourself. A possible configuration is detailed here, feel free to adjust to your
+configuration is detailed here, feel free to adjust to your needs.
 needs.
 First create a separate GRUB partition, big enough to hold GRUB. Some of the
 following entries show how to load OS installer images from this same partition,
--- a/util/grub.d/30_os-prober.in
+++ b/util/grub.d/30_os-prober.in
@ -26,7 +26,8 @@ export TEXTDOMAINDIR="@localedir@"
 . "$pkgdatadir/grub-mkconfig_lib"
-if [ "x${GRUB_DISABLE_OS_PROBER}" = "xtrue" ]; then
+if [ "x${GRUB_DISABLE_OS_PROBER}" = "xfalse" ]; then
  gettext_printf "os-prober will not be executed to detect other bootable partitions.\nSystems on them will not be added to the GRUB boot configuration.\nCheck GRUB_DISABLE_OS_PROBER documentation entry.\n"
  exit 0
 fi
@ -39,6 +40,8 @@ OSPROBED="`os-prober | tr ' ' '^' | paste -s -d ' '`"
 if [ -z "${OSPROBED}" ] ; then
  # empty os-prober output, nothing doing
  exit 0
 else
  grub_warn "$(gettext_printf "os-prober was executed to detect other bootable partitions.\nIt's output will be used to detect bootable binaries on them and create new boot entries.")"
 fi
 osx_entry() {