Dear Maintainer,
since the last update of grub-common, all users are required to input a
username and password before being able to boot the system. This is due to the
removal of the '--unrestricted' option from the CLASS variable in
/etc/grub.d/10_linux. This is NOT their known username & password, but rather
the bootloader-specific credentials.
**In turn, it results in effectively locking out users from their machine.**
This incompatible change was not listed in the changelog of the package upon
update. It affects only users for which a custom grub password was set by the
administrator (which is likely to happen in enterprise scenarios).
This is a serious problem since if remotely deployed to our machines, it would
lock out all users from next boot (by policy superuser is the only one able to
edit entries). Fortunately we caught this during internal testing.
Please consider adding back the '--unrestricted' flag, or at least prominently
warn users upon upgrade. Unfortunately, there is no easy built-in simple
configuration variable to toggle the default behavior. It might be good to add
one.
Thanks,
Matteo
PS: The culprit is:
--- /etc/grub.d/10_linux.dpkg-old 2019-12-27 00:58:08.047217825 +0100
+++ /etc/grub.d/10_linux 2021-11-29 01:10:09.000000000 +0100
@@ -31,7 +31,7 @@
export TEXTDOMAIN=grub
export TEXTDOMAINDIR="${datarootdir}/locale"