mirror of
https://src.fedoraproject.org/rpms/grub2.git
synced 2024-11-27 23:34:51 +00:00
7e98da058f
This change reorganizes and cleanups our patches to reduce the patch number from 314 patches to 187. That's achieved by dropping patches that are later reverted and squashing fixes for earlier patches that introduced features. There are no code changes and the diff with upstream is the same before and after the cleanup. Having fewer patches makes easier to manage the patchset and also will ease to rebase them on top of the latest grub-2.04 release. Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
283 lines
7.6 KiB
Diff
283 lines
7.6 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Robert Marshall <rmarshall@redhat.com>
|
|
Date: Thu, 25 Jun 2015 11:13:11 -0400
|
|
Subject: [PATCH] Add friendly grub2 password config tool (#985962)
|
|
|
|
Provided a tool for users to reset the grub2 root user password
|
|
without having to alter the grub.cfg. The hashed password now
|
|
lives in a root-only-readable configuration file.
|
|
|
|
Resolves: rhbz#985962
|
|
|
|
Signed-off-by: Robert Marshall <rmarshall@redhat.com>
|
|
[pjones: fix the efidir in grub-setpassword and rename tool]
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
[luto: fix grub-setpassword -o's output path]
|
|
Andy Lutomirski <luto@kernel.org>
|
|
---
|
|
configure.ac | 1 +
|
|
Makefile.util.def | 13 +++++
|
|
.gitignore | 2 +
|
|
util/grub-mkconfig.in | 2 +
|
|
util/grub-set-password.8 | 28 ++++++++++
|
|
util/grub-set-password.in | 128 ++++++++++++++++++++++++++++++++++++++++++++++
|
|
util/grub.d/01_users.in | 11 ++++
|
|
7 files changed, 185 insertions(+)
|
|
create mode 100644 util/grub-set-password.8
|
|
create mode 100644 util/grub-set-password.in
|
|
create mode 100644 util/grub.d/01_users.in
|
|
|
|
diff --git a/configure.ac b/configure.ac
|
|
index 00f1db29b1a..1cb6a9615db 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -65,6 +65,7 @@ grub_TRANSFORM([grub-mkrelpath])
|
|
grub_TRANSFORM([grub-mkrescue])
|
|
grub_TRANSFORM([grub-probe])
|
|
grub_TRANSFORM([grub-reboot])
|
|
+grub_TRANSFORM([grub-set-password])
|
|
grub_TRANSFORM([grub-rpm-sort])
|
|
grub_TRANSFORM([grub-script-check])
|
|
grub_TRANSFORM([grub-set-default])
|
|
diff --git a/Makefile.util.def b/Makefile.util.def
|
|
index bb21c87c8ed..7729e65c607 100644
|
|
--- a/Makefile.util.def
|
|
+++ b/Makefile.util.def
|
|
@@ -442,6 +442,12 @@ script = {
|
|
installdir = grubconf;
|
|
};
|
|
|
|
+script = {
|
|
+ name = '01_users';
|
|
+ common = util/grub.d/01_users.in;
|
|
+ installdir = grubconf;
|
|
+};
|
|
+
|
|
script = {
|
|
name = '10_windows';
|
|
common = util/grub.d/10_windows.in;
|
|
@@ -724,6 +730,13 @@ script = {
|
|
installdir = sbin;
|
|
};
|
|
|
|
+script = {
|
|
+ name = grub-set-password;
|
|
+ common = util/grub-set-password.in;
|
|
+ mansection = 8;
|
|
+ installdir = sbin;
|
|
+};
|
|
+
|
|
script = {
|
|
name = grub-mkconfig_lib;
|
|
common = util/grub-mkconfig_lib.in;
|
|
diff --git a/.gitignore b/.gitignore
|
|
index fa2e5b609b1..141684867d1 100644
|
|
--- a/.gitignore
|
|
+++ b/.gitignore
|
|
@@ -111,6 +111,8 @@ grub-*.tar.*
|
|
/grub*-script-check.1
|
|
/grub*-set-default
|
|
/grub*-set-default.8
|
|
+/grub*-set-password
|
|
+/grub*-set-password.8
|
|
/grub*-shell
|
|
/grub*-shell-tester
|
|
/grub*-sparc64-setup
|
|
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
|
|
index f68d4925ee6..bdb9982aefb 100644
|
|
--- a/util/grub-mkconfig.in
|
|
+++ b/util/grub-mkconfig.in
|
|
@@ -282,6 +282,8 @@ for i in "${grub_mkconfig_dir}"/* ; do
|
|
*~) ;;
|
|
# emacsen autosave files. FIXME: support other editors
|
|
*/\#*\#) ;;
|
|
+ # rpm config files of yore.
|
|
+ *.rpmsave|*.rpmnew|*.rpmorig) ;;
|
|
*)
|
|
if grub_file_is_not_garbage "$i" && test -x "$i" ; then
|
|
echo
|
|
diff --git a/util/grub-set-password.8 b/util/grub-set-password.8
|
|
new file mode 100644
|
|
index 00000000000..9646546e43d
|
|
--- /dev/null
|
|
+++ b/util/grub-set-password.8
|
|
@@ -0,0 +1,28 @@
|
|
+.TH GRUB-SET-PASSWORD 3 "Thu Jun 25 2015"
|
|
+.SH NAME
|
|
+\fBgrub-set-password\fR \(em Generate the user.cfg file containing the hashed grub bootloader password.
|
|
+
|
|
+.SH SYNOPSIS
|
|
+\fBgrub-set-password\fR [OPTION]
|
|
+
|
|
+.SH DESCRIPTION
|
|
+\fBgrub-set-password\fR outputs the user.cfg file which contains the hashed GRUB bootloader password. This utility only supports configurations where there is a single root user.
|
|
+
|
|
+The file has the format:
|
|
+GRUB2_PASSWORD=<\fIhashed password\fR>.
|
|
+
|
|
+.SH OPTIONS
|
|
+.TP
|
|
+-h, --help
|
|
+Display program usage and exit.
|
|
+.TP
|
|
+-v, --version
|
|
+Display the current version.
|
|
+.TP
|
|
+-o, --output=<\fIDIRECTORY\fR>
|
|
+Choose the file path to which user.cfg will be written.
|
|
+
|
|
+.SH SEE ALSO
|
|
+.BR "info grub"
|
|
+
|
|
+.BR "info grub2-mkpasswd-pbkdf2"
|
|
diff --git a/util/grub-set-password.in b/util/grub-set-password.in
|
|
new file mode 100644
|
|
index 00000000000..5ebf50576d6
|
|
--- /dev/null
|
|
+++ b/util/grub-set-password.in
|
|
@@ -0,0 +1,128 @@
|
|
+#!/bin/sh -e
|
|
+
|
|
+EFIDIR=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')
|
|
+if [ -d /sys/firmware/efi/efivars/ ]; then
|
|
+ grubdir=`echo "/@bootdirname@/efi/EFI/${EFIDIR}/" | sed 's,//*,/,g'`
|
|
+else
|
|
+ grubdir=`echo "/@bootdirname@/@grubdirname@" | sed 's,//*,/,g'`
|
|
+fi
|
|
+
|
|
+PACKAGE_VERSION="@PACKAGE_VERSION@"
|
|
+PACKAGE_NAME="@PACKAGE_NAME@"
|
|
+self=`basename $0`
|
|
+bindir="@bindir@"
|
|
+grub_mkpasswd="${bindir}/@grub_mkpasswd_pbkdf2@"
|
|
+
|
|
+# Usage: usage
|
|
+# Print the usage.
|
|
+usage () {
|
|
+ cat <<EOF
|
|
+Usage: $0 [OPTION]
|
|
+$0 prompts the user to set a password on the grub bootloader. The password
|
|
+is written to a file named user.cfg which lives in the GRUB directory
|
|
+located by default at ${grubdir}.
|
|
+
|
|
+ -h, --help print this message and exit
|
|
+ -v, --version print the version information and exit
|
|
+ -o, --output_path <DIRECTORY> put user.cfg in a user-selected directory
|
|
+
|
|
+Report bugs at https://bugzilla.redhat.com.
|
|
+EOF
|
|
+}
|
|
+
|
|
+argument () {
|
|
+ opt=$1
|
|
+ shift
|
|
+
|
|
+ if test $# -eq 0; then
|
|
+ gettext_printf "%s: option requires an argument -- \`%s'\n" "$self" "$opt" 1>&2
|
|
+ exit 1
|
|
+ fi
|
|
+ echo $1
|
|
+}
|
|
+
|
|
+# Ensure that it's the root user running this script
|
|
+if [ "${EUID}" -ne 0 ]; then
|
|
+ echo "The grub bootloader password may only be set by root."
|
|
+ usage
|
|
+ exit 2
|
|
+fi
|
|
+
|
|
+# Check the arguments.
|
|
+while test $# -gt 0
|
|
+do
|
|
+ option=$1
|
|
+ shift
|
|
+
|
|
+ case "$option" in
|
|
+ -h | --help)
|
|
+ usage
|
|
+ exit 0 ;;
|
|
+ -v | --version)
|
|
+ echo "$self (${PACKAGE_NAME}) ${PACKAGE_VERSION}"
|
|
+ exit 0 ;;
|
|
+ -o | --output)
|
|
+ OUTPUT_PATH=`argument $option "$@"`; shift ;;
|
|
+ --output=*)
|
|
+ OUTPUT_PATH=`echo "$option" | sed 's/--output=//'` ;;
|
|
+ -o=*)
|
|
+ OUTPUT_PATH=`echo "$option" | sed 's/-o=//'` ;;
|
|
+ esac
|
|
+done
|
|
+
|
|
+# set user input or default path for user.cfg file
|
|
+if [ -z "${OUTPUT_PATH}" ]; then
|
|
+ OUTPUT_PATH="${grubdir}"
|
|
+fi
|
|
+
|
|
+if [ ! -d "${OUTPUT_PATH}" ]; then
|
|
+ echo "${OUTPUT_PATH} does not exist."
|
|
+ usage
|
|
+ exit 2;
|
|
+fi
|
|
+
|
|
+ttyopt=$(stty -g)
|
|
+fixtty() {
|
|
+ stty ${ttyopt}
|
|
+}
|
|
+
|
|
+trap fixtty EXIT
|
|
+stty -echo
|
|
+
|
|
+# prompt & confirm new grub2 root user password
|
|
+echo -n "Enter password: "
|
|
+read PASSWORD
|
|
+echo
|
|
+echo -n "Confirm password: "
|
|
+read PASSWORD_CONFIRM
|
|
+echo
|
|
+stty ${ttyopt}
|
|
+
|
|
+getpass() {
|
|
+ local P0
|
|
+ local P1
|
|
+ P0="$1" && shift
|
|
+ P1="$1" && shift
|
|
+
|
|
+ ( echo ${P0} ; echo ${P1} ) | \
|
|
+ LC_ALL=C ${grub_mkpasswd} | \
|
|
+ grep -v '[eE]nter password:' | \
|
|
+ sed -e "s/PBKDF2 hash of your password is //"
|
|
+}
|
|
+
|
|
+MYPASS="$(getpass "${PASSWORD}" "${PASSWORD_CONFIRM}")"
|
|
+if [ -z "${MYPASS}" ]; then
|
|
+ echo "${self}: error: empty password" 1>&2
|
|
+ exit 1
|
|
+fi
|
|
+
|
|
+# on the ESP, these will fail to set the permissions, but it's okay because
|
|
+# the directory is protected.
|
|
+install -m 0600 /dev/null "${OUTPUT_PATH}/user.cfg" 2>/dev/null || :
|
|
+chmod 0600 "${OUTPUT_PATH}/user.cfg" 2>/dev/null || :
|
|
+echo "GRUB2_PASSWORD=${MYPASS}" > "${OUTPUT_PATH}/user.cfg"
|
|
+
|
|
+if ! grep -q "^### BEGIN /etc/grub.d/01_users ###$" "${OUTPUT_PATH}/grub.cfg"; then
|
|
+ echo "WARNING: The current configuration lacks password support!"
|
|
+ echo "Update your configuration with @grub_mkconfig@ to support this feature."
|
|
+fi
|
|
diff --git a/util/grub.d/01_users.in b/util/grub.d/01_users.in
|
|
new file mode 100644
|
|
index 00000000000..db2f44bfb78
|
|
--- /dev/null
|
|
+++ b/util/grub.d/01_users.in
|
|
@@ -0,0 +1,11 @@
|
|
+#!/bin/sh -e
|
|
+cat << EOF
|
|
+if [ -f \${prefix}/user.cfg ]; then
|
|
+ source \${prefix}/user.cfg
|
|
+ if [ -n "\${GRUB2_PASSWORD}" ]; then
|
|
+ set superusers="root"
|
|
+ export superusers
|
|
+ password_pbkdf2 root \${GRUB2_PASSWORD}
|
|
+ fi
|
|
+fi
|
|
+EOF
|