summaryrefslogtreecommitdiffstats
path: root/perl-install/bootloader.pm
diff options
context:
space:
mode:
authorThierry Vignaud <thierry.vignaud@gmail.com>2016-06-21 17:21:13 +0200
committerThierry Vignaud <thierry.vignaud@gmail.com>2016-06-21 18:06:07 +0200
commit9bb701c386fcb05068c4c02b372e0c0b754995b3 (patch)
treea967938ccd171dc31deaa012937f2c49ea66dd87 /perl-install/bootloader.pm
parentf862804fbc80451f4f93cd292b219fbab1d52b53 (diff)
downloaddrakx-9bb701c386fcb05068c4c02b372e0c0b754995b3.tar
drakx-9bb701c386fcb05068c4c02b372e0c0b754995b3.tar.gz
drakx-9bb701c386fcb05068c4c02b372e0c0b754995b3.tar.bz2
drakx-9bb701c386fcb05068c4c02b372e0c0b754995b3.tar.xz
drakx-9bb701c386fcb05068c4c02b372e0c0b754995b3.zip
grub2: enable to protect with a password
thus restricting altering the config on boot (mga#15930)
Diffstat (limited to 'perl-install/bootloader.pm')
-rw-r--r--perl-install/bootloader.pm64
1 files changed, 64 insertions, 0 deletions
diff --git a/perl-install/bootloader.pm b/perl-install/bootloader.pm
index 60c3f01f1..f32d6292c 100644
--- a/perl-install/bootloader.pm
+++ b/perl-install/bootloader.pm
@@ -284,6 +284,18 @@ sub read_ {
return $bootloader;
}
+
+=item is_grub2_already_crypted($password)
+
+Returns whether grub2 password is already encrypted or not
+
+=cut
+
+sub is_grub2_already_crypted {
+ my ($password) = @_;
+ $password =~ /grub.pbkdf2.sha512/;
+}
+
=item read_grub2 ($o_fstab)
Read back GRUB2 config + C</boot/grub2/drakboot.conf>
@@ -326,6 +338,16 @@ sub read_grub2() {
$bootloader{default} = $1 if /saved_entry=(.*)/;
}
+ # Get password prior to run update-grub2:
+ my $pw_f = get_grub2_users();
+ if (-e $pw_f) {
+ foreach (cat_($pw_f)) {
+ if (/password_pbkdf2 root (.*)/) {
+ $bootloader{password} = $1;
+ }
+ }
+ }
+
$bootloader{method} = cat_($f) =~ /set theme=.*maggy/ ? 'grub2-graphic' : 'grub2';
\%bootloader;
}
@@ -1801,10 +1823,48 @@ sub get_grub2_append {
$append;
}
+sub crypt_grub2_password {
+ my ($password) = @_;
+ require IPC::Open2;
+ local $ENV{LC_ALL} = 'C';
+ my ($his_out, $his_in);
+ my $pid = IPC::Open2::open2($his_out, $his_in, "$::prefix/bin/grub2-mkpasswd-pbkdf2");
+
+ my ($line, $res);
+ while (sysread($his_out, $line, 100)) {
+ if ($line =~ /enter.*password:/i) {
+ syswrite($his_in, "$password\n");
+ } else {
+ chomp($line);
+ $res .= $line if $line;
+ }
+ }
+ $res =~ s/^PBKDF2 hash of your password is //;
+ waitpid($pid, 0);
+ my $status = $? >> 8;
+ die "failed to encrypt password (status=$status)" if $status != 0;
+ chomp_($res);
+}
+
sub write_grub2 {
my ($bootloader, $_all_hds, $o_backup_extension) = @_;
my $error;
+ # Set password prior to run update-grub2:
+ my $pw_f = get_grub2_users();
+ if ($bootloader->{password}) {
+ if (!is_grub2_already_crypted($bootloader->{password})) {
+ $bootloader->{password} = crypt_grub2_password($bootloader->{password});
+ }
+
+ output_with_perm($pw_f, 0755, qq(cat <<EOF
+set superusers="root"
+password_pbkdf2 root $bootloader->{password}
+EOF));
+ } else {
+ rm_rf($pw_f);
+ }
+
my $f = "$::prefix/etc/default/grub";
my %conf = getVarsFromSh($f);
@@ -1837,6 +1897,10 @@ sub write_grub2 {
check_enough_space();
}
+sub get_grub2_users() {
+ "$::prefix/etc/grub.d/01_drakx_users";
+}
+
sub get_grub2_install_sh() {
"$::prefix/boot/grub2/install.sh";
}