diff options
author | Thierry Vignaud <thierry.vignaud@gmail.com> | 2016-06-21 17:21:13 +0200 |
---|---|---|
committer | Thierry Vignaud <thierry.vignaud@gmail.com> | 2016-06-21 18:06:07 +0200 |
commit | 9bb701c386fcb05068c4c02b372e0c0b754995b3 (patch) | |
tree | a967938ccd171dc31deaa012937f2c49ea66dd87 /perl-install/bootloader.pm | |
parent | f862804fbc80451f4f93cd292b219fbab1d52b53 (diff) | |
download | drakx-9bb701c386fcb05068c4c02b372e0c0b754995b3.tar drakx-9bb701c386fcb05068c4c02b372e0c0b754995b3.tar.gz drakx-9bb701c386fcb05068c4c02b372e0c0b754995b3.tar.bz2 drakx-9bb701c386fcb05068c4c02b372e0c0b754995b3.tar.xz drakx-9bb701c386fcb05068c4c02b372e0c0b754995b3.zip |
grub2: enable to protect with a password
thus restricting altering the config on boot (mga#15930)
Diffstat (limited to 'perl-install/bootloader.pm')
-rw-r--r-- | perl-install/bootloader.pm | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/perl-install/bootloader.pm b/perl-install/bootloader.pm index 60c3f01f1..f32d6292c 100644 --- a/perl-install/bootloader.pm +++ b/perl-install/bootloader.pm @@ -284,6 +284,18 @@ sub read_ { return $bootloader; } + +=item is_grub2_already_crypted($password) + +Returns whether grub2 password is already encrypted or not + +=cut + +sub is_grub2_already_crypted { + my ($password) = @_; + $password =~ /grub.pbkdf2.sha512/; +} + =item read_grub2 ($o_fstab) Read back GRUB2 config + C</boot/grub2/drakboot.conf> @@ -326,6 +338,16 @@ sub read_grub2() { $bootloader{default} = $1 if /saved_entry=(.*)/; } + # Get password prior to run update-grub2: + my $pw_f = get_grub2_users(); + if (-e $pw_f) { + foreach (cat_($pw_f)) { + if (/password_pbkdf2 root (.*)/) { + $bootloader{password} = $1; + } + } + } + $bootloader{method} = cat_($f) =~ /set theme=.*maggy/ ? 'grub2-graphic' : 'grub2'; \%bootloader; } @@ -1801,10 +1823,48 @@ sub get_grub2_append { $append; } +sub crypt_grub2_password { + my ($password) = @_; + require IPC::Open2; + local $ENV{LC_ALL} = 'C'; + my ($his_out, $his_in); + my $pid = IPC::Open2::open2($his_out, $his_in, "$::prefix/bin/grub2-mkpasswd-pbkdf2"); + + my ($line, $res); + while (sysread($his_out, $line, 100)) { + if ($line =~ /enter.*password:/i) { + syswrite($his_in, "$password\n"); + } else { + chomp($line); + $res .= $line if $line; + } + } + $res =~ s/^PBKDF2 hash of your password is //; + waitpid($pid, 0); + my $status = $? >> 8; + die "failed to encrypt password (status=$status)" if $status != 0; + chomp_($res); +} + sub write_grub2 { my ($bootloader, $_all_hds, $o_backup_extension) = @_; my $error; + # Set password prior to run update-grub2: + my $pw_f = get_grub2_users(); + if ($bootloader->{password}) { + if (!is_grub2_already_crypted($bootloader->{password})) { + $bootloader->{password} = crypt_grub2_password($bootloader->{password}); + } + + output_with_perm($pw_f, 0755, qq(cat <<EOF +set superusers="root" +password_pbkdf2 root $bootloader->{password} +EOF)); + } else { + rm_rf($pw_f); + } + my $f = "$::prefix/etc/default/grub"; my %conf = getVarsFromSh($f); @@ -1837,6 +1897,10 @@ sub write_grub2 { check_enough_space(); } +sub get_grub2_users() { + "$::prefix/etc/grub.d/01_drakx_users"; +} + sub get_grub2_install_sh() { "$::prefix/boot/grub2/install.sh"; } |