From 9bb701c386fcb05068c4c02b372e0c0b754995b3 Mon Sep 17 00:00:00 2001
From: Thierry Vignaud
Date: Tue, 21 Jun 2016 17:21:13 +0200
Subject: grub2: enable to protect with a password thus restricting altering the config on boot (mga#15930)

---
 perl-install/NEWS | 3 +++
 perl-install/bootloader.pm | 64 ++++++++++++++++++++++++++++++++++++++++++++++
 perl-install/install/NEWS | 3 +++
 3 files changed, 70 insertions(+)

diff --git a/perl-install/NEWS b/perl-install/NEWS
index 33206a3d0..3e6e30714 100644
--- a/perl-install/NEWS
+++ b/perl-install/NEWS
@@ -1,3 +1,6 @@
+- drakboot:
+ o add support for crypted grub passwords
+
 Version 17.41 - 20 June 2016
 - drakboot:
diff --git a/perl-install/bootloader.pm b/perl-install/bootloader.pm
index 60c3f01f1..f32d6292c 100644
--- a/perl-install/bootloader.pm
+++ b/perl-install/bootloader.pm
@@ -284,6 +284,18 @@ sub read_ {
 return $bootloader;
 }
 
+
+=item is_grub2_already_crypted($password)
+
+Returns whether grub2 password is already encrypted or not
+
+=cut
+
+sub is_grub2_already_crypted {
+ my ($password) = @_;
+ $password =~ /grub.pbkdf2.sha512/;
+}
+
 =item read_grub2 ($o_fstab)
 
 Read back GRUB2 config + C
@@ -326,6 +338,16 @@ sub read_grub2() {
 $bootloader{default} = $1 if /saved_entry=(.*)/;
 }
 
+ # Get password prior to run update-grub2:
+ my $pw_f = get_grub2_users();
+ if (-e $pw_f) {
+ foreach (cat_($pw_f)) {
+ if (/password_pbkdf2 root (.*)/) {
+ $bootloader{password} = $1;
+ }
+ }
+ }
+
 $bootloader{method} = cat_($f) =~ /set theme=.*maggy/ ? 'grub2-graphic' : 'grub2';
 \%bootloader;
 }
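Review bot: `$password =~ /grub.pbkdf2.sha512/` in is_grub2_already_crypted is unanchored and its dots are wildcards, so a cleartext password that merely contains that substring is classified as already hashed and the write side of this patch then stores it verbatim instead of hashing it; match the hash prefix only: `return $password =~ /\Agrub\.pbkdf2\.sha512\./;`. The POD wording "encrypted" is also inaccurate for a PBKDF2 hash; `Returns true if $password is already a grub.pbkdf2.sha512 hash` describes the check better.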
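Review bot: The `/password_pbkdf2 root (.*)/` match in read_grub2 is unanchored, so a commented-out or indented line in the users file would also be picked up, and `(.*)` keeps any trailing whitespace in the captured hash; anchoring and stopping at the first hit is safer: `if (/^password_pbkdf2 root (\S+)/) { $bootloader{password} = $1; last }`. The superuser name `root` is hard-coded here and again on the write side of this patch, which is worth a shared constant so the two cannot drift. read_grub2 starts before this hunk.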
@@ -1801,10 +1823,48 @@ sub get_grub2_append {
 $append;
 }
 
+sub crypt_grub2_password {
+ my ($password) = @_;
+ require IPC::Open2;
+ local $ENV{LC_ALL} = 'C';
+ my ($his_out, $his_in);
+ my $pid = IPC::Open2::open2($his_out, $his_in, "$::prefix/bin/grub2-mkpasswd-pbkdf2");
+
+ my ($line, $res);
+ while (sysread($his_out, $line, 100)) {
+ if ($line =~ /enter.*password:/i) {
+ syswrite($his_in, "$password\n");
+ } else {
+ chomp($line);
+ $res .= $line if $line;
+ }
+ }
+ $res =~ s/^PBKDF2 hash of your password is //;
+ waitpid($pid, 0);
+ my $status = $? >> 8;
+ die "failed to encrypt password (status=$status)" if $status != 0;
+ chomp_($res);
+}
+
 sub write_grub2 {
 my ($bootloader, $_all_hds, $o_backup_extension) = @_;
 my $error;
 
+ # Set password prior to run update-grub2:
+ my $pw_f = get_grub2_users();
+ if ($bootloader->{password}) {
+ if (!is_grub2_already_crypted($bootloader->{password})) {
+ $bootloader->{password} = crypt_grub2_password($bootloader->{password});
+ }
+
+ output_with_perm($pw_f, 0755, qq(cat <{password}
+EOF));
+ } else {
+ rm_rf($pw_f);
+ }
+
 my $f = "$::prefix/etc/default/grub";
 my %conf = getVarsFromSh($f);
@@ -1837,6 +1897,10 @@ sub write_grub2 {
 check_enough_space();
 }
 
+sub get_grub2_users() {
+ "$::prefix/etc/grub.d/01_drakx_users";
+}
+
 sub get_grub2_install_sh() {
 "$::prefix/boot/grub2/install.sh";
 }
diff --git a/perl-install/install/NEWS b/perl-install/install/NEWS
index 94e03396b..c3c8941a3 100644
--- a/perl-install/install/NEWS
+++ b/perl-install/install/NEWS
@@ -1,3 +1,6 @@
+- bootloader configuration:
+ o add support for crypted grub passwords
+
 Version 17.41 - 20 June 2016
 - bootloader:
-- 
cgit v1.2.1
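Review bot: output_with_perm writes the generated `01_drakx_users` script with mode 0755, which makes the PBKDF2 hash readable by every local user; the hash is not the cleartext but it is offline-crackable, and grub2-mkconfig runs the script as root, so 0700 is sufficient: `output_with_perm($pw_f, 0700, qq(cat <<EOF`. In crypt_grub2_password the captured output is returned without checking that it is a hash: `$res` starts undefined, the `^PBKDF2 hash of your password is ` strip only works if that text begins the first non-prompt chunk of the 100-byte `sysread` loop (a leading newline from the tool, not verifiable from this page, would make it silently fail), and a zero exit status is then taken as success, so add `die "unexpected grub2-mkpasswd-pbkdf2 output" unless defined $res && $res =~ /\Agrub\.pbkdf2\.sha512\./;` before the final `chomp_($res)`, since whatever is returned is interpolated into that root-executed script. `$his_in` is also never closed before `waitpid`. The heredoc body passed to output_with_perm is not fully legible on this page, and write_grub2 continues outside the hunk.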