grub2/0060-Add-friendly-grub2-password-config-tool-985962.patch
Javier Martinez Canillas e1531466e1
Update to grub 2.04
This change updates grub to the 2.04 release. The new release changed how
grub is built, so the bootstrap and bootstrap.conf files have to be added
to the dist-git. Also, the gitignore file changed so it has to be updated.

Since the patches have been forward ported to 2.04, there's no need for a
logic to maintain a patch with the delta between the release and the grub
master branch. So the release-to-master.patch is dropped and no longer is
updated by the do-rebase script.

Also since gnulib isn't part of the grub repository anymore and cloned by
the boostrap tool, a gnulib tarball is included as other source file and
copied before calling the bootstrap tool. That way grub can be built even
in builders that only have access to the sources lookaside cache.

Resolves: rhbz#1727279

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-08-15 08:04:53 +02:00

270 lines
7.3 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robert Marshall <rmarshall@redhat.com>
Date: Thu, 25 Jun 2015 11:13:11 -0400
Subject: [PATCH] Add friendly grub2 password config tool (#985962)
Provided a tool for users to reset the grub2 root user password
without having to alter the grub.cfg. The hashed password now
lives in a root-only-readable configuration file.
Resolves: rhbz#985962
Signed-off-by: Robert Marshall <rmarshall@redhat.com>
[pjones: fix the efidir in grub-setpassword and rename tool]
Signed-off-by: Peter Jones <pjones@redhat.com>
[luto: fix grub-setpassword -o's output path]
Andy Lutomirski <luto@kernel.org>
---
configure.ac | 1 +
Makefile.util.def | 13 +++++
util/grub-mkconfig.in | 2 +
util/grub-set-password.8 | 28 ++++++++++
util/grub-set-password.in | 128 ++++++++++++++++++++++++++++++++++++++++++++++
util/grub.d/01_users.in | 11 ++++
6 files changed, 183 insertions(+)
create mode 100644 util/grub-set-password.8
create mode 100644 util/grub-set-password.in
create mode 100644 util/grub.d/01_users.in
diff --git a/configure.ac b/configure.ac
index 6927615819b..68501662e8d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -69,6 +69,7 @@ grub_TRANSFORM([grub-mkrelpath])
grub_TRANSFORM([grub-mkrescue])
grub_TRANSFORM([grub-probe])
grub_TRANSFORM([grub-reboot])
+grub_TRANSFORM([grub-set-password])
grub_TRANSFORM([grub-rpm-sort])
grub_TRANSFORM([grub-script-check])
grub_TRANSFORM([grub-set-default])
diff --git a/Makefile.util.def b/Makefile.util.def
index 843ce092b94..e50436a4987 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -451,6 +451,12 @@ script = {
installdir = grubconf;
};
+script = {
+ name = '01_users';
+ common = util/grub.d/01_users.in;
+ installdir = grubconf;
+};
+
script = {
name = '10_windows';
common = util/grub.d/10_windows.in;
@@ -733,6 +739,13 @@ script = {
installdir = sbin;
};
+script = {
+ name = grub-set-password;
+ common = util/grub-set-password.in;
+ mansection = 8;
+ installdir = sbin;
+};
+
script = {
name = grub-mkconfig_lib;
common = util/grub-mkconfig_lib.in;
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index c645351dd2a..4e7a875309e 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -282,6 +282,8 @@ for i in "${grub_mkconfig_dir}"/* ; do
*~) ;;
# emacsen autosave files. FIXME: support other editors
*/\#*\#) ;;
+ # rpm config files of yore.
+ *.rpmsave|*.rpmnew|*.rpmorig) ;;
*)
if grub_file_is_not_garbage "$i" && test -x "$i" ; then
echo
diff --git a/util/grub-set-password.8 b/util/grub-set-password.8
new file mode 100644
index 00000000000..9646546e43d
--- /dev/null
+++ b/util/grub-set-password.8
@@ -0,0 +1,28 @@
+.TH GRUB-SET-PASSWORD 3 "Thu Jun 25 2015"
+.SH NAME
+\fBgrub-set-password\fR \(em Generate the user.cfg file containing the hashed grub bootloader password.
+
+.SH SYNOPSIS
+\fBgrub-set-password\fR [OPTION]
+
+.SH DESCRIPTION
+\fBgrub-set-password\fR outputs the user.cfg file which contains the hashed GRUB bootloader password. This utility only supports configurations where there is a single root user.
+
+The file has the format:
+GRUB2_PASSWORD=<\fIhashed password\fR>.
+
+.SH OPTIONS
+.TP
+-h, --help
+Display program usage and exit.
+.TP
+-v, --version
+Display the current version.
+.TP
+-o, --output=<\fIDIRECTORY\fR>
+Choose the file path to which user.cfg will be written.
+
+.SH SEE ALSO
+.BR "info grub"
+
+.BR "info grub2-mkpasswd-pbkdf2"
diff --git a/util/grub-set-password.in b/util/grub-set-password.in
new file mode 100644
index 00000000000..5ebf50576d6
--- /dev/null
+++ b/util/grub-set-password.in
@@ -0,0 +1,128 @@
+#!/bin/sh -e
+
+EFIDIR=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')
+if [ -d /sys/firmware/efi/efivars/ ]; then
+ grubdir=`echo "/@bootdirname@/efi/EFI/${EFIDIR}/" | sed 's,//*,/,g'`
+else
+ grubdir=`echo "/@bootdirname@/@grubdirname@" | sed 's,//*,/,g'`
+fi
+
+PACKAGE_VERSION="@PACKAGE_VERSION@"
+PACKAGE_NAME="@PACKAGE_NAME@"
+self=`basename $0`
+bindir="@bindir@"
+grub_mkpasswd="${bindir}/@grub_mkpasswd_pbkdf2@"
+
+# Usage: usage
+# Print the usage.
+usage () {
+ cat <<EOF
+Usage: $0 [OPTION]
+$0 prompts the user to set a password on the grub bootloader. The password
+is written to a file named user.cfg which lives in the GRUB directory
+located by default at ${grubdir}.
+
+ -h, --help print this message and exit
+ -v, --version print the version information and exit
+ -o, --output_path <DIRECTORY> put user.cfg in a user-selected directory
+
+Report bugs at https://bugzilla.redhat.com.
+EOF
+}
+
+argument () {
+ opt=$1
+ shift
+
+ if test $# -eq 0; then
+ gettext_printf "%s: option requires an argument -- \`%s'\n" "$self" "$opt" 1>&2
+ exit 1
+ fi
+ echo $1
+}
+
+# Ensure that it's the root user running this script
+if [ "${EUID}" -ne 0 ]; then
+ echo "The grub bootloader password may only be set by root."
+ usage
+ exit 2
+fi
+
+# Check the arguments.
+while test $# -gt 0
+do
+ option=$1
+ shift
+
+ case "$option" in
+ -h | --help)
+ usage
+ exit 0 ;;
+ -v | --version)
+ echo "$self (${PACKAGE_NAME}) ${PACKAGE_VERSION}"
+ exit 0 ;;
+ -o | --output)
+ OUTPUT_PATH=`argument $option "$@"`; shift ;;
+ --output=*)
+ OUTPUT_PATH=`echo "$option" | sed 's/--output=//'` ;;
+ -o=*)
+ OUTPUT_PATH=`echo "$option" | sed 's/-o=//'` ;;
+ esac
+done
+
+# set user input or default path for user.cfg file
+if [ -z "${OUTPUT_PATH}" ]; then
+ OUTPUT_PATH="${grubdir}"
+fi
+
+if [ ! -d "${OUTPUT_PATH}" ]; then
+ echo "${OUTPUT_PATH} does not exist."
+ usage
+ exit 2;
+fi
+
+ttyopt=$(stty -g)
+fixtty() {
+ stty ${ttyopt}
+}
+
+trap fixtty EXIT
+stty -echo
+
+# prompt & confirm new grub2 root user password
+echo -n "Enter password: "
+read PASSWORD
+echo
+echo -n "Confirm password: "
+read PASSWORD_CONFIRM
+echo
+stty ${ttyopt}
+
+getpass() {
+ local P0
+ local P1
+ P0="$1" && shift
+ P1="$1" && shift
+
+ ( echo ${P0} ; echo ${P1} ) | \
+ LC_ALL=C ${grub_mkpasswd} | \
+ grep -v '[eE]nter password:' | \
+ sed -e "s/PBKDF2 hash of your password is //"
+}
+
+MYPASS="$(getpass "${PASSWORD}" "${PASSWORD_CONFIRM}")"
+if [ -z "${MYPASS}" ]; then
+ echo "${self}: error: empty password" 1>&2
+ exit 1
+fi
+
+# on the ESP, these will fail to set the permissions, but it's okay because
+# the directory is protected.
+install -m 0600 /dev/null "${OUTPUT_PATH}/user.cfg" 2>/dev/null || :
+chmod 0600 "${OUTPUT_PATH}/user.cfg" 2>/dev/null || :
+echo "GRUB2_PASSWORD=${MYPASS}" > "${OUTPUT_PATH}/user.cfg"
+
+if ! grep -q "^### BEGIN /etc/grub.d/01_users ###$" "${OUTPUT_PATH}/grub.cfg"; then
+ echo "WARNING: The current configuration lacks password support!"
+ echo "Update your configuration with @grub_mkconfig@ to support this feature."
+fi
diff --git a/util/grub.d/01_users.in b/util/grub.d/01_users.in
new file mode 100644
index 00000000000..db2f44bfb78
--- /dev/null
+++ b/util/grub.d/01_users.in
@@ -0,0 +1,11 @@
+#!/bin/sh -e
+cat << EOF
+if [ -f \${prefix}/user.cfg ]; then
+ source \${prefix}/user.cfg
+ if [ -n "\${GRUB2_PASSWORD}" ]; then
+ set superusers="root"
+ export superusers
+ password_pbkdf2 root \${GRUB2_PASSWORD}
+ fi
+fi
+EOF