2018-07-12 14:56:34 +00:00
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2015-07-22 13:44:51 +00:00
From: Robert Marshall <rmarshall@redhat.com>
Date: Thu, 25 Jun 2015 11:13:11 -0400
2018-07-10 18:39:10 +00:00
Subject: [PATCH] Add friendly grub2 password config tool (#985962)
2015-07-22 13:44:51 +00:00
Provided a tool for users to reset the grub2 root user password
without having to alter the grub.cfg. The hashed password now
lives in a root-only-readable configuration file.
Resolves: rhbz#985962
2019-07-16 09:23:51 +00:00
Signed-off-by: Robert Marshall <rmarshall@redhat.com>
[pjones: fix the efidir in grub-setpassword and rename tool]
Signed-off-by: Peter Jones <pjones@redhat.com>
[luto: fix grub-setpassword -o's output path]
Andy Lutomirski <luto@kernel.org>
2015-07-22 13:44:51 +00:00
---
2019-07-16 09:23:51 +00:00
configure.ac | 1 +
Makefile.util.def | 13 +++++
util/grub-mkconfig.in | 2 +
util/grub-set-password.8 | 28 ++++++++++
util/grub-set-password.in | 128 ++++++++++++++++++++++++++++++++++++++++++++++
util/grub.d/01_users.in | 11 ++++
2019-08-15 06:01:31 +00:00
6 files changed, 183 insertions(+)
2019-07-16 09:23:51 +00:00
create mode 100644 util/grub-set-password.8
create mode 100644 util/grub-set-password.in
2015-07-22 13:44:51 +00:00
create mode 100644 util/grub.d/01_users.in
2018-02-27 18:56:41 +00:00
diff --git a/configure.ac b/configure.ac
2022-03-21 17:54:55 +00:00
index bec8535af70..22d289eacb9 100644
2018-02-27 18:56:41 +00:00
--- a/configure.ac
+++ b/configure.ac
2021-03-12 21:54:28 +00:00
@@ -72,6 +72,7 @@ grub_TRANSFORM([grub-mkrelpath])
2018-02-27 18:56:41 +00:00
grub_TRANSFORM([grub-mkrescue])
grub_TRANSFORM([grub-probe])
grub_TRANSFORM([grub-reboot])
2019-07-16 09:23:51 +00:00
+grub_TRANSFORM([grub-set-password])
2018-02-27 18:56:41 +00:00
grub_TRANSFORM([grub-script-check])
grub_TRANSFORM([grub-set-default])
2022-03-21 17:54:55 +00:00
grub_TRANSFORM([grub-sparc64-setup])
2015-07-22 13:44:51 +00:00
diff --git a/Makefile.util.def b/Makefile.util.def
2022-03-21 17:54:55 +00:00
index 2c9b283a230..4ee22c5daad 100644
2015-07-22 13:44:51 +00:00
--- a/Makefile.util.def
+++ b/Makefile.util.def
2021-03-12 21:54:28 +00:00
@@ -452,6 +452,12 @@ script = {
2018-01-17 20:40:19 +00:00
installdir = grubconf;
2015-07-22 13:44:51 +00:00
};
2018-01-17 20:40:19 +00:00
+script = {
2015-07-22 13:44:51 +00:00
+ name = '01_users';
+ common = util/grub.d/01_users.in;
+ installdir = grubconf;
+};
+
2018-01-17 20:40:19 +00:00
script = {
2015-07-22 13:44:51 +00:00
name = '10_windows';
common = util/grub.d/10_windows.in;
2022-03-21 17:54:55 +00:00
@@ -724,6 +730,13 @@ script = {
2018-01-17 20:40:19 +00:00
installdir = sbin;
2015-07-22 13:44:51 +00:00
};
2018-01-17 20:40:19 +00:00
+script = {
2019-07-16 09:23:51 +00:00
+ name = grub-set-password;
+ common = util/grub-set-password.in;
2015-07-22 13:44:51 +00:00
+ mansection = 8;
+ installdir = sbin;
+};
+
2018-01-17 20:40:19 +00:00
script = {
2015-07-22 13:44:51 +00:00
name = grub-mkconfig_lib;
common = util/grub-mkconfig_lib.in;
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
2021-06-14 08:48:27 +00:00
index 8ea2315ebc2..ba14cf6261c 100644
2015-07-22 13:44:51 +00:00
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
2021-06-14 08:48:27 +00:00
@@ -276,6 +276,8 @@ for i in "${grub_mkconfig_dir}"/* ; do
2015-07-22 13:44:51 +00:00
*~) ;;
# emacsen autosave files. FIXME: support other editors
*/\#*\#) ;;
+ # rpm config files of yore.
+ *.rpmsave|*.rpmnew|*.rpmorig) ;;
*)
if grub_file_is_not_garbage "$i" && test -x "$i" ; then
echo
2019-07-16 09:23:51 +00:00
diff --git a/util/grub-set-password.8 b/util/grub-set-password.8
2015-07-22 13:44:51 +00:00
new file mode 100644
2019-07-16 09:23:51 +00:00
index 00000000000..9646546e43d
2015-07-22 13:44:51 +00:00
--- /dev/null
2019-07-16 09:23:51 +00:00
+++ b/util/grub-set-password.8
2015-07-22 13:44:51 +00:00
@@ -0,0 +1,28 @@
2019-07-16 09:23:51 +00:00
+.TH GRUB-SET-PASSWORD 3 "Thu Jun 25 2015"
2015-07-22 13:44:51 +00:00
+.SH NAME
2019-07-16 09:23:51 +00:00
+\fBgrub-set-password\fR \(em Generate the user.cfg file containing the hashed grub bootloader password.
2015-07-22 13:44:51 +00:00
+
+.SH SYNOPSIS
2019-07-16 09:23:51 +00:00
+\fBgrub-set-password\fR [OPTION]
2015-07-22 13:44:51 +00:00
+
+.SH DESCRIPTION
2019-07-16 09:23:51 +00:00
+\fBgrub-set-password\fR outputs the user.cfg file which contains the hashed GRUB bootloader password. This utility only supports configurations where there is a single root user.
2015-07-22 13:44:51 +00:00
+
+The file has the format:
2016-08-25 18:42:57 +00:00
+GRUB2_PASSWORD=<\fIhashed password\fR>.
2015-07-22 13:44:51 +00:00
+
+.SH OPTIONS
+.TP
+-h, --help
+Display program usage and exit.
+.TP
+-v, --version
+Display the current version.
+.TP
2019-07-16 09:23:51 +00:00
+-o, --output=<\fIDIRECTORY\fR>
2015-07-22 13:44:51 +00:00
+Choose the file path to which user.cfg will be written.
+
+.SH SEE ALSO
+.BR "info grub"
+
+.BR "info grub2-mkpasswd-pbkdf2"
2019-07-16 09:23:51 +00:00
diff --git a/util/grub-set-password.in b/util/grub-set-password.in
2015-07-22 13:44:51 +00:00
new file mode 100644
2019-07-16 09:23:51 +00:00
index 00000000000..5ebf50576d6
2015-07-22 13:44:51 +00:00
--- /dev/null
2019-07-16 09:23:51 +00:00
+++ b/util/grub-set-password.in
@@ -0,0 +1,128 @@
2015-07-22 13:44:51 +00:00
+#!/bin/sh -e
+
2019-07-16 09:23:51 +00:00
+EFIDIR=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')
2015-07-22 13:44:51 +00:00
+if [ -d /sys/firmware/efi/efivars/ ]; then
2019-07-16 09:23:51 +00:00
+ grubdir=`echo "/@bootdirname@/efi/EFI/${EFIDIR}/" | sed 's,//*,/,g'`
2015-07-22 13:44:51 +00:00
+else
+ grubdir=`echo "/@bootdirname@/@grubdirname@" | sed 's,//*,/,g'`
+fi
+
+PACKAGE_VERSION="@PACKAGE_VERSION@"
+PACKAGE_NAME="@PACKAGE_NAME@"
+self=`basename $0`
+bindir="@bindir@"
+grub_mkpasswd="${bindir}/@grub_mkpasswd_pbkdf2@"
+
+# Usage: usage
+# Print the usage.
+usage () {
+ cat <<EOF
2019-07-16 09:23:51 +00:00
+Usage: $0 [OPTION]
2015-07-22 13:44:51 +00:00
+$0 prompts the user to set a password on the grub bootloader. The password
2019-07-16 09:23:51 +00:00
+is written to a file named user.cfg which lives in the GRUB directory
+located by default at ${grubdir}.
+
+ -h, --help print this message and exit
+ -v, --version print the version information and exit
+ -o, --output_path <DIRECTORY> put user.cfg in a user-selected directory
2015-07-22 13:44:51 +00:00
+
+Report bugs at https://bugzilla.redhat.com.
+EOF
+}
+
+argument () {
+ opt=$1
+ shift
+
+ if test $# -eq 0; then
+ gettext_printf "%s: option requires an argument -- \`%s'\n" "$self" "$opt" 1>&2
+ exit 1
+ fi
+ echo $1
+}
+
+# Ensure that it's the root user running this script
+if [ "${EUID}" -ne 0 ]; then
+ echo "The grub bootloader password may only be set by root."
+ usage
+ exit 2
+fi
+
+# Check the arguments.
+while test $# -gt 0
+do
+ option=$1
+ shift
+
+ case "$option" in
+ -h | --help)
+ usage
+ exit 0 ;;
+ -v | --version)
+ echo "$self (${PACKAGE_NAME}) ${PACKAGE_VERSION}"
+ exit 0 ;;
+ -o | --output)
+ OUTPUT_PATH=`argument $option "$@"`; shift ;;
+ --output=*)
+ OUTPUT_PATH=`echo "$option" | sed 's/--output=//'` ;;
+ -o=*)
+ OUTPUT_PATH=`echo "$option" | sed 's/-o=//'` ;;
+ esac
+done
+
+# set user input or default path for user.cfg file
+if [ -z "${OUTPUT_PATH}" ]; then
+ OUTPUT_PATH="${grubdir}"
+fi
+
+if [ ! -d "${OUTPUT_PATH}" ]; then
+ echo "${OUTPUT_PATH} does not exist."
+ usage
+ exit 2;
+fi
+
+ttyopt=$(stty -g)
+fixtty() {
+ stty ${ttyopt}
+}
+
+trap fixtty EXIT
+stty -echo
+
+# prompt & confirm new grub2 root user password
+echo -n "Enter password: "
+read PASSWORD
+echo
+echo -n "Confirm password: "
+read PASSWORD_CONFIRM
+echo
+stty ${ttyopt}
+
+getpass() {
+ local P0
+ local P1
+ P0="$1" && shift
+ P1="$1" && shift
+
+ ( echo ${P0} ; echo ${P1} ) | \
2019-07-16 09:23:51 +00:00
+ LC_ALL=C ${grub_mkpasswd} | \
2015-07-22 13:44:51 +00:00
+ grep -v '[eE]nter password:' | \
+ sed -e "s/PBKDF2 hash of your password is //"
+}
+
+MYPASS="$(getpass "${PASSWORD}" "${PASSWORD_CONFIRM}")"
+if [ -z "${MYPASS}" ]; then
+ echo "${self}: error: empty password" 1>&2
+ exit 1
+fi
+
+# on the ESP, these will fail to set the permissions, but it's okay because
+# the directory is protected.
2019-07-16 09:23:51 +00:00
+install -m 0600 /dev/null "${OUTPUT_PATH}/user.cfg" 2>/dev/null || :
+chmod 0600 "${OUTPUT_PATH}/user.cfg" 2>/dev/null || :
+echo "GRUB2_PASSWORD=${MYPASS}" > "${OUTPUT_PATH}/user.cfg"
+
+if ! grep -q "^### BEGIN /etc/grub.d/01_users ###$" "${OUTPUT_PATH}/grub.cfg"; then
+ echo "WARNING: The current configuration lacks password support!"
+ echo "Update your configuration with @grub_mkconfig@ to support this feature."
+fi
2015-07-22 13:44:51 +00:00
diff --git a/util/grub.d/01_users.in b/util/grub.d/01_users.in
new file mode 100644
2018-02-27 18:56:41 +00:00
index 00000000000..db2f44bfb78
2015-07-22 13:44:51 +00:00
--- /dev/null
+++ b/util/grub.d/01_users.in
@@ -0,0 +1,11 @@
+#!/bin/sh -e
+cat << EOF
+if [ -f \${prefix}/user.cfg ]; then
+ source \${prefix}/user.cfg
2016-08-25 18:42:57 +00:00
+ if [ -n "\${GRUB2_PASSWORD}" ]; then
2015-07-22 13:44:51 +00:00
+ set superusers="root"
+ export superusers
+ password_pbkdf2 root \${GRUB2_PASSWORD}
+ fi
+fi
+EOF