From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Robert Marshall <rmarshall@redhat.com> Date: Thu, 25 Jun 2015 11:13:11 -0400 Subject: [PATCH] Add friendly grub2 password config tool (#985962) Provided a tool for users to reset the grub2 root user password without having to alter the grub.cfg. The hashed password now lives in a root-only-readable configuration file. Resolves: rhbz#985962 --- configure.ac | 1 + Makefile.util.def | 13 +++++ .gitignore | 2 + util/grub-mkconfig.in | 2 + util/grub-setpassword.8 | 28 +++++++++++ util/grub-setpassword.in | 123 +++++++++++++++++++++++++++++++++++++++++++++++ util/grub.d/01_users.in | 11 +++++ 7 files changed, 180 insertions(+) create mode 100644 util/grub-setpassword.8 create mode 100644 util/grub-setpassword.in create mode 100644 util/grub.d/01_users.in diff --git a/configure.ac b/configure.ac index 056df1cbaf9..679f634ce4c 100644 --- a/configure.ac +++ b/configure.ac @@ -65,6 +65,7 @@ grub_TRANSFORM([grub-mkrelpath]) grub_TRANSFORM([grub-mkrescue]) grub_TRANSFORM([grub-probe]) grub_TRANSFORM([grub-reboot]) +grub_TRANSFORM([grub-setpassword]) grub_TRANSFORM([grub-rpm-sort]) grub_TRANSFORM([grub-script-check]) grub_TRANSFORM([grub-set-default]) diff --git a/Makefile.util.def b/Makefile.util.def index 406d96861b6..fd91045bd6d 100644 --- a/Makefile.util.def +++ b/Makefile.util.def @@ -440,6 +440,12 @@ script = { installdir = grubconf; }; +script = { + name = '01_users'; + common = util/grub.d/01_users.in; + installdir = grubconf; +}; + script = { name = '10_windows'; common = util/grub.d/10_windows.in; @@ -722,6 +728,13 @@ script = { installdir = sbin; }; +script = { + name = grub-setpassword; + common = util/grub-setpassword.in; + mansection = 8; + installdir = sbin; +}; + script = { name = grub-mkconfig_lib; common = util/grub-mkconfig_lib.in; diff --git a/.gitignore b/.gitignore index fa2e5b609b1..5066689bc0a 100644 --- a/.gitignore +++ b/.gitignore @@ -111,6 +111,8 @@ grub-*.tar.* /grub*-script-check.1 /grub*-set-default /grub*-set-default.8 +/grub*-setsetpassword +/grub*-setsetpassword.8 /grub*-shell /grub*-shell-tester /grub*-sparc64-setup diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in index f68d4925ee6..bdb9982aefb 100644 --- a/util/grub-mkconfig.in +++ b/util/grub-mkconfig.in @@ -282,6 +282,8 @@ for i in "${grub_mkconfig_dir}"/* ; do *~) ;; # emacsen autosave files. FIXME: support other editors */\#*\#) ;; + # rpm config files of yore. + *.rpmsave|*.rpmnew|*.rpmorig) ;; *) if grub_file_is_not_garbage "$i" && test -x "$i" ; then echo diff --git a/util/grub-setpassword.8 b/util/grub-setpassword.8 new file mode 100644 index 00000000000..49200a848b7 --- /dev/null +++ b/util/grub-setpassword.8 @@ -0,0 +1,28 @@ +.TH GRUB-SETPASSWORD 3 "Thu Jun 25 2015" +.SH NAME +\fBgrub-setpassword\fR \(em Generate the user.cfg file containing the hashed grub bootloader password. + +.SH SYNOPSIS +\fBgrub-setpassword\fR [OPTION] + +.SH DESCRIPTION +\fBgrub-setpassword\fR outputs the user.cfg file which contains the hashed GRUB bootloader password. This utility only supports configurations where there is a single root user. + +The file has the format: +GRUB2_PASSWORD=<\fIhashed password\fR>. + +.SH OPTIONS +.TP +-h, --help +Display program usage and exit. +.TP +-v, --version +Display the current version. +.TP +-o, --output[=\fIDIRECTORY PATH\fR] +Choose the file path to which user.cfg will be written. + +.SH SEE ALSO +.BR "info grub" + +.BR "info grub2-mkpasswd-pbkdf2" diff --git a/util/grub-setpassword.in b/util/grub-setpassword.in new file mode 100644 index 00000000000..dd76f00fc0e --- /dev/null +++ b/util/grub-setpassword.in @@ -0,0 +1,123 @@ +#!/bin/sh -e + +if [ -d /sys/firmware/efi/efivars/ ]; then + grubdir=`echo "/@bootdirname@/efi/EFI/redhat/" | sed 's,//*,/,g'` +else + grubdir=`echo "/@bootdirname@/@grubdirname@" | sed 's,//*,/,g'` +fi + +PACKAGE_VERSION="@PACKAGE_VERSION@" +PACKAGE_NAME="@PACKAGE_NAME@" +self=`basename $0` +bindir="@bindir@" +grub_mkpasswd="${bindir}/@grub_mkpasswd_pbkdf2@" + +# Usage: usage +# Print the usage. +usage () { + cat <<EOF +Usage: $0 [OPTION] [SOURCE] +Run GRUB script in a Qemu instance. + + -h, --help print this message and exit + -v, --version print the version information and exit + -o, --output_path choose a custom output path for user.cfg + +$0 prompts the user to set a password on the grub bootloader. The password +is written to a file named user.cfg. + +Report bugs at https://bugzilla.redhat.com. +EOF +} + +argument () { + opt=$1 + shift + + if test $# -eq 0; then + gettext_printf "%s: option requires an argument -- \`%s'\n" "$self" "$opt" 1>&2 + exit 1 + fi + echo $1 +} + +# Ensure that it's the root user running this script +if [ "${EUID}" -ne 0 ]; then + echo "The grub bootloader password may only be set by root." + usage + exit 2 +fi + +# Check the arguments. +while test $# -gt 0 +do + option=$1 + shift + + case "$option" in + -h | --help) + usage + exit 0 ;; + -v | --version) + echo "$self (${PACKAGE_NAME}) ${PACKAGE_VERSION}" + exit 0 ;; + -o | --output) + OUTPUT_PATH=`argument $option "$@"`; shift ;; + --output=*) + OUTPUT_PATH=`echo "$option" | sed 's/--output=//'` ;; + -o=*) + OUTPUT_PATH=`echo "$option" | sed 's/-o=//'` ;; + esac +done + +# set user input or default path for user.cfg file +if [ -z "${OUTPUT_PATH}" ]; then + OUTPUT_PATH="${grubdir}" +fi + +if [ ! -d "${OUTPUT_PATH}" ]; then + echo "${OUTPUT_PATH} does not exist." + usage + exit 2; +fi + +ttyopt=$(stty -g) +fixtty() { + stty ${ttyopt} +} + +trap fixtty EXIT +stty -echo + +# prompt & confirm new grub2 root user password +echo -n "Enter password: " +read PASSWORD +echo +echo -n "Confirm password: " +read PASSWORD_CONFIRM +echo +stty ${ttyopt} + +getpass() { + local P0 + local P1 + P0="$1" && shift + P1="$1" && shift + + ( echo ${P0} ; echo ${P1} ) | \ + ${grub_mkpasswd} | \ + grep -v '[eE]nter password:' | \ + sed -e "s/PBKDF2 hash of your password is //" +} + +MYPASS="$(getpass "${PASSWORD}" "${PASSWORD_CONFIRM}")" +if [ -z "${MYPASS}" ]; then + echo "${self}: error: empty password" 1>&2 + exit 1 +fi + +# on the ESP, these will fail to set the permissions, but it's okay because +# the directory is protected. +install -m 0600 /dev/null "${grubdir}/user.cfg" 2>/dev/null || : +chmod 0600 "${grubdir}/user.cfg" 2>/dev/null || : +echo "GRUB2_PASSWORD=${MYPASS}" > "${grubdir}/user.cfg" diff --git a/util/grub.d/01_users.in b/util/grub.d/01_users.in new file mode 100644 index 00000000000..db2f44bfb78 --- /dev/null +++ b/util/grub.d/01_users.in @@ -0,0 +1,11 @@ +#!/bin/sh -e +cat << EOF +if [ -f \${prefix}/user.cfg ]; then + source \${prefix}/user.cfg + if [ -n "\${GRUB2_PASSWORD}" ]; then + set superusers="root" + export superusers + password_pbkdf2 root \${GRUB2_PASSWORD} + fi +fi +EOF