Provided a tool for users to reset the grub2 root user password without having to alter the grub.cfg. The hashed password now lives in a root-only-readable configuration file.
Resolves: rhbz#985962
---
 Makefile.util.def | 13 ++++++
 configure.ac | 1 +
 util/grub-setpassword.in | 105 +++++++++++++++++++++++++++++++++++++++++++++++
 util/grub.d/01_users.in | 11 +++++
 4 files changed, 130 insertions(+)
 create mode 100755 util/grub-setpassword.in
 create mode 100644 util/grub.d/01_users.in
diff --git a/Makefile.util.def b/Makefile.util.def
index 3ac7572..e2821a2 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -438,6 +438,12 @@ script = {
 };
 
 script = {
+ name = '01_users';
+ common = util/grub.d/01_users.in;
+ installdir = grubconf;
+};
+
+script = {
 name = '10_windows';
 common = util/grub.d/10_windows.in;
 installdir = grubconf;
@@ -713,6 +719,13 @@ script = {
 };
 
 script = {
+ name = grub-setpassword;
+ common = util/grub-setpassword.in;
+ mansection = 8;
+ installdir = sbin;
+};
+
+script = {
 name = grub-mkconfig_lib;
 common = util/grub-mkconfig_lib.in;
 installdir = noinst;
diff --git a/configure.ac b/configure.ac
index 671bf49..e4f6934 100644
--- a/configure.ac
+++ b/configure.ac
@@ -65,6 +65,7 @@ grub_TRANSFORM([grub-mkrelpath])
 grub_TRANSFORM([grub-mkrescue])
 grub_TRANSFORM([grub-probe])
 grub_TRANSFORM([grub-reboot])
+grub_TRANSFORM([grub-setpassword])
 grub_TRANSFORM([grub-rpm-sort])
 grub_TRANSFORM([grub-script-check])
 grub_TRANSFORM([grub-set-default])
diff --git a/util/grub-setpassword.in b/util/grub-setpassword.in
new file mode 100755
index 0000000..fc0ccf1
--- /dev/null
+++ b/util/grub-setpassword.in
@@ -0,0 +1,105 @@
+#!/bin/sh -e
+
+grubdir=`echo "/@bootdirname@/@grubdirname@" | sed 's,//*,/,g'`
+PACKAGE_VERSION="@PACKAGE_VERSION@"
+PACKAGE_NAME="@PACKAGE_NAME@"
+self=`basename $0`
+
+# Usage: usage
+# Print the usage.
+usage () {
+ cat <<EOF
+Usage: $0 [OPTION] [SOURCE]
+Run GRUB script in a Qemu instance.
+
+ -h, --help print this message and exit
+ -v, --version print the version information and exit
+ -o, --output_path choose a custom output path for user.cfg
+
+$0 prompts the user to set a password on the grub bootloader. The password
+is written to a file named user.cfg.
+
+Report bugs at https://bugzilla.redhat.com.
+EOF
+}
+
+argument () {
+ opt=$1
+ shift
+
+ if test $# -eq 0; then
+ gettext_printf "%s: option requires an argument -- `%s'\n" "$self" "$opt" 1>&2
+ exit 1
+ fi
+ echo $1
+}
+
+# Ensure that it's the root user running this script
+if [ "${EUID}" -ne 0 ]; then
+ echo "The grub bootloader password may only be set by root."
+ usage
+ exit 2
+fi
+
+# Check the arguments.
+while test $# -gt 0
+do
+ option=$1
+ shift
+
+ case "$option" in
+ -h | --help)
+ usage
+ exit 0 ;;
+ -v | --version)
+ echo "$self (${PACKAGE_NAME}) ${PACKAGE_VERSION}"
+ exit 0 ;;
+ -o | --output)
+ OUTPUT_PATH=`argument $option "$@"`; shift ;;
+ --output=*)
+ OUTPUT_PATH=`echo "$option" | sed 's/--output=//'` ;;
+ -o=*)
+ OUTPUT_PATH=`echo "$option" | sed 's/-o=//'` ;;
+ esac
+done
+
+# set user input or default path for user.cfg file
+if [ -z "${OUTPUT_PATH}" ]; then
+ OUTPUT_PATH="${grubdir}"
+fi
+
+if [ ! -d "${OUTPUT_PATH}" ]; then
+ echo "${OUTPUT_PATH} does not exist."
+ usage
+ exit 2;
+fi
+
+ttyopt=$(stty -g)
+stty -echo
+# prompt & confirm new grub2 root user password
+echo -n "Enter password: "
+read PASSWORD
+echo
+echo -n "Confirm password: "
+read PASSWORD_CONFIRM
+echo
+stty ${ttyopt}
+
+# Capture Tool Output
+MYPASS=$(( echo "${PASSWORD}" ; echo "${PASSWORD_CONFIRM}" ) | \
+ /usr/bin/grub2-mkpasswd-pbkdf2 2>&1 | \
+ grep -v "[eE]nter password:" | \
+ sed -e "s/PBKDF2 hash of your password is //")
+# Handle tool errors
+if ERROR_CHECK=$(echo "${MYPASS}" | grep -o "error: .*") ; then
+ echo "${ERROR_CHECK}"
+elif [ -n "${MYPASS}" ]; then
+ echo "GRUB2_PASSWORD=${MYPASS}" 2>&1 > "${grubdir}/user.cfg"
+ echo "The bootloader password has been set."
+ exit 0
+else
+ echo "Unhandled error."
+fi
+
+# If the password file wasn't created, then it's an error state
+exit 1
diff --git a/util/grub.d/01_users.in b/util/grub.d/01_users.in
new file mode 100644
index 0000000..facd409
--- /dev/null
+++ b/util/grub.d/01_users.in
@@ -0,0 +1,11 @@
+#!/bin/sh -e
+cat << EOF
+if [ -f ${prefix}/user.cfg ]; then
+ source ${prefix}/user.cfg
+ if [ -n ${GRUB2_PASSWORD} ]; then
+ set superusers="root"
+ export superusers
+ password_pbkdf2 root ${GRUB2_PASSWORD}
+ fi
+fi
+EOF
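Review bot: In util/grub-setpassword.in, `user.cfg` is created with whatever umask the caller happens to have, so nothing in the script makes the hash root-only-readable as the commit message says; set `umask 077` before the write, or `chmod 600` the file right after it. The same write ignores the `-o`/`--output` value: `OUTPUT_PATH` is parsed and checked with `-d`, but the redirect targets `"${grubdir}/user.cfg"`, so it should read `echo "GRUB2_PASSWORD=${MYPASS}" > "${OUTPUT_PATH}/user.cfg"`. The root check relies on `${EUID}`, which bash sets but POSIX sh does not, so under a non-bash `/bin/sh` the test would reject root as well; `[ "$(id -u)" -ne 0 ]` is portable. `stty -echo` is not undone if the script is interrupted at the prompt, so a `trap 'stty "${ttyopt}"' EXIT INT TERM` right after saving `ttyopt` would keep the terminal usable. `argument` also calls `gettext_printf`, which this new file neither defines nor sources, so the missing-argument path would fail with "command not found" instead of the intended message.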
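Review bot: In util/grub.d/01_users.in the heredoc delimiter is unquoted (`cat << EOF`), so `${prefix}` and `${GRUB2_PASSWORD}` are expanded by the shell that runs this generator instead of being written into grub.cfg for GRUB to evaluate at boot. Unless both happen to be set in the generator's environment, the emitted block would refer to `/user.cfg` and an empty hash, so the password stored by grub-setpassword is probably never enforced; quoting the delimiter, `cat << 'EOF'`, emits the text literally. Inside the emitted script the test should also quote the variable, `if [ -n "${GRUB2_PASSWORD}" ]; then`, so that an empty value is tested as an empty string rather than as a missing argument.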