On 27.12.2015 18:03, Andrei Borzenkov wrote:
> 27.12.2015 00:17, Robin Schneider wrote:
>> I am sorry for the misunderstanding. I should have explained the
>> intention behind my patch a bit better than just linking to another patch
>> which makes use of the newly introduced variables by this patch.
>>
>> My intended use case is to allow to add options like '--unrestricted' or
>> '--users "Jane"' to each menuentry generated by grub-mkconfig without
>> altering the scripts themselves.
>
> Oh, no, sorry. CLASS is for adding --class option and --class option is for
> defining icon used to represent menu entry. Please do not misuse it for
> something else.

Sorry for that.

> I try to understand possible use cases.
>
> Please get a look at
> https://lists.gnu.org/archive/html/grub-devel/2015-05/msg00170.html thread.
> SUSE has actually implemented my suggestion. This gives us "all menu
> entries unrestricted" case.

The patch suggested would not allow to overwrite icons via the --class option.
Otherwise it looks very similar to mine :)

>
> Do you really have situation where you need separate category of users that
> won't have access to CLI but will be the *only* users allowed to select
> non-default menu entry? Moreover, do you really need to allow different
> users to boot different categories of menu entries?

I personally don’t need either right now. The "all menu entries unrestricted"
thing is enough for me. But allowing to specify a user instead of
--unrestricted to all menu entries should not make this patch more complicated,
so I still would like to allow it. I attached an updated patch :)

Although I don’t need either of those features, I still think that they can be
useful. For example, you want to use --unrestricted for the default boot entry,
but boot images like memtest+ (as packaged by Debian [1]) only for
authenticated user(s). Another example would be when users put DBAN into the
boot menu :)
(Sure, memtest+ and DBAN are not included in upstream grub.d, but it should
emphasize the point that it can make sense to restrict based on type of
bootable image/system).

Another reason for restricting based on type might be if you have installed a
distribution/OS (which is not the default entry), let's say Windows, which the
administrator thinks could be used to manipulate the GRUB or other
configuration on the system when booted, thus restricting it with a separate
user (--users).

[1]: https://packages.debian.org/jessie/memtest86+

You can choose if you want to apply my updated/simplified patch, my previous
patch allowing restrictions based on type or the patch from Michael Chang (or
none of the above :) ).

>> BTW: The efi menuentry has the class 'windows'. Is that correct? My
>> patch assumes that this menuentry is intended for UEFI applications.
>>
>
> Well, so far upstream os-prober only detects Windows on EFI. But yes, SUSE
> includes additional script.
>
> See https://lists.gnu.org/archive/html/grub-devel/2015-12/msg00103.html -
> does it address your concern?

Yes. Looks good.

-- 
Live long and prosper
Robin `ypid` Schneider

>From 4ca4265ebf23d07405d3f4218d3ed6d858b4e1c5 Mon Sep 17 00:00:00 2001 
From: Robin Schneider <[email protected]>
Date: Sat, 26 Dec 2015 21:53:30 +0100
Subject: [PATCH] Added GRUB_MENU_ENTRY_OPTIONS variable to add options to menu entries.

Useful for making each menuentry '--unrestricted' when using GRUB's password
protection feature.

Ansible role which makes use of this patch:
https://github.com/debops/ansible-grub/pull/7

My intended use case is to allow to add options like '--unrestricted' or
'--users "Jane"' to each menuentry generated by grub-mkconfig without
altering the scripts themselves.

Although the scripts end up under /etc in Debian, I did not think that
changing these files (and `dpkg-divert`ing them) would be such a good idea.

I have been searching for how to configure password protection and I did only
find "hacks" which either suggest to edit the grub config under /boot/grub
(which is totally outdated because the configuration is automatically
generated in Debian) or change the "CLASS" variable in the grub.d scripts
[12]0_.* scripts. So I did go with the latter option. Patching these scripts
with configuration management was not ideal so I decided to propose this patch
upstream. With this patch in place it will be possible to configure this in
/etc/default/grub without touching the scripts.

This patch addresses the issue which is mentioned in this article (at least
when the assumption is true that all menuentries of the same distribution
should get the same restrictions/options):

https://help.ubuntu.com/community/Grub2/Passwords#Protecting_Menuentries

"There is currently no automated method of adding users or designating menu
items to be protected. The user must manually edit the GRUB 2 scripts."
--- util/grub-mkconfig.in | 3 ++- util/grub.d/10_hurd.in | 4 ++-- util/grub.d/10_illumos.in | 2 +- util/grub.d/10_kfreebsd.in | 4 ++-- util/grub.d/10_linux.in | 4 ++-- util/grub.d/10_netbsd.in | 4 ++-- util/grub.d/10_windows.in | 2 +- util/grub.d/10_xnu.in | 2 +- util/grub.d/20_linux_xen.in | 4 ++-- util/grub.d/30_os-prober.in | 14 +++++++------- 10 files changed, 22 insertions(+), 21 deletions(-) diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in index 3183744..8c6747b 100644 --- a/util/grub-mkconfig.in +++ b/util/grub-mkconfig.in @@ -227,7 +227,8 @@ export GRUB_DEFAULT \ GRUB_ENABLE_CRYPTODISK \ GRUB_BADRAM \ GRUB_OS_PROBER_SKIP_LIST \ - GRUB_DISABLE_SUBMENU + GRUB_DISABLE_SUBMENU \ + GRUB_MENU_ENTRY_OPTIONS if test "x${grub_cfg}" != "x"; then rm -f "${grub_cfg}.new" diff --git a/util/grub.d/10_hurd.in b/util/grub.d/10_hurd.in index 59a9a48..8dadaaa 100644 --- a/util/grub.d/10_hurd.in +++ b/util/grub.d/10_hurd.in @@ -100,11 +100,11 @@ hurd_entry () { grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnuhurd-advanced-$boot_device_id>'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")'")" fi sed "s/^/$submenu_indentation/" << EOF -menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' { +menuentry '$(echo "$title" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' { EOF else sed "s/^/$submenu_indentation/" << EOF -menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-simple-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' { +menuentry '$(echo "$OS" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'gnuhurd-simple-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' { EOF fi 
diff --git a/util/grub.d/10_illumos.in b/util/grub.d/10_illumos.in index a133e1b..799cf26 100644 --- a/util/grub.d/10_illumos.in +++ b/util/grub.d/10_illumos.in @@ -34,7 +34,7 @@ case "${GRUB_DISTRIBUTOR}" in ;; esac -echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'illumos-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' {" +echo "menuentry '$(echo "$OS" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'illumos-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' {" save_default_entry | grub_add_tab prepare_grub_to_access_device "${GRUB_DEVICE_BOOT}" | grub_add_tab message="$(gettext_printf "Loading kernel of Illumos ...")" diff --git a/util/grub.d/10_kfreebsd.in b/util/grub.d/10_kfreebsd.in index 9d8e8fd..ba45601 100644 --- a/util/grub.d/10_kfreebsd.in +++ b/util/grub.d/10_kfreebsd.in 
@@ -86,9 +86,9 @@ kfreebsd_entry () title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "kfreebsd-advanced-$boot_device_id>kfreebsd-$version-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'kfreebsd-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" else - echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$OS" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'kfreebsd-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" fi if [ x$type != xrecovery ] ; then save_default_entry | grub_add_tab | sed "s/^/$submenu_indentation/" diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in index 859b608..535eeda 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in 
@@ -90,9 +90,9 @@ linux_entry () title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" else - echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$os" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" fi if [ x$type != xrecovery ] ; then save_default_entry | grub_add_tab diff --git a/util/grub.d/10_netbsd.in b/util/grub.d/10_netbsd.in index 874f599..8587456 100644 --- a/util/grub.d/10_netbsd.in +++ b/util/grub.d/10_netbsd.in 
@@ -113,9 +113,9 @@ netbsd_entry () grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "netbsd-advanced-$boot_device_id>netbsd-${loader}-$kernel-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-$kernel-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} \$menuentry_id_option 'netbsd-${loader}-$kernel-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" else - echo "menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$OS" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} \$menuentry_id_option 'netbsd-${loader}-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" fi printf "%s\n" "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/" diff --git a/util/grub.d/10_windows.in b/util/grub.d/10_windows.in index 554c561..3f120f1 100644 --- a/util/grub.d/10_windows.in +++ b/util/grub.d/10_windows.in @@ -84,7 +84,7 @@ for drv in $drives ; do gettext_printf "Found %s on %s (%s)\n" "$OS" "$drv" "$dev" >&2 cat << EOF -menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option '$osid-$(grub_get_device_id "${dev}")' { +menuentry '$(echo "$OS" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} \$menuentry_id_option '$osid-$(grub_get_device_id "${dev}")' { EOF save_default_entry | sed -e 's,^,$grub_tab,' diff --git a/util/grub.d/10_xnu.in b/util/grub.d/10_xnu.in index 51ee2f4..1d2c45a 100644 --- a/util/grub.d/10_xnu.in +++ b/util/grub.d/10_xnu.in 
@@ -37,7 +37,7 @@ osx_entry() { # TRANSLATORS: it refers on the OS residing on device %s onstr="$(gettext_printf "(on %s)" "${GRUB_DEVICE}")" cat << EOF -menuentry '$(echo "Darwin/Mac OS X $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${GRUB_DEVICE}")' { +menuentry '$(echo "Darwin/Mac OS X $bitstr $onstr" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${GRUB_DEVICE}")' { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${GRUB_DEVICE} | grub_add_tab diff --git a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in index f532fb9..c655179 100644 --- a/util/grub.d/20_linux_xen.in +++ b/util/grub.d/20_linux_xen.in 
@@ -98,10 +98,10 @@ linux_entry () title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'xen-gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" else title="$(gettext_printf "%s, with Xen hypervisor" "${os}")" - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'xen-gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" fi if [ x$type != xrecovery ] ; then save_default_entry | grub_add_tab | sed "s/^/$submenu_indentation/" diff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in index 5fc4f0c..8be9c69 100644 --- a/util/grub.d/30_os-prober.in +++ b/util/grub.d/30_os-prober.in 
@@ -52,7 +52,7 @@ osx_entry() { # TRANSLATORS: it refers on the OS residing on device %s onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $bitstr $onstr" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${DEVICE}")' { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${DEVICE} | grub_add_tab @@ -142,7 +142,7 @@ for OS in ${OSPROBED} ; do onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-chain-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} --class windows --class os \$menuentry_id_option 'osprober-chain-$(grub_get_device_id "${DEVICE}")' { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${DEVICE} | grub_add_tab @@ -174,7 +174,7 @@ EOF DEVICE=${DEVICE%@*} onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-efi-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} --class windows --class os \$menuentry_id_option 'osprober-efi-$(grub_get_device_id "${DEVICE}")' { EOF save_default_entry | sed -e "s/^/\t/" prepare_grub_to_access_device ${DEVICE} | sed -e "s/^/\t/" 
@@ -230,7 +230,7 @@ EOF if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then cat << EOF -menuentry '$(echo "$OS $onstr" | grub_quote)' --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-simple-$boot_device_id' { +menuentry '$(echo "$OS $onstr" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-simple-$boot_device_id' { EOF save_default_entry | grub_add_tab printf '%s\n' "${prepare_boot_cache}" @@ -250,7 +250,7 @@ EOF fi title="${LLABEL} $onstr" cat << EOF - menuentry '$(echo "$title" | grub_quote)' --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-$LKERNEL-${recovery_params}-$boot_device_id' { + menuentry '$(echo "$title" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-$LKERNEL-${recovery_params}-$boot_device_id' { EOF save_default_entry | sed -e "s/^/$grub_tab$grub_tab/" printf '%s\n' "${prepare_boot_cache}" | grub_add_tab @@ -287,7 +287,7 @@ EOF hurd) onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class hurd --class gnu --class os \$menuentry_id_option 'osprober-gnuhurd-/boot/gnumach.gz-false-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} --class hurd --class gnu --class os \$menuentry_id_option 'osprober-gnuhurd-/boot/gnumach.gz-false-$(grub_get_device_id "${DEVICE}")' { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${DEVICE} | grub_add_tab @@ -312,7 +312,7 @@ EOF ;; minix) cat << EOF -menuentry "${LONGNAME} (on ${DEVICE}, Multiboot)" { +menuentry "${LONGNAME} (on ${DEVICE}, Multiboot)" ${GRUB_MENU_ENTRY_OPTIONS} { EOF save_default_entry | sed -e "s/^/\t/" prepare_grub_to_access_device ${DEVICE} | sed -e "s/^/\t/" -- 2.1.4
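Review bot: In the util/grub-mkconfig.in hunk, GRUB_MENU_ENTRY_OPTIONS joins the export list, but the diffstat only touches files under util/, so the new variable ships undocumented. Please add it to the manual alongside the other /etc/default/grub variables, and state there that the value is copied verbatim into every generated menuentry line, with the '--unrestricted' and '--users "Jane"' cases from the commit message as the examples.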
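Review bot: In util/grub.d/10_linux.in (same pattern in 10_kfreebsd.in and 20_linux_xen.in), the first changed echo, the one whose id contains $type, is also the line that emits recovery entries, as the `if [ x$type != xrecovery ]` context directly below it shows. With GRUB_MENU_ENTRY_OPTIONS='--unrestricted' the recovery entries therefore lose password protection together with the normal ones, which is unlikely to be what an administrator who set a GRUB password expects. Consider leaving the variable out when $type is recovery, or providing a separate variable for recovery entries, and in any case say in the documentation which entries the option reaches.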
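Review bot: In util/grub.d/30_os-prober.in, the hunk at -250 changes an indented menuentry that lives inside a submenu, yet no `submenu` line is changed anywhere in this patch. The nested entries then carry '--unrestricted' or '--users' while the enclosing submenu does not, so please check how a submenu without these options behaves once a password is configured, and either add the variable to the submenu lines as well or note in the commit message that submenus are intentionally left as they are.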
_______________________________________________ Grub-devel mailing list [email protected] https://lists.gnu.org/mailman/listinfo/grub-devel
