Greetings from Munich! I talked at FOSDEM with Vladimir Serbinenko about the patches we have on top of Ubuntu patches in the grub2 package in our current LiMux release based on Ubuntu 14.04 (trusty).
The main reason why we have a patched version is to restrict the fallback options using a password provided by the administrators (see attachment). The fallback options basically provide the possibility to drop to a root shell, which is not what you want on client systems in a large enterprise environment. There is a way to set a password in the Ubuntu package. I haven't looked up whether that mechanism comes from upstream grub or is added by Debian/Ubuntu. Anyway, it lets you set a password for all the entries or for none. Thus we use the Debian debconf mechanism to set a password for the fallback options only. We very much appreciate the proposal for adding a simple configuration interface as presented at FOSDEM. Please keep our use case in mind while developing. I guess every desktop distribution would benefit from it, since most of them have such fallback options. Max
--- a/util/grub.d/00_header.in
+++ b/util/grub.d/00_header.in
@@ -388,3 +388,14 @@
 if [ "x${GRUB_BADRAM}" != "x" ] ; then
 echo "badram ${GRUB_BADRAM}"
 fi
+
+#
+# Setting up lhm password protection with password read from debconf param.
+#
+if [ "$secure_recovery_shell" = "true" ]; then
+ grubsu_GRUB_PASSWORD=$(debconf-show grub-pc | grep grub-pc/grub_password | awk '{ print $NF }')
+ echo "set superusers='grubsu'"
+ echo "password_pbkdf2 grubsu $grubsu_GRUB_PASSWORD"
+fi
+
+
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -114,9 +114,12 @@
 if [ x$type != xsimple ] ; then
 case $type in
 recovery)
- title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" ;;
+ title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")"
+ [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu"
+ ;;
 *)
- title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")" ;;
+ title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")"
+ ;;
 esac
 if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then
 replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')"
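Review bot: `echo "password_pbkdf2 grubsu $grubsu_GRUB_PASSWORD"` is emitted whenever `secure_recovery_shell` is true, so an empty or malformed debconf value yields a broken directive while `set superusers='grubsu'` still takes effect, and nobody can then authenticate for the entries marked `--users grubsu`. The value must be a `grub-mkpasswd-pbkdf2` hash (`grub.pbkdf2.sha512.…`), not a cleartext password, and if the `grub-pc/grub_password` template is of type password, debconf-show as far as I recall prints `(password omitted)` instead of the value, which `awk '{ print $NF }'` would turn into `omitted)`. The unanchored `grep grub-pc/grub_password` also matches any other template whose name contains that string. I would validate the hash prefix before emitting `superusers`, warn through `grub_warn` otherwise, and anchor the grep on debconf-show's `name: value` line format; whether to abort grub-mkconfig instead of warning is a policy choice for a fleet that relies on this protection.
```shell
if [ "$secure_recovery_shell" = "true" ]; then
  grubsu_GRUB_PASSWORD=$(debconf-show grub-pc | grep ' grub-pc/grub_password:' | awk '{ print $NF }')
  case "$grubsu_GRUB_PASSWORD" in
    grub.pbkdf2.*)
      echo "set superusers='grubsu'"
      echo "password_pbkdf2 grubsu $grubsu_GRUB_PASSWORD"
      ;;
    *)
      # Never set superusers without a usable hash: the --users grubsu entries would be unbootable.
      grub_warn "$(gettext "grub-pc/grub_password is empty or not a grub-mkpasswd-pbkdf2 hash; superusers not set")"
      ;;
  esac
fi
```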
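Review bot: `permission="--users grubsu"` assigned in the `recovery)` arm is a script-global that nothing resets, so on a machine with more than one installed kernel every `advanced` entry emitted after the first recovery entry (the kernel loop calls `linux_entry … advanced` again) is also restricted to `grubsu`; the `*)` arm should restore the default, e.g. `[ "$secure_recovery_shell" = "false" ] || permission="--unrestricted"`. The same leak is in the `xrecovery` branches of the 10_hurd.in, 10_kfreebsd.in, 10_netbsd.in and 20_linux_xen.in hunks, whose `else` branches need the same reset. Separately, the `submenu 'Advanced options for …'` line of this script lies outside the hunk; unless it also receives `${permission}`, setting `superusers` would, as I understand grub's authorization rules, make the submenu itself require the superuser password and put every advanced entry behind it — worth confirming. `linux_entry` begins and ends outside the hunk.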
@@ -124,9 +127,9 @@
 title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;"
 grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")"
 fi
- echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
 else
- echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
 fi
 if [ "$quick_boot" = 1 ]; then
 echo " recordfail" | sed "s/^/$submenu_indentation/"
--- a/util/grub-mkconfig_lib.in
+++ b/util/grub-mkconfig_lib.in
@@ -393,3 +393,12 @@
 sed -e "s/^/$grub_tab/"
 }
+#
+# Get debconf parameter without
+#
+secure_recovery_shell=$(debconf-show grub-pc | grep grub-pc/secure_recoveryshell | awk '{ print $NF }')
+[ -n "$secure_recovery_shell" ] || secure_recovery_shell="true"
+[ "$secure_recovery_shell" = "false" ] || permission="--unrestricted"
+
+
+
--- a/util/grub.d/10_hurd.in
+++ b/util/grub.d/10_hurd.in
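Review bot: The comment `# Get debconf parameter without` in the grub-mkconfig_lib.in hunk is cut off and should state what the block does, e.g. `# Read grub-pc/secure_recoveryshell from debconf; default to "true" (protected) when unset, and mark every entry --unrestricted so that only recovery entries are gated on the grubsu user.` The default deserves a comment of its own: when the key is missing or `debconf-show` is not installed, the pipeline still returns an empty string, `secure_recovery_shell` becomes `"true"`, and 00_header.in (assuming it sources this library like the other scripts) will emit `superusers` even though no password hash may be configured. `grep grub-pc/secure_recoveryshell` is unanchored, so a template whose name merely contains that string would also match; `grep ' grub-pc/secure_recoveryshell:'` keyed on debconf-show's `name: value` line format is tighter. Note that `permission` is a process-wide variable shared with every grub.d script that sources this file, so its name and the `--unrestricted` default should be documented here where they are defined.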
@@ -89,6 +89,7 @@
 if [ x$type != xsimple ] ; then
 if [ x$type = xrecovery ] ; then
 title="$(gettext_printf "%s, with Hurd %s (%s)" "${OS}" "${kernel_base}" "$(gettext "${GRUB_RECOVERY_TITLE}")")"
+ [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu"
 oldtitle="$OS using $kernel_base ($GRUB_RECOVERY_TITLE)"
 else
 title="$(gettext_printf "%s, with Hurd %s" "${OS}" "${kernel_base}")"
@@ -100,11 +101,11 @@
 grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnuhurd-advanced-$boot_device_id>'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")'")"
 fi
 sed "s/^/$submenu_indentation/" << EOF
-menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' {
+menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' ${permission} {
 EOF
 else
 sed "s/^/$submenu_indentation/" << EOF
-menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-simple-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' {
+menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-simple-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' ${permission} {
 EOF
 fi
--- a/util/grub.d/10_illumos.in
+++ b/util/grub.d/10_illumos.in
@@ -34,7 +34,7 @@
 ;;
 esac
-echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'illumos-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' {"
+echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'illumos-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' ${permission} {"
 save_default_entry | grub_add_tab
 prepare_grub_to_access_device "${GRUB_DEVICE_BOOT}" | grub_add_tab
 message="$(gettext_printf "Loading kernel of Illumos ...")"
--- a/util/grub.d/10_kfreebsd.in
+++ b/util/grub.d/10_kfreebsd.in
@@ -77,6 +77,7 @@
 if [ x$type != xsimple ] ; then
 if [ x$type = xrecovery ] ; then
 title="$(gettext_printf "%s, with kFreeBSD %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")"
+ [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu"
 else
 title="$(gettext_printf "%s, with kFreeBSD %s" "${os}" "${version}")"
 fi
@@ -86,9 +87,9 @@
 title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;"
 grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "kfreebsd-advanced-$boot_device_id>kfreebsd-$version-$type-$boot_device_id")"
 fi
- echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-$version-$type-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
 else
- echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-simple-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
 fi
 if [ x$type != xrecovery ] ; then
 save_default_entry | grub_add_tab | sed "s/^/$submenu_indentation/"
--- a/util/grub.d/10_netbsd.in
+++ b/util/grub.d/10_netbsd.in
@@ -103,6 +103,7 @@
 if [ x$type != xsimple ] ; then
 if [ x$type = xrecovery ] ; then
 title="$(gettext_printf "%s, with kernel %s (via %s, %s)" "${OS}" "$(echo ${kernel} | sed -e 's,^.*/,,')" "${loader}" "$(gettext "${GRUB_RECOVERY_TITLE}")")"
+ [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu"
 else
 title="$(gettext_printf "%s, with kernel %s (via %s)" "${OS}" "$(echo ${kernel} | sed -e 's,^.*/,,')" "${loader}")"
 fi
@@ -113,9 +114,9 @@
 grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "netbsd-advanced-$boot_device_id>netbsd-${loader}-$kernel-$type-$boot_device_id")"
 fi
- echo "menuentry '$(echo "$title" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-$kernel-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$title" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-$kernel-$type-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
 else
- echo "menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-simple-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
 fi
 printf "%s\n" "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/"
--- a/util/grub.d/10_windows.in
+++ b/util/grub.d/10_windows.in
@@ -84,7 +84,7 @@
 gettext_printf "Found %s on %s (%s)\n" "$OS" "$drv" "$dev" >&2
 cat << EOF
-menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option '$osid-$(grub_get_device_id "${dev}")' {
+menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option '$osid-$(grub_get_device_id "${dev}")' ${permission} {
 EOF
 save_default_entry | sed -e 's,^,$grub_tab,'
--- a/util/grub.d/10_xnu.in
+++ b/util/grub.d/10_xnu.in
@@ -37,7 +37,7 @@
 # TRANSLATORS: it refers on the OS residing on device %s
 onstr="$(gettext_printf "(on %s)" "${GRUB_DEVICE}")"
 cat << EOF
-menuentry '$(echo "Darwin/Mac OS X $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${GRUB_DEVICE}")' {
+menuentry '$(echo "Darwin/Mac OS X $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${GRUB_DEVICE}")' ${permission} {
 EOF
 save_default_entry | grub_add_tab
 prepare_grub_to_access_device ${GRUB_DEVICE} | grub_add_tab
--- a/util/grub.d/20_linux_xen.in
+++ b/util/grub.d/20_linux_xen.in
@@ -94,6 +94,7 @@
 if [ x$type != xsimple ] ; then
 if [ x$type = xrecovery ] ; then
 title="$(gettext_printf "%s, with Xen %s and Linux %s (%s)" "${os}" "${xen_version}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")"
+ [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu"
 else
 title="$(gettext_printf "%s, with Xen %s and Linux %s" "${os}" "${xen_version}" "${version}")"
 fi
@@ -103,10 +104,10 @@
 title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;"
 grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")"
 fi
- echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-$version-$type-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
 else
 title="$(gettext_printf "%s, with Xen hypervisor" "${os}")"
- echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-simple-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
 fi
 if [ x$type != xrecovery ] ; then
 save_default_entry | grub_add_tab | sed "s/^/$submenu_indentation/"
--- a/util/grub.d/30_os-prober.in
+++ b/util/grub.d/30_os-prober.in
@@ -67,7 +67,7 @@
 # TRANSLATORS: it refers on the OS residing on device %s
 onstr="$(gettext_printf "(on %s)" "${DEVICE}")"
 cat << EOF
-menuentry '$(echo "${LONGNAME} $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${DEVICE}")' {
+menuentry '$(echo "${LONGNAME} $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${DEVICE}")' ${permission} {
 EOF
 save_default_entry | grub_add_tab
 prepare_grub_to_access_device ${DEVICE} | grub_add_tab
@@ -177,7 +177,7 @@
 found_other_os=1
 onstr="$(gettext_printf "(on %s)" "${DEVICE}")"
 cat << EOF
-menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-chain-$(grub_get_device_id "${DEVICE}")' {
+menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-chain-$(grub_get_device_id "${DEVICE}")' ${permission} {
 EOF
 save_default_entry | grub_add_tab
 prepare_grub_to_access_device ${DEVICE} | grub_add_tab
@@ -210,7 +210,7 @@
 DEVICE=${DEVICE%@*}
 onstr="$(gettext_printf "(on %s)" "${DEVICE}")"
 cat << EOF
-menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-efi-$(grub_get_device_id "${DEVICE}")' {
+menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-efi-$(grub_get_device_id "${DEVICE}")' ${permission} {
 EOF
 save_default_entry | sed -e "s/^/\t/"
 prepare_grub_to_access_device ${DEVICE} | sed -e "s/^/\t/"
@@ -268,7 +268,7 @@
 if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
 cat << EOF
-menuentry '$(echo "$OS $onstr" | grub_quote)' --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-simple-$boot_device_id' {
+menuentry '$(echo "$OS $onstr" | grub_quote)' --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-simple-$boot_device_id' ${permission} {
 EOF
 save_default_entry | grub_add_tab
 printf '%s\n' "${prepare_boot_cache}"
@@ -326,7 +326,7 @@
 found_other_os=1
 onstr="$(gettext_printf "(on %s)" "${DEVICE}")"
 cat << EOF
-menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class hurd --class gnu --class os \$menuentry_id_option 'osprober-gnuhurd-/boot/gnumach.gz-false-$(grub_get_device_id "${DEVICE}")' {
+menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class hurd --class gnu --class os \$menuentry_id_option 'osprober-gnuhurd-/boot/gnumach.gz-false-$(grub_get_device_id "${DEVICE}")' ${permission} {
 EOF
 save_default_entry | grub_add_tab
 prepare_grub_to_access_device ${DEVICE} | grub_add_tab
@@ -351,7 +351,7 @@
 ;;
 minix)
 cat << EOF
-menuentry "${LONGNAME} (on ${DEVICE}, Multiboot)" {
+menuentry "${LONGNAME} (on ${DEVICE}, Multiboot)" ${permission} {
 EOF
 save_default_entry | sed -e "s/^/\t/"
 prepare_grub_to_access_device ${DEVICE} | sed -e "s/^/\t/"
--- a/util/grub.d/30_uefi-firmware.in
+++ b/util/grub.d/30_uefi-firmware.in
@@ -39,7 +39,7 @@
 onstr="$(gettext_printf "(on %s)" "${DEVICE}")"
 cat << EOF
-menuentry '$LABEL' \$menuentry_id_option 'uefi-firmware' {
+menuentry '$LABEL' \$menuentry_id_option 'uefi-firmware' ${permission} {
 fwsetup
 }
 EOF