Greetings from Munich!
I talked at FOSDEM with Vladimir Serbinenko about the patches we have on
top of Ubuntu patches in the grub2 package in our current LiMux release
based on Ubuntu 14.04 (trusty).
The main reason why we have a patched version is to restrict the
fallback options using a password provided by the administrators (see
attachment). The fallback options basically provide the possibility to
drop to a root shell, which is not what you want on client systems in a
large enterprise environment.
There is a way to set a password in the Ubuntu package. I haven't looked
up in which way that mechanism comes from upstream grub or is added by
debian/ubuntu. Anyway it lets you set a password for all the entries or
for none. Thus we use the debian debconf mechanism to set a password for
the fallback options only.
We very much appreciate the proposal for adding a simple configuration
interface as presented at FOSDEM. Please keep our use case in mind while
developing. I guess every desktop distribution would benefit from it,
since most of them have such fallback options.
Max
--- a/util/grub.d/00_header.in
+++ b/util/grub.d/00_header.in
@@ -388,3 +388,14 @@
if [ "x${GRUB_BADRAM}" != "x" ] ; then
echo "badram ${GRUB_BADRAM}"
fi
+
+#
+# Setting up lhm password protection with password read from debconf param.
+#
+if [ "$secure_recovery_shell" = "true" ]; then
+ grubsu_GRUB_PASSWORD=$(debconf-show grub-pc | grep grub-pc/grub_password | awk '{ print $NF }')
+ echo "set superusers='grubsu'"
+ echo "password_pbkdf2 grubsu $grubsu_GRUB_PASSWORD"
+fi
+
+
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -114,9 +114,12 @@
if [ x$type != xsimple ] ; then
case $type in
recovery)
- title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" ;;
+ title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")"
+ [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu"
+ ;;
*)
- title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")" ;;
+ title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")"
+ ;;
esac
if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then
replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')"
@@ -124,9 +127,9 @@
title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;"
grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")"
fi
- echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
else
- echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
fi
if [ "$quick_boot" = 1 ]; then
echo " recordfail" | sed "s/^/$submenu_indentation/"
--- a/util/grub-mkconfig_lib.in
+++ b/util/grub-mkconfig_lib.in
@@ -393,3 +393,12 @@
sed -e "s/^/$grub_tab/"
}
+#
+# Get debconf parameter without
+#
+secure_recovery_shell=$(debconf-show grub-pc | grep grub-pc/secure_recoveryshell | awk '{ print $NF }')
+[ -n "$secure_recovery_shell" ] || secure_recovery_shell="true"
+[ "$secure_recovery_shell" = "false" ] || permission="--unrestricted"
+
+
+
--- a/util/grub.d/10_hurd.in
+++ b/util/grub.d/10_hurd.in
@@ -89,6 +89,7 @@
if [ x$type != xsimple ] ; then
if [ x$type = xrecovery ] ; then
title="$(gettext_printf "%s, with Hurd %s (%s)" "${OS}" "${kernel_base}" "$(gettext "${GRUB_RECOVERY_TITLE}")")"
+ [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu"
oldtitle="$OS using $kernel_base ($GRUB_RECOVERY_TITLE)"
else
title="$(gettext_printf "%s, with Hurd %s" "${OS}" "${kernel_base}")"
@@ -100,11 +101,11 @@
grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnuhurd-advanced-$boot_device_id>'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")'")"
fi
sed "s/^/$submenu_indentation/" << EOF
-menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' {
+menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' ${permission} {
EOF
else
sed "s/^/$submenu_indentation/" << EOF
-menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-simple-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' {
+menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-simple-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' ${permission} {
EOF
fi
--- a/util/grub.d/10_illumos.in
+++ b/util/grub.d/10_illumos.in
@@ -34,7 +34,7 @@
;;
esac
-echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'illumos-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' {"
+echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'illumos-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' ${permission} {"
save_default_entry | grub_add_tab
prepare_grub_to_access_device "${GRUB_DEVICE_BOOT}" | grub_add_tab
message="$(gettext_printf "Loading kernel of Illumos ...")"
--- a/util/grub.d/10_kfreebsd.in
+++ b/util/grub.d/10_kfreebsd.in
@@ -77,6 +77,7 @@
if [ x$type != xsimple ] ; then
if [ x$type = xrecovery ] ; then
title="$(gettext_printf "%s, with kFreeBSD %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")"
+ [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu"
else
title="$(gettext_printf "%s, with kFreeBSD %s" "${os}" "${version}")"
fi
@@ -86,9 +87,9 @@
title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;"
grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "kfreebsd-advanced-$boot_device_id>kfreebsd-$version-$type-$boot_device_id")"
fi
- echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-$version-$type-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
else
- echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-simple-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
fi
if [ x$type != xrecovery ] ; then
save_default_entry | grub_add_tab | sed "s/^/$submenu_indentation/"
--- a/util/grub.d/10_netbsd.in
+++ b/util/grub.d/10_netbsd.in
@@ -103,6 +103,7 @@
if [ x$type != xsimple ] ; then
if [ x$type = xrecovery ] ; then
title="$(gettext_printf "%s, with kernel %s (via %s, %s)" "${OS}" "$(echo ${kernel} | sed -e 's,^.*/,,')" "${loader}" "$(gettext "${GRUB_RECOVERY_TITLE}")")"
+ [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu"
else
title="$(gettext_printf "%s, with kernel %s (via %s)" "${OS}" "$(echo ${kernel} | sed -e 's,^.*/,,')" "${loader}")"
fi
@@ -113,9 +114,9 @@
grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "netbsd-advanced-$boot_device_id>netbsd-${loader}-$kernel-$type-$boot_device_id")"
fi
- echo "menuentry '$(echo "$title" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-$kernel-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$title" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-$kernel-$type-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
else
- echo "menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-simple-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
fi
printf "%s\n" "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/"
--- a/util/grub.d/10_windows.in
+++ b/util/grub.d/10_windows.in
@@ -84,7 +84,7 @@
gettext_printf "Found %s on %s (%s)\n" "$OS" "$drv" "$dev" >&2
cat << EOF
-menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option '$osid-$(grub_get_device_id "${dev}")' {
+menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option '$osid-$(grub_get_device_id "${dev}")' ${permission} {
EOF
save_default_entry | sed -e 's,^,$grub_tab,'
--- a/util/grub.d/10_xnu.in
+++ b/util/grub.d/10_xnu.in
@@ -37,7 +37,7 @@
# TRANSLATORS: it refers on the OS residing on device %s
onstr="$(gettext_printf "(on %s)" "${GRUB_DEVICE}")"
cat << EOF
-menuentry '$(echo "Darwin/Mac OS X $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${GRUB_DEVICE}")' {
+menuentry '$(echo "Darwin/Mac OS X $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${GRUB_DEVICE}")' ${permission} {
EOF
save_default_entry | grub_add_tab
prepare_grub_to_access_device ${GRUB_DEVICE} | grub_add_tab
--- a/util/grub.d/20_linux_xen.in
+++ b/util/grub.d/20_linux_xen.in
@@ -94,6 +94,7 @@
if [ x$type != xsimple ] ; then
if [ x$type = xrecovery ] ; then
title="$(gettext_printf "%s, with Xen %s and Linux %s (%s)" "${os}" "${xen_version}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")"
+ [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu"
else
title="$(gettext_printf "%s, with Xen %s and Linux %s" "${os}" "${xen_version}" "${version}")"
fi
@@ -103,10 +104,10 @@
title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;"
grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")"
fi
- echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-$version-$type-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
else
title="$(gettext_printf "%s, with Xen hypervisor" "${os}")"
- echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-simple-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/"
fi
if [ x$type != xrecovery ] ; then
save_default_entry | grub_add_tab | sed "s/^/$submenu_indentation/"
--- a/util/grub.d/30_os-prober.in
+++ b/util/grub.d/30_os-prober.in
@@ -67,7 +67,7 @@
# TRANSLATORS: it refers on the OS residing on device %s
onstr="$(gettext_printf "(on %s)" "${DEVICE}")"
cat << EOF
-menuentry '$(echo "${LONGNAME} $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${DEVICE}")' {
+menuentry '$(echo "${LONGNAME} $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${DEVICE}")' ${permission} {
EOF
save_default_entry | grub_add_tab
prepare_grub_to_access_device ${DEVICE} | grub_add_tab
@@ -177,7 +177,7 @@
found_other_os=1
onstr="$(gettext_printf "(on %s)" "${DEVICE}")"
cat << EOF
-menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-chain-$(grub_get_device_id "${DEVICE}")' {
+menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-chain-$(grub_get_device_id "${DEVICE}")' ${permission} {
EOF
save_default_entry | grub_add_tab
prepare_grub_to_access_device ${DEVICE} | grub_add_tab
@@ -210,7 +210,7 @@
DEVICE=${DEVICE%@*}
onstr="$(gettext_printf "(on %s)" "${DEVICE}")"
cat << EOF
-menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-efi-$(grub_get_device_id "${DEVICE}")' {
+menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-efi-$(grub_get_device_id "${DEVICE}")' ${permission} {
EOF
save_default_entry | sed -e "s/^/\t/"
prepare_grub_to_access_device ${DEVICE} | sed -e "s/^/\t/"
@@ -268,7 +268,7 @@
if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
cat << EOF
-menuentry '$(echo "$OS $onstr" | grub_quote)' --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-simple-$boot_device_id' {
+menuentry '$(echo "$OS $onstr" | grub_quote)' --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-simple-$boot_device_id' ${permission} {
EOF
save_default_entry | grub_add_tab
printf '%s\n' "${prepare_boot_cache}"
@@ -326,7 +326,7 @@
found_other_os=1
onstr="$(gettext_printf "(on %s)" "${DEVICE}")"
cat << EOF
-menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class hurd --class gnu --class os \$menuentry_id_option 'osprober-gnuhurd-/boot/gnumach.gz-false-$(grub_get_device_id "${DEVICE}")' {
+menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class hurd --class gnu --class os \$menuentry_id_option 'osprober-gnuhurd-/boot/gnumach.gz-false-$(grub_get_device_id "${DEVICE}")' ${permission} {
EOF
save_default_entry | grub_add_tab
prepare_grub_to_access_device ${DEVICE} | grub_add_tab
@@ -351,7 +351,7 @@
;;
minix)
cat << EOF
-menuentry "${LONGNAME} (on ${DEVICE}, Multiboot)" {
+menuentry "${LONGNAME} (on ${DEVICE}, Multiboot)" ${permission} {
EOF
save_default_entry | sed -e "s/^/\t/"
prepare_grub_to_access_device ${DEVICE} | sed -e "s/^/\t/"
--- a/util/grub.d/30_uefi-firmware.in
+++ b/util/grub.d/30_uefi-firmware.in
@@ -39,7 +39,7 @@
onstr="$(gettext_printf "(on %s)" "${DEVICE}")"
cat << EOF
-menuentry '$LABEL' \$menuentry_id_option 'uefi-firmware' {
+menuentry '$LABEL' \$menuentry_id_option 'uefi-firmware' ${permission} {
fwsetup
}
EOF
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
