aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDubiousjim <dubiousjim@gmail.com>2013-06-29 16:41:28 -0400
committerNatanael Copa <ncopa@alpinelinux.org>2013-06-30 11:20:34 +0000
commit083a16ab99577619894895087aec94cb039f3ceb (patch)
treeae705f3052ae8a1ec2b18ca94df175a49cd1e2cf
parent7558f26d28e1bcc6a62c42405c65ab14cc632ef3 (diff)
downloadaports-083a16ab99577619894895087aec94cb039f3ceb.tar.bz2
aports-083a16ab99577619894895087aec94cb039f3ceb.tar.xz
main/syslinux: hooks for bootloader password
We allow a password to be set in /etc/update-extlinux.conf. Instructions for generating this are in /etc/update-extlinux.conf. For reference, here is another (equivalent) way to generate the MD5 password: openssl passwd -1 -salt yy pass If one sets a password, one will presumably want to make /etc/update-extlinux.conf world-unreadable. We don't do that for you; however we do make sure when a password is present to make the /boot/extlinux.conf files we generate be world-unreadable. Of the auto-generated entries, only HDT (if this is generated) is now configured to respect the password; however, you can include "MENU PASSWD" in any entries you put in /etc/update-extlinux.d/. For example, I configure my BIOS to only boot from the internal drive, but I have an entry in /etc/update-extlinux.d that permits chain-booting from a USB key, and I have this entry configured to also require the password. (The BIOS is also passworded, so that these settings can't be changed willy-nilly.) Conflicts: main/syslinux/update-extlinux.conf
-rwxr-xr-xmain/syslinux/update-extlinux10
-rw-r--r--main/syslinux/update-extlinux.conf9
2 files changed, 19 insertions, 0 deletions
diff --git a/main/syslinux/update-extlinux b/main/syslinux/update-extlinux
index 0ba4bbf21d..0499f5f91a 100755
--- a/main/syslinux/update-extlinux
+++ b/main/syslinux/update-extlinux
@@ -134,6 +134,13 @@ for kernel in $(find /boot -name "vmlinuz-*" -type f); do
lst=$(($lst + 1))
done
+if [ -n "$password" ]; then
+ echo "NOESCAPE 1" >> $conf.new
+ echo "MENU MASTER PASSWD $password" >> $conf.new
+ echo "" >> $conf.new
+ chmod o-r $conf.new
+fi
+
everbose "$lst entries found."
for entry in /etc/update-extlinux.d/*; do
@@ -147,6 +154,9 @@ if [ -f "/boot/hdt.c32" ]; then
everbose "Found Hardware Detection Tool: /boot/hdt.c32"
echo "LABEL hdt" >> $conf.new
echo " MENU LABEL Hardware info" >> $conf.new
+ if [ -n "$password" ]; then
+ echo " MENU PASSWD" >> $conf.new
+ fi
echo " COM32 hdt.c32" >> $conf.new
if [ -f "/boot/memtest" ]; then
everbose "Found memtest86+: /boot/memtest"
diff --git a/main/syslinux/update-extlinux.conf b/main/syslinux/update-extlinux.conf
index 6c83349d4e..947dfde2a4 100644
--- a/main/syslinux/update-extlinux.conf
+++ b/main/syslinux/update-extlinux.conf
@@ -49,3 +49,12 @@ xen_opts=dom0_mem=256M
# if you download and install /boot/memtest, then if HDT is present it will use it, else a separate
# menu entry will be auto-generated for memtest
+
+# optional passwd
+# you can generate a MD5 password using: mkpasswd --salt=yy --method=md5
+# you can generate a SHA1 password using: printf '$4$%s$%s$\n' xxxxxx $(printf xxxxxxpass | openssl sha1 -binary | base64 | sed 's/=$//')
+# where yy are two "salt" characters from the set [./a-zA-Z0-9], and xxxxxx can be a longer "salt" from the same set
+# if you assign a password, you should make this file world-unreadable
+# if a password is assigned, the menu entries can't be edited at boot time, and HDT if present is password-protected
+# you can also include "MENU PASSWD" in any custom entries you have in /etc/update-extlinux.d/
+password=''