diff options
| author | Dubiousjim <dubiousjim@gmail.com> | 2013-06-29 16:41:28 -0400 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-30 11:20:34 +0000 |
| commit | 083a16ab99577619894895087aec94cb039f3ceb (patch) | |
| tree | ae705f3052ae8a1ec2b18ca94df175a49cd1e2cf | |
| parent | 7558f26d28e1bcc6a62c42405c65ab14cc632ef3 (diff) | |
| download | aports-083a16ab99577619894895087aec94cb039f3ceb.tar.bz2 aports-083a16ab99577619894895087aec94cb039f3ceb.tar.xz | |
main/syslinux: hooks for bootloader password
We allow a password to be set in /etc/update-extlinux.conf. Instructions for
generating this are in /etc/update-extlinux.conf. For reference, here is another
(equivalent) way to generate the MD5 password: openssl passwd -1 -salt yy pass
If one sets a password, one will presumably want to make
/etc/update-extlinux.conf world-unreadable. We don't do that for you; however
we do make sure when a password is present to make the /boot/extlinux.conf
files we generate be world-unreadable.
Of the auto-generated entries, only HDT (if this is generated) is now
configured to respect the password; however, you can include "MENU PASSWD" in
any entries you put in /etc/update-extlinux.d/.
For example, I configure my BIOS to only boot from the internal drive, but I
have an entry in /etc/update-extlinux.d that permits chain-booting from a USB
key, and I have this entry configured to also require the password. (The BIOS
is also passworded, so that these settings can't be changed willy-nilly.)
Conflicts:
main/syslinux/update-extlinux.conf
| -rwxr-xr-x | main/syslinux/update-extlinux | 10 | ||||
| -rw-r--r-- | main/syslinux/update-extlinux.conf | 9 |
2 files changed, 19 insertions, 0 deletions
diff --git a/main/syslinux/update-extlinux b/main/syslinux/update-extlinux index 0ba4bbf21..0499f5f91 100755 --- a/main/syslinux/update-extlinux +++ b/main/syslinux/update-extlinux @@ -134,6 +134,13 @@ for kernel in $(find /boot -name "vmlinuz-*" -type f); do lst=$(($lst + 1)) done +if [ -n "$password" ]; then + echo "NOESCAPE 1" >> $conf.new + echo "MENU MASTER PASSWD $password" >> $conf.new + echo "" >> $conf.new + chmod o-r $conf.new +fi + everbose "$lst entries found." for entry in /etc/update-extlinux.d/*; do @@ -147,6 +154,9 @@ if [ -f "/boot/hdt.c32" ]; then everbose "Found Hardware Detection Tool: /boot/hdt.c32" echo "LABEL hdt" >> $conf.new echo " MENU LABEL Hardware info" >> $conf.new + if [ -n "$password" ]; then + echo " MENU PASSWD" >> $conf.new + fi echo " COM32 hdt.c32" >> $conf.new if [ -f "/boot/memtest" ]; then everbose "Found memtest86+: /boot/memtest" diff --git a/main/syslinux/update-extlinux.conf b/main/syslinux/update-extlinux.conf index 6c83349d4..947dfde2a 100644 --- a/main/syslinux/update-extlinux.conf +++ b/main/syslinux/update-extlinux.conf @@ -49,3 +49,12 @@ xen_opts=dom0_mem=256M # if you download and install /boot/memtest, then if HDT is present it will use it, else a separate # menu entry will be auto-generated for memtest + +# optional passwd +# you can generate a MD5 password using: mkpasswd --salt=yy --method=md5 +# you can generate a SHA1 password using: printf '$4$%s$%s$\n' xxxxxx $(printf xxxxxxpass | openssl sha1 -binary | base64 | sed 's/=$//') +# where yy are two "salt" characters from the set [./a-zA-Z0-9], and xxxxxx can be a longer "salt" from the same set +# if you assign a password, you should make this file world-unreadable +# if a password is assigned, the menu entries can't be edited at boot time, and HDT if present is password-protected +# you can also include "MENU PASSWD" in any custom entries you have in /etc/update-extlinux.d/ +password='' |