#!/bin/sh -e
if [ -d /sys/firmware/efi/efivars/ ]; then
grubdir=`echo "/boot/efi/EFI/centos/" | sed 's,//*,/,g'`
else
grubdir=`echo "/boot/grub2" | sed 's,//*,/,g'`
fi
PACKAGE_VERSION="2.02~beta2"
PACKAGE_NAME="GRUB"
self=`basename $0`
bindir="/usr/bin"
grub_mkpasswd="${bindir}/grub2-mkpasswd-pbkdf2"
# Usage: usage
# Print the usage.
usage () {
cat <<EOF
Usage: $0 [OPTION]
$0 prompts the user to set a password on the grub bootloader. The password
is written to a file named user.cfg which lives in the GRUB directory
located by default at ${grubdir}.
-h, --help print this message and exit
-v, --version print the version information and exit
-o, --output_path <DIRECTORY> put user.cfg in a user-selected directory
Report bugs at https://bugzilla.redhat.com.
EOF
}
argument () {
opt=$1
shift
if test $# -eq 0; then
gettext_printf "%s: option requires an argument -- \`%s'\n" "$self" "$opt" 1>&2
exit 1
fi
echo $1
}
# Ensure that it's the root user running this script
if [ "${EUID}" -ne 0 ]; then
echo "The grub bootloader password may only be set by root."
usage
exit 2
fi
# Check the arguments.
while test $# -gt 0
do
option=$1
shift
case "$option" in
-h | --help)
usage
exit 0 ;;
-v | --version)
echo "$self (${PACKAGE_NAME}) ${PACKAGE_VERSION}"
exit 0 ;;
-o | --output)
OUTPUT_PATH=`argument $option "$@"`; shift ;;
--output=*)
OUTPUT_PATH=`echo "$option" | sed 's/--output=//'` ;;
-o=*)
OUTPUT_PATH=`echo "$option" | sed 's/-o=//'` ;;
esac
done
# set user input or default path for user.cfg file
if [ -z "${OUTPUT_PATH}" ]; then
OUTPUT_PATH="${grubdir}"
fi
if [ ! -d "${OUTPUT_PATH}" ]; then
echo "${OUTPUT_PATH} does not exist."
usage
exit 2;
fi
ttyopt=$(stty -g)
fixtty() {
stty ${ttyopt}
}
trap fixtty EXIT
stty -echo
# prompt & confirm new grub2 root user password
echo -n "Enter password: "
read PASSWORD
echo
echo -n "Confirm password: "
read PASSWORD_CONFIRM
echo
stty ${ttyopt}
getpass() {
local P0
local P1
P0="$1" && shift
P1="$1" && shift
( echo ${P0} ; echo ${P1} ) | \
LC_ALL=C ${grub_mkpasswd} | \
grep -v '[eE]nter password:' | \
sed -e "s/PBKDF2 hash of your password is //"
}
MYPASS="$(getpass "${PASSWORD}" "${PASSWORD_CONFIRM}")"
if [ -z "${MYPASS}" ]; then
echo "${self}: error: empty password" 1>&2
exit 1
fi
# on the ESP, these will fail to set the permissions, but it's okay because
# the directory is protected.
install -m 0600 /dev/null "${OUTPUT_PATH}/user.cfg" 2>/dev/null || :
chmod 0600 "${OUTPUT_PATH}/user.cfg" 2>/dev/null || :
echo "GRUB2_PASSWORD=${MYPASS}" > "${OUTPUT_PATH}/user.cfg"
if ! grep -q "^### BEGIN /etc/grub.d/01_users ###$" "${OUTPUT_PATH}/grub.cfg"; then
echo "WARNING: The current configuration lacks password support!"
echo "Update your configuration with grub2-mkconfig to support this feature."
fi