--- a/util/grub.d/00_header.in +++ b/util/grub.d/00_header.in @@ -388,3 +388,14 @@ if [ "x${GRUB_BADRAM}" != "x" ] ; then echo "badram ${GRUB_BADRAM}" fi + +# +# Setting up lhm password protection with password read from debconf param. +# +if [ "$secure_recovery_shell" = "true" ]; then + grubsu_GRUB_PASSWORD=$(debconf-show grub-pc | grep grub-pc/grub_password | awk '{ print $NF }') + echo "set superusers='grubsu'" + echo "password_pbkdf2 grubsu $grubsu_GRUB_PASSWORD" +fi + + --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in @@ -114,9 +114,12 @@ if [ x$type != xsimple ] ; then case $type in recovery) - title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" ;; + title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" + [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu" + ;; *) - title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")" ;; + title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")" + ;; esac if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')" 
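Review bot: The value read into `grubsu_GRUB_PASSWORD` in the new `secure_recovery_shell` block of 00_header.in is written to the config unchecked, so an empty or non-hash result from the `debconf-show | grep | awk` pipeline still emits `set superusers='grubsu'` followed by an unusable `password_pbkdf2` line. Because grub-mkconfig_lib.in defaults `secure_recovery_shell` to `true` when debconf returns nothing, a system without the debconf answer takes this path, and the likely result is that nobody can unlock the restricted entries or the GRUB command line. Taking the last whitespace-separated field also depends on the exact `debconf-show` output format, which may not print password-type values at all; that should be confirmed. I would emit the two lines only when the value looks like a `grub.pbkdf2.` hash and fail loudly otherwise, as below.

```shell
if [ "$secure_recovery_shell" = "true" ]; then
  grubsu_GRUB_PASSWORD=$(debconf-show grub-pc | grep grub-pc/grub_password | awk '{ print $NF }')
  case "$grubsu_GRUB_PASSWORD" in
    grub.pbkdf2.*)
      echo "set superusers='grubsu'"
      echo "password_pbkdf2 grubsu $grubsu_GRUB_PASSWORD"
      ;;
    *)
      # Refuse to write a superuser without a usable hash.
      echo "grub-pc/grub_password does not hold a PBKDF2 hash; not writing superuser settings" >&2
      exit 1
      ;;
  esac
fi
```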
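Review bot: `permission` is overwritten with `--users grubsu` in the `recovery)` arm of 10_linux.in, but the `*)` arm never sets it back, so once a recovery entry has been generated every later entry written by this script would carry `--users grubsu` as well. Whether that happens depends on the surrounding code running again for further kernels, which is outside this hunk, but the variable is a global initialised once in grub-mkconfig_lib.in. Resetting it in the default arm, e.g. `[ "$secure_recovery_shell" = "false" ] || permission="--unrestricted"`, keeps normal entries bootable without the password. The same pattern appears in the recovery branches of 10_hurd.in, 10_kfreebsd.in, 10_netbsd.in and 20_linux_xen.in.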
@@ -124,9 +127,9 @@ title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/" else - echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/" fi if [ "$quick_boot" = 1 ]; then echo " recordfail" | sed "s/^/$submenu_indentation/" --- a/util/grub-mkconfig_lib.in +++ b/util/grub-mkconfig_lib.in @@ -393,3 +393,12 @@ sed -e "s/^/$grub_tab/" } +# +# Get debconf parameter without +# +secure_recovery_shell=$(debconf-show grub-pc | grep grub-pc/secure_recoveryshell | awk '{ print $NF }') +[ -n "$secure_recovery_shell" ] || secure_recovery_shell="true" +[ "$secure_recovery_shell" = "false" ] || permission="--unrestricted" + + + --- a/util/grub.d/10_hurd.in +++ b/util/grub.d/10_hurd.in 
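Review bot: The setting is tested two different ways: grub-mkconfig_lib.in and the recovery branches treat anything other than `false` as enabled, while 00_header.in writes the superuser and password only when the value is exactly `true`. A stored value such as `yes` would therefore tag entries with `--unrestricted` and `--users grubsu` without any `superusers` being defined, which presumably leaves the recovery entries unprotected with no warning. Normalising once here, for example `[ "$secure_recovery_shell" = "false" ] || secure_recovery_shell="true"` in place of the `-n` test, makes every consumer agree. The comment above the assignment is also cut off after "without"; it should say what is read and what the default is, e.g. `# Read grub-pc/secure_recoveryshell from debconf; default to "true" when unset.`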
@@ -89,6 +89,7 @@ if [ x$type != xsimple ] ; then if [ x$type = xrecovery ] ; then title="$(gettext_printf "%s, with Hurd %s (%s)" "${OS}" "${kernel_base}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" + [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu" oldtitle="$OS using $kernel_base ($GRUB_RECOVERY_TITLE)" else title="$(gettext_printf "%s, with Hurd %s" "${OS}" "${kernel_base}")" @@ -100,11 +101,11 @@ grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnuhurd-advanced-$boot_device_id>'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")'")" fi sed "s/^/$submenu_indentation/" << EOF -menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' { +menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' ${permission} { EOF else sed "s/^/$submenu_indentation/" << EOF -menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-simple-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' { +menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-simple-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' ${permission} { EOF fi --- a/util/grub.d/10_illumos.in +++ b/util/grub.d/10_illumos.in @@ -34,7 +34,7 @@ ;; esac -echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'illumos-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' {" +echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'illumos-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' ${permission} {" save_default_entry | grub_add_tab prepare_grub_to_access_device "${GRUB_DEVICE_BOOT}" | grub_add_tab message="$(gettext_printf "Loading kernel of Illumos ...")" --- a/util/grub.d/10_kfreebsd.in +++ b/util/grub.d/10_kfreebsd.in 
@@ -77,6 +77,7 @@ if [ x$type != xsimple ] ; then if [ x$type = xrecovery ] ; then title="$(gettext_printf "%s, with kFreeBSD %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" + [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu" else title="$(gettext_printf "%s, with kFreeBSD %s" "${os}" "${version}")" fi @@ -86,9 +87,9 @@ title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "kfreebsd-advanced-$boot_device_id>kfreebsd-$version-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-$version-$type-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/" else - echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-simple-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/" fi if [ x$type != xrecovery ] ; then save_default_entry | grub_add_tab | sed "s/^/$submenu_indentation/" --- a/util/grub.d/10_netbsd.in +++ b/util/grub.d/10_netbsd.in 
@@ -103,6 +103,7 @@ if [ x$type != xsimple ] ; then if [ x$type = xrecovery ] ; then title="$(gettext_printf "%s, with kernel %s (via %s, %s)" "${OS}" "$(echo ${kernel} | sed -e 's,^.*/,,')" "${loader}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" + [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu" else title="$(gettext_printf "%s, with kernel %s (via %s)" "${OS}" "$(echo ${kernel} | sed -e 's,^.*/,,')" "${loader}")" fi @@ -113,9 +114,9 @@ grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "netbsd-advanced-$boot_device_id>netbsd-${loader}-$kernel-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-$kernel-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-$kernel-$type-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/" else - echo "menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-simple-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/" fi printf "%s\n" "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/" --- a/util/grub.d/10_windows.in +++ b/util/grub.d/10_windows.in @@ -84,7 +84,7 @@ gettext_printf "Found %s on %s (%s)\n" "$OS" "$drv" "$dev" >&2 cat << EOF -menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option '$osid-$(grub_get_device_id "${dev}")' { +menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option '$osid-$(grub_get_device_id "${dev}")' ${permission} { EOF save_default_entry | sed -e 's,^,$grub_tab,' --- a/util/grub.d/10_xnu.in +++ b/util/grub.d/10_xnu.in 
@@ -37,7 +37,7 @@ # TRANSLATORS: it refers on the OS residing on device %s onstr="$(gettext_printf "(on %s)" "${GRUB_DEVICE}")" cat << EOF -menuentry '$(echo "Darwin/Mac OS X $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${GRUB_DEVICE}")' { +menuentry '$(echo "Darwin/Mac OS X $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${GRUB_DEVICE}")' ${permission} { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${GRUB_DEVICE} | grub_add_tab --- a/util/grub.d/20_linux_xen.in +++ b/util/grub.d/20_linux_xen.in @@ -94,6 +94,7 @@ if [ x$type != xsimple ] ; then if [ x$type = xrecovery ] ; then title="$(gettext_printf "%s, with Xen %s and Linux %s (%s)" "${os}" "${xen_version}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" + [ "$secure_recovery_shell" = "false" ] || permission="--users grubsu" else title="$(gettext_printf "%s, with Xen %s and Linux %s" "${os}" "${xen_version}" "${version}")" fi 
@@ -103,10 +104,10 @@ title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-$version-$type-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/" else title="$(gettext_printf "%s, with Xen hypervisor" "${os}")" - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-simple-$boot_device_id' ${permission} {" | sed "s/^/$submenu_indentation/" fi if [ x$type != xrecovery ] ; then save_default_entry | grub_add_tab | sed "s/^/$submenu_indentation/" --- a/util/grub.d/30_os-prober.in +++ b/util/grub.d/30_os-prober.in @@ -67,7 +67,7 @@ # TRANSLATORS: it refers on the OS residing on device %s onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${DEVICE}")' ${permission} { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${DEVICE} | grub_add_tab 
@@ -177,7 +177,7 @@ found_other_os=1 onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-chain-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-chain-$(grub_get_device_id "${DEVICE}")' ${permission} { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${DEVICE} | grub_add_tab @@ -210,7 +210,7 @@ address@hidden onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-efi-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-efi-$(grub_get_device_id "${DEVICE}")' ${permission} { EOF save_default_entry | sed -e "s/^/\t/" prepare_grub_to_access_device ${DEVICE} | sed -e "s/^/\t/" @@ -268,7 +268,7 @@ if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then cat << EOF -menuentry '$(echo "$OS $onstr" | grub_quote)' --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-simple-$boot_device_id' { +menuentry '$(echo "$OS $onstr" | grub_quote)' --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-simple-$boot_device_id' ${permission} { EOF save_default_entry | grub_add_tab printf '%s\n' "${prepare_boot_cache}" 
@@ -326,7 +326,7 @@ found_other_os=1 onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class hurd --class gnu --class os \$menuentry_id_option 'osprober-gnuhurd-/boot/gnumach.gz-false-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class hurd --class gnu --class os \$menuentry_id_option 'osprober-gnuhurd-/boot/gnumach.gz-false-$(grub_get_device_id "${DEVICE}")' ${permission} { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${DEVICE} | grub_add_tab @@ -351,7 +351,7 @@ ;; minix) cat << EOF -menuentry "${LONGNAME} (on ${DEVICE}, Multiboot)" { +menuentry "${LONGNAME} (on ${DEVICE}, Multiboot)" ${permission} { EOF save_default_entry | sed -e "s/^/\t/" prepare_grub_to_access_device ${DEVICE} | sed -e "s/^/\t/" --- a/util/grub.d/30_uefi-firmware.in +++ b/util/grub.d/30_uefi-firmware.in @@ -39,7 +39,7 @@ onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$LABEL' \$menuentry_id_option 'uefi-firmware' { +menuentry '$LABEL' \$menuentry_id_option 'uefi-firmware' ${permission} { fwsetup } EOF
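Review bot: The `uefi-firmware` entry in 30_uefi-firmware.in receives `${permission}`, which is `--unrestricted` whenever the protection is enabled, so `fwsetup` stays reachable from the menu without the GRUB password. If the goal is to stop someone at the console from getting around the protected recovery shell, firmware setup (boot order, boot device selection) is a comparable path unless a firmware password is set. Consider emitting `--users grubsu` for this entry, or add a comment stating that firmware setup is deliberately left open.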