usr/sbin/grub2-setpassword000075500000005731147207356720011656 0ustar00#!/bin/sh -e if [ -d /sys/firmware/efi/efivars/ ]; then grubdir=`echo "/boot/efi/EFI/centos/" | sed 's,//*,/,g'` else grubdir=`echo "/boot/grub2" | sed 's,//*,/,g'` fi PACKAGE_VERSION="2.02~beta2" PACKAGE_NAME="GRUB" self=`basename $0` bindir="/usr/bin" grub_mkpasswd="${bindir}/grub2-mkpasswd-pbkdf2" # Usage: usage # Print the usage. usage () { cat < put user.cfg in a user-selected directory Report bugs at https://bugzilla.redhat.com. EOF } argument () { opt=$1 shift if test $# -eq 0; then gettext_printf "%s: option requires an argument -- \`%s'\n" "$self" "$opt" 1>&2 exit 1 fi echo $1 } # Ensure that it's the root user running this script if [ "${EUID}" -ne 0 ]; then echo "The grub bootloader password may only be set by root." usage exit 2 fi # Check the arguments. while test $# -gt 0 do option=$1 shift case "$option" in -h | --help) usage exit 0 ;; -v | --version) echo "$self (${PACKAGE_NAME}) ${PACKAGE_VERSION}" exit 0 ;; -o | --output) OUTPUT_PATH=`argument $option "$@"`; shift ;; --output=*) OUTPUT_PATH=`echo "$option" | sed 's/--output=//'` ;; -o=*) OUTPUT_PATH=`echo "$option" | sed 's/-o=//'` ;; esac done # set user input or default path for user.cfg file if [ -z "${OUTPUT_PATH}" ]; then OUTPUT_PATH="${grubdir}" fi if [ ! -d "${OUTPUT_PATH}" ]; then echo "${OUTPUT_PATH} does not exist." usage exit 2; fi ttyopt=$(stty -g) fixtty() { stty ${ttyopt} } trap fixtty EXIT stty -echo # prompt & confirm new grub2 root user password echo -n "Enter password: " read PASSWORD echo echo -n "Confirm password: " read PASSWORD_CONFIRM echo stty ${ttyopt} getpass() { local P0 local P1 P0="$1" && shift P1="$1" && shift ( echo ${P0} ; echo ${P1} ) | \ LC_ALL=C ${grub_mkpasswd} | \ grep -v '[eE]nter password:' | \ sed -e "s/PBKDF2 hash of your password is //" } MYPASS="$(getpass "${PASSWORD}" "${PASSWORD_CONFIRM}")" if [ -z "${MYPASS}" ]; then echo "${self}: error: empty password" 1>&2 exit 1 fi # on the ESP, these will fail to set the permissions, but it's okay because # the directory is protected. install -m 0600 /dev/null "${OUTPUT_PATH}/user.cfg" 2>/dev/null || : chmod 0600 "${OUTPUT_PATH}/user.cfg" 2>/dev/null || : echo "GRUB2_PASSWORD=${MYPASS}" > "${OUTPUT_PATH}/user.cfg" if ! grep -q "^### BEGIN /etc/grub.d/01_users ###$" "${OUTPUT_PATH}/grub.cfg"; then echo "WARNING: The current configuration lacks password support!" echo "Update your configuration with grub2-mkconfig to support this feature." fi