Hi,

Attached is a patch that Colin Watson and I worked on, based on the patch from this bug report. It hopefully addresses all concerns that were raised about the existing patch, and updates it to the existing codebase.

Please consider applying it. I would be happy to address any concerns that you have with the patch.

Thanks,

James
=== modified file 'debian/changelog' --- debian/changelog 2008-04-14 20:18:23 +0000 +++ debian/changelog 2008-04-15 00:54:11 +0000 @@ -1,8 +1,15 @@ grub-installer (1.27ubuntu7) UNRELEASED; urgency=low + [ Colin Watson ] * Backport from trunk: - Run grub in the chroot for password encryption. + [ James Westby ] + * Confirm the GRUB password after entry (LP: #42019). Note that + grub-installer/password-again must now be preseeded in addition to + grub-installer/password, and that grub-installer/password-crypted now + takes an MD5-crypted password rather than a boolean. + -- Colin Watson <[EMAIL PROTECTED]> Mon, 14 Apr 2008 21:17:08 +0100 grub-installer (1.27ubuntu6) hardy; urgency=low === modified file 'debian/grub-installer.templates' --- debian/grub-installer.templates 2008-03-11 20:46:22 +0000 +++ debian/grub-installer.templates 2008-04-15 00:54:11 +0000 @@ -81,11 +81,24 @@ . If you do not wish to set a GRUB password, leave this field blank. +Template: grub-installer/password-again +Type: password +# :sl2: +_Description: Re-enter password to verify: + Please enter the same GRUB password again to verify that you have typed it + correctly. + +Template: grub-installer/password-mismatch +Type: error +# :sl2: +_Description: Password input error + The two passwords you entered were not the same. Please try again. + +# Allow preseeding the GRUB password with a crypted password +# rather than cleartext Template: grub-installer/password-crypted -Type: boolean -Default: false +Type: password Description: for internal use; can be preseeded - Has the value of grub-installer/password already been encrypted? Template: grub-installer/apt-install-failed Type: error === modified file 'grub-installer' --- grub-installer 2008-04-14 20:18:23 +0000 +++ grub-installer 2008-04-15 00:54:11 +0000 
@@ -768,24 +768,67 @@ # Set up a password if asked if [ "$grub_version" = "grub" ] ; then - db_input low grub-installer/password || true - if ! db_go; then - # back up to menu - db_progress STOP - exit 10 - fi - db_get grub-installer/password + # Set up a password if asked or preseeded. + password= + db_get grub-installer/password-crypted if [ "$RET" ]; then + # password-crypted used to be a boolean template + if [ "$RET" = false ] || [ "$RET" = true ]; then + error "Preseeding of encrypted passwords changed! Check installation guide." + exit 1 + fi password="$RET" - # check if the password is crypted - db_get grub-installer/password-crypted - if [ "$RET" = false ]; then + else + PW_PRIO=low + while :; do + password="" + db_input $PW_PRIO grub-installer/password || true + if ! db_go; then + # back up to menu + db_progress STOP + exit 10 + fi + + db_get grub-installer/password + if [ "$RET" ]; then + password="$RET" + db_input $PW_PRIO grub-installer/password-again || true + if ! db_go; then + db_progress STOP + exit 10 + fi + + db_get grub-installer/password-again + if [ "$password" = "$RET" ]; then + break + else + db_input critical grub-installer/password-mismatch || true + if ! 
db_go; then + db_progress STOP + exit 10 + fi + fi + else + # The user doesn't want a password + break + fi + # We only get here if passwords don't match + PW_PRIO=critical + db_set grub-installer/password "" + db_set grub-installer/password-again "" + db_fset grub-installer/password seen false + db_fset grub-installer/password-again seen false + done + if [ "$password" ]; then password=$(echo -e "md5crypt\n$password" | \ $chroot $ROOT \ grub --batch --device-map=/dev/null 2>&1 | \ grep "^Encrypted:" | cut -d' ' -f2) fi - echo "password --md5 $password" >/tmp/menu.lst.password + fi + + if [ "$password" ]; then + echo "password --md5 $password" >>/tmp/menu.lst.password # Add a line to menu.lst to use the given password # The line is appended after the commented example sed -i '/^# password/r /tmp/menu.lst.password' $ROOT/boot/grub/$menu_file
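Review bot: In debian/grub-installer.templates, grub-installer/password-crypted changes from Type: boolean to Type: password, but its extended description is removed rather than replaced, so the template no longer says what value it expects. Add a description line stating that the value must be an MD5-crypted hash (the form that grub's md5crypt prints), so that someone preseeding this key sees the new format next to the key itself and not only in the changelog.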
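Review bot: In the grub-installer hunk, the final test if [ "$password" ] cannot tell "the user left the field blank" from "the md5crypt pipeline produced no Encrypted: line", so a failed hash falls through and the install continues with no GRUB password even though the user entered and confirmed one. Treat an empty result after a non-empty, confirmed password as an error (report it and exit, as the true/false preseed check does) instead of skipping the menu.lst update. Two smaller points in the same hunk: the preseeded password-crypted value is only compared against true and false before being written after password --md5, so a cleartext value preseeded by mistake ends up in menu.lst as if it were a hash, and a check for the $1$ prefix would catch that. The redirect also changes from > to >>, so if /tmp/menu.lst.password already exists from an earlier run, the sed r insertion copies every accumulated line into menu.lst; keep > or remove the file before writing.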