On Sunday, 06.09.2009, at 14:57 +0100, Colin Watson wrote:
> On Sun, Sep 06, 2009 at 03:43:46PM +0200, Felix Zielcke wrote:
> > On Sunday, 06.09.2009, at 14:38 +0100, Colin Watson wrote:
> > > I think it'd be more sensible to do this in grub-mkconfig itself - it
> > > doesn't really fit well into the /etc/grub.d/ hook system, which is
> > > really just for generating output.
> >
> > You mean we check with grep if there's a password line in the generated
> > config and then just use chmod 400 instead of 444?
> > Sounds good.
>
> Yeah, that kind of thing.
>
OK, here's a patch now. Robert, do you think this can go into 1.97?

--
Felix Zielcke
Proud Debian Maintainer
2009-09-06 Felix Zielcke <fziel...@z-51.de> * util/grub-mkconfig.in: Make generated config file mode 400 if it contains a password and print a warning if it fails. Index: util/grub-mkconfig.in =================================================================== --- util/grub-mkconfig.in (revision 2574) +++ util/grub-mkconfig.in (working copy) @@ -260,6 +260,11 @@ for i in ${grub_mkconfig_dir}/* ; do esac done +if [ "x${grub_cfg}" != "x" ] && grep -q "^password " ${grub_cfg}.new ; then + chmod 400 ${grub_cfg}.new || grub_warn "Could not make ${grub_cfg}.new readable by only root.\ + This means your password is readable by everyone" +fi + if test "x${grub_cfg}" != "x" ; then # none of the children aborted with error, install the new grub.cfg mv -f ${grub_cfg}.new ${grub_cfg}
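Review bot: The chmod 400 in the added block runs only after the for loop over ${grub_mkconfig_dir}/* has finished writing ${grub_cfg}.new, so the password sits in a file with whatever mode it was created with until the grep and chmod complete. Restricting permissions before the hooks write (for example a umask 077 around the generation, relaxed afterwards if no password line is found) would close that window. If chmod fails, grub_warn is the only consequence and the following mv -f still installs the readable file, so it is worth deciding whether that case should abort instead. The pattern "^password " matches only an unindented line with a single space after the keyword, so an indented or tab-separated password line is missed, and ${grub_cfg}.new is unquoted in both the grep and the chmod call, which breaks on a path containing whitespace. The backslash continuation inside the double-quoted warning also carries any leading whitespace of the continuation line into the message.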
_______________________________________________ Grub-devel mailing list Grub-devel@gnu.org http://lists.gnu.org/mailman/listinfo/grub-devel