Bug#321109: [PATCH] grub-installer password confirmation

To: 321109@bugs.debian.org
Subject: Bug#321109: [PATCH] grub-installer password confirmation
From: James Westby <jw+debian@jameswestby.net>
Date: Thu, 17 Apr 2008 11:16:20 +0100
Message-id: <[🔎] 1208427380.6521.0.camel@flash>
Reply-to: James Westby <jw+debian@jameswestby.net>, 321109@bugs.debian.org

Hi,

Attached is a patch that myself and Colin Watson worked on, based
on the patch from this bug report. It hopefully addresses all concerns
that were raised about the existing patch, and updates it to the 
existing codebase.

Please consider applying it. I would be happy to address any concerns
that you have with the patch.

Thanks,

James

=== modified file 'debian/changelog'
--- debian/changelog	2008-04-14 20:18:23 +0000
+++ debian/changelog	2008-04-15 00:54:11 +0000
@@ -1,8 +1,15 @@
 grub-installer (1.27ubuntu7) UNRELEASED; urgency=low
 
+  [ Colin Watson ]
   * Backport from trunk:
     - Run grub in the chroot for password encryption.
 
+  [ James Westby ]
+  * Confirm the GRUB password after entry (LP: #42019). Note that
+    grub-installer/password-again must now be preseeded in addition to
+    grub-installer/password, and that grub-installer/password-crypted now
+    takes an MD5-crypted password rather than a boolean.
+
  -- Colin Watson <cjwatson@ubuntu.com>  Mon, 14 Apr 2008 21:17:08 +0100
 
 grub-installer (1.27ubuntu6) hardy; urgency=low

=== modified file 'debian/grub-installer.templates'
--- debian/grub-installer.templates	2008-03-11 20:46:22 +0000
+++ debian/grub-installer.templates	2008-04-15 00:54:11 +0000
@@ -81,11 +81,24 @@
  .
  If you do not wish to set a GRUB password, leave this field blank.
 
+Template: grub-installer/password-again
+Type: password
+# :sl2:
+_Description: Re-enter password to verify:
+ Please enter the same GRUB password again to verify that you have typed it
+ correctly.
+
+Template: grub-installer/password-mismatch
+Type: error
+# :sl2:
+_Description: Password input error
+ The two passwords you entered were not the same. Please try again.
+
+# Allow preseeding the GRUB password with a crypted password
+# rather than cleartext
 Template: grub-installer/password-crypted
-Type: boolean
-Default: false
+Type: password
 Description: for internal use; can be preseeded
- Has the value of grub-installer/password already been encrypted?
 
 Template: grub-installer/apt-install-failed
 Type: error

=== modified file 'grub-installer'
--- grub-installer	2008-04-14 20:18:23 +0000
+++ grub-installer	2008-04-15 00:54:11 +0000
@@ -768,24 +768,67 @@
 
 # Set up a password if asked
 if [ "$grub_version" = "grub" ] ; then
-	db_input low grub-installer/password || true
-	if ! db_go; then
-		# back up to menu
-		db_progress STOP
-		exit 10
-	fi
-	db_get grub-installer/password
+	# Set up a password if asked or preseeded.
+	password=
+	db_get grub-installer/password-crypted
 	if [ "$RET" ]; then
+		# password-crypted used to be a boolean template
+		if [ "$RET" = false ] || [ "$RET" = true ]; then
+			error "Preseeding of encrypted passwords changed! Check installation guide."
+			exit 1
+		fi
 		password="$RET"
-		# check if the password is crypted
-		db_get grub-installer/password-crypted
-		if [ "$RET" = false ]; then
+	else
+		PW_PRIO=low
+		while :; do
+			password=""
+			db_input $PW_PRIO grub-installer/password || true
+			if ! db_go; then
+				# back up to menu
+				db_progress STOP
+				exit 10
+			fi
+
+			db_get grub-installer/password
+			if [ "$RET" ]; then
+				password="$RET"
+				db_input $PW_PRIO grub-installer/password-again || true
+				if ! db_go; then
+					db_progress STOP
+					exit 10
+				fi
+				
+				db_get grub-installer/password-again
+				if [ "$password" = "$RET" ]; then
+					break
+				else
+					db_input critical grub-installer/password-mismatch || true
+					if ! db_go; then
+						db_progress STOP
+						exit 10
+					fi
+				fi
+			else
+				# The user doesn't want a password
+				break
+			fi
+			# We only get here if passwords don't match
+			PW_PRIO=critical
+			db_set grub-installer/password ""
+			db_set grub-installer/password-again ""
+			db_fset grub-installer/password seen false
+			db_fset grub-installer/password-again seen false
+		done
+		if [ "$password" ]; then
 			password=$(echo -e "md5crypt\n$password" | \
 				   $chroot $ROOT \
 				   grub --batch --device-map=/dev/null 2>&1 | \
 				   grep "^Encrypted:" | cut -d' ' -f2)
 		fi
-		echo "password --md5 $password" >/tmp/menu.lst.password
+	fi
+
+	if [ "$password" ]; then
+		echo "password --md5 $password" >>/tmp/menu.lst.password
 		# Add a line to menu.lst to use the given password
 		# The line is appended after the commented example
 		sed -i '/^# password/r /tmp/menu.lst.password' $ROOT/boot/grub/$menu_file

Reply to:

Follow-Ups:
- Bug#321109: [PATCH] grub-installer password confirmation
  - From: Frans Pop <elendil@planet.nl>

Prev by Date: Bug#476524: debian-installer: DI Manual Bug: the use of killall.sh as described kills itself
Next by Date: Bug#476540: Allow preseeding of netcfg/choose_interface=none
Previous by thread: Bug#476524: debian-installer: DI Manual Bug: the use of killall.sh as described kills itself
Next by thread: Bug#321109: [PATCH] grub-installer password confirmation
Index(es):
- Date
- Thread