Date: Fri, 28 Jun 2013 16:54:53 +0200
From: Natanael Copa
To: Dubiousjim
Cc: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] [PATCH 8/8] main/syslinux: hooks for bootloader password
Message-ID: <20130628165453.3e8fd072@ncopa-desktop.alpinelinux.org>
In-Reply-To: <8e59b6613a04739d2800a1bf8a317ff73523d096.1372318132.git.dubiousjim@gmail.com>

On Thu, 27 Jun 2013 03:32:21 -0400
Dubiousjim wrote:

> We allow a password to be set in /etc/update-extlinux.conf. This can be
> generated using a script we install that has a runtime dependency on perl and
> perl-digest-sha1. These only need to be in place when the password is first
> generated.
>
> If one sets a password, one will presumably want to make
> /etc/update-extlinux.conf world-unreadable. We don't do that for you; however
> we do make sure when a password is present to make the /boot/extlinux.conf
> files we generate world-unreadable.
>
> Of the auto-generated entries, only HDT (if this is generated) is now
> configured to respect the password; however, you can include "MENU PASSWD" in
> any entries you put in /etc/update-extlinux.d/.
>
> For example, I configure my BIOS to only boot from the internal drive, but I
> have an entry in /etc/update-extlinux.d that permits chain-booting from a USB
> key, and I have this entry configured to also require the password. (The BIOS
> is also passworded, so that these settings can't be changed willy-nilly.)
> ---
> main/syslinux/APKBUILD | 1 +
> main/syslinux/update-extlinux | 10 ++++++++++
> main/syslinux/update-extlinux.conf | 6 ++++++
> 3 files changed, 17 insertions(+)
> > diff --git a/main/syslinux/APKBUILD b/main/syslinux/APKBUILD > index 79d7e6c..a6c0f54 100644 > --- a/main/syslinux/APKBUILD > +++ b/main/syslinux/APKBUILD > @@ -39,6 +39,7 @@ build() { > package() { > cd "$_builddir" > make INSTALLROOT="$pkgdir" MANDIR=/usr/share/man local-install > + install -D -m755 utils/sha1pass "$pkgdir"/usr/sbin/sha1pass || return 1

I had a look at this script but I don't like it.

1) IMHO it's a useless use of perl. A tiny C app using crypt(3) would do the same job with fewer lines and without perl.

2) It requires that the password is specified on the command line. I think it should at least optionally be able to read it from stdin.

Looks like it supports sha256/sha512 passwords. Maybe we could use cryptpw instead? Could you please test if the cryptpw generated passwd works? If so, then we don't install sha1pass which does bad things.

> mkdir -p "$pkgdir"/etc/update-extlinux.d > cp "$srcdir"/update-extlinux.conf "$pkgdir"/etc/ > diff --git a/main/syslinux/update-extlinux b/main/syslinux/update-extlinux > index a8b0474..1bc7b3f 100755 > --- a/main/syslinux/update-extlinux > +++ b/main/syslinux/update-extlinux > @@ -134,6 +134,13 @@ for kernel in $(find /boot -name "vmlinuz-*" -type f); do > lst=$(($lst + 1)) > done > > +if [ -n "$password" ]; then > + echo "NOESCAPE 1" >> $conf.new > + echo "MENU MASTER PASSWD $password" >> $conf.new > + echo "" >> $conf.new > + chmod o-r $conf.new > +fi > + > everbose "$lst entries found." > > for entry in /etc/update-extlinux.d/*; do > @@ -147,6 +154,9 @@ if [ -f "/boot/hdt.c32" ]; then > everbose "Found Hardware Detection Tool: /boot/hdt.c32" > echo "LABEL hdt" >> $conf.new > echo " MENU LABEL Hardware info" >> $conf.new > + if [ -n "$password" ]; then > + echo " MENU PASSWD" >> $conf.new > + fi > echo " COM32 hdt.c32" >> $conf.new > if [ -f "/boot/memtest" ]; then > everbose "Found memtest86+: /boot/memtest"
> diff --git a/main/syslinux/update-extlinux.conf b/main/syslinux/update-extlinux.conf > index b548d7e..6cabc61 100644 > --- a/main/syslinux/update-extlinux.conf > +++ b/main/syslinux/update-extlinux.conf > @@ -45,3 +45,9 @@ xen_opts=dom0_mem=256M > > # none of /boot/memtest, /boot/hdt.c32, or /boot/reboot.c32 are installed by default > # but entries for them will be auto-generated if they're present > + > +# optional password > +# generate using /usr/sbin/sha1pass, which has a runtime dependency on perl and perl-digest-sha1 > +# of the auto-generated entries, only hdt (if present) is password-protected > +# but you can include "MENU PASSWD" in any entries in /etc/update-extlinux.d/ > +password=''
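Review bot: the APKBUILD hunk installs utils/sha1pass into the main package, yet the diffstat shows no change to the package's dependency list, so the script's runtime need for perl and perl-digest-sha1 (stated in the commit message) is neither declared nor documented in the package itself. If the script is kept, either move it to a subpackage that depends on perl and perl-digest-sha1 or note in the APKBUILD why the dependency is deliberately omitted; since it also takes the password as a command-line argument, where any local user can read it from the process list, replacing it with a tool that reads from stdin, as the reply suggests, is the cleaner fix.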
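Review bot: in the first update-extlinux hunk, `chmod o-r $conf.new` runs only after `echo "MENU MASTER PASSWD $password" >> $conf.new` has already written the hash; by this point the kernel entries have already been appended to $conf.new, so the file exists with whatever mode the umask gave it and is briefly world-readable with the hash inside. Move the `chmod o-r $conf.new` (or a `umask 077`) ahead of the echo lines, and check that the later step which puts $conf.new in place preserves that mode rather than recreating the file. Minor: `$conf.new` is unquoted in every redirection here while the surrounding script quotes its paths.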
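Review bot: in the second update-extlinux hunk only the hdt entry gets `MENU PASSWD`; the memtest entry generated in the trailing context stays unprotected, which the commit message presents as intended. A one-line comment above the `if [ -n "$password" ]` block stating that only hdt is guarded on purpose would stop the next reader from treating it as an oversight; if memtest should be guarded too, the same three-line block can be repeated after its `MENU LABEL` line.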
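Review bot: the update-extlinux.conf hunk needs a comment saying that the `password=''` value must stay in single quotes. This file is read by the update-extlinux shell script, and crypt-style hashes such as cryptpw produces contain `$` (for example `$5$salt$hash`); a user who pastes one inside double quotes will have `$5` expanded as a positional parameter and end up with a silently corrupted hash. The same comment block should also state that the file should be made unreadable to other users once a password is set (the commit message leaves this to the admin), and the reference to /usr/sbin/sha1pass must be updated if that script is dropped as the reply suggests.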
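The reply asks for a hash tool that reads the password from stdin instead of the command line and wonders whether cryptpw's sha256/sha512 output can replace sha1pass. As an added example that is not code from the patch, from Alpine or from syslinux, here is a self-contained implementation of the `$5$` sha256-crypt format that crypt(3) and busybox `cryptpw -m sha256` emit, reading the password from stdin; the function names and salt helper are my own, and the check value in the test is the "Hello world!" / "saltstring" vector from the sha-crypt specification.

```python
import hashlib, os, sys

# crypt(3)'s base64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# byte order in which sha256-crypt emits the final digest (10 triples + a pair)
_ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
          (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]


def sha256_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Return the $5$ hash of password, the format crypt(3) and cryptpw -m sha256 emit."""
    salt = salt[:16]                        # the format uses at most 16 salt bytes
    rounds = min(max(rounds, 1000), 999999999)
    H = lambda *parts: hashlib.sha256(b"".join(parts)).digest()
    b = H(password, salt, password)         # digest B = H(key || salt || key)
    a = hashlib.sha256(password + salt)     # digest A: key || salt, ...
    n = len(password)
    while n > 32:                           # ... B once per 32 key bytes (plus remainder), ...
        a.update(b); n -= 32
    a.update(b[:n])
    n = len(password)
    while n > 0:                            # ... then B or key for each bit of len(key)
        a.update(b if n & 1 else password); n >>= 1
    a = a.digest()
    p = (H(password * len(password)) * (len(password) // 32 + 1))[:len(password)]
    s = H(salt * (16 + a[0]))[:len(salt)]   # salt is <= 16 bytes, so one digest suffices
    c = a
    for i in range(rounds):                 # the stretching loop
        h = hashlib.sha256()
        h.update(p if i & 1 else c)
        if i % 3: h.update(s)
        if i % 7: h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    out = ""
    for b2, b1, b0 in _ORDER:
        w = (c[b2] << 16) | (c[b1] << 8) | c[b0]
        for _ in range(4):
            out += ITOA64[w & 0x3F]; w >>= 6
    w = (c[31] << 8) | c[30]                # the last two bytes give three characters
    for _ in range(3):
        out += ITOA64[w & 0x3F]; w >>= 6
    prefix = "$5$" + ("" if rounds == 5000 else f"rounds={rounds}$")
    return prefix + salt.decode("ascii") + "$" + out


def new_salt() -> bytes:  # 16 characters from the crypt alphabet = 96 bits of salt
    return "".join(ITOA64[x & 0x3F] for x in os.urandom(16)).encode("ascii")


if __name__ == "__main__":
    pw = sys.stdin.readline().rstrip("\n").encode("utf-8")  # stdin, so never visible in ps
    print(sha256_crypt(pw, new_salt()))
```

Run as `printf '%s\n' "$PASS" | python3 sha256crypt.py`; the output is the value to place, single-quoted, in the `password=` setting, and matches what `cryptpw -m sha256` prints for the same password and salt.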