>From 058e95249c7ab92e8fecfc2f3938600abd58eecd Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sat, 26 Dec 2015 21:53:30 +0100 Subject: [PATCH] Added GRUB_*_MENUENTRY_OPTIONS variables to configure menu entries. Useful for making each menuentry '--unrestricted' when using GRUBs password protection feature. Ansible role which makes use of this patch: https://github.com/debops/ansible-grub/pull/7 My indented use case is to allow to add options like '--unrestricted' or '--users "Jane"' to each menuentry generated by grub-mkconfig without altering the scripts itself. Although the scripts end up under /etc in Debian, I did not think that changing these files (and `dpkg-divert`ing them) would be such a good idea. I have been searching for how to configure password protection and I did only find "hacks" which either suggest to edit the grub config under /boot/grub (which is totally outdated because the configurations is automatically generated in Debian) or change the "CLASS" variable in the grub.d scripts [12]0_.* scripts. So I did go with the later option. Patching these scripts with configuration management was not ideal so I decided to propose this patch upstream. With this patch in place it will be possible to configure this in /etc/default/grub without touching the scripts. This patch addresses the issue which is mentioned in this article (At least when the assumption is true that all menuentry of the same distribution should get the same restrictions/options): https://help.ubuntu.com/community/Grub2/Passwords#Protecting_Menuentries "There is currently no automated method of adding users or designating menu items to be protected. The user must manually edit the GRUB 2 scripts." --- util/grub-mkconfig.in | 13 ++++++++++++- util/grub.d/10_hurd.in | 4 ++-- util/grub.d/10_illumos.in | 2 +- util/grub.d/10_kfreebsd.in | 4 ++-- util/grub.d/10_linux.in | 4 ++-- util/grub.d/10_netbsd.in | 4 ++-- util/grub.d/10_windows.in | 2 +- util/grub.d/10_xnu.in | 2 +- util/grub.d/20_linux_xen.in | 4 ++-- util/grub.d/30_os-prober.in | 14 +++++++------- 10 files changed, 32 insertions(+), 21 deletions(-) diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in index 3183744..d7fdd78 100644 --- a/util/grub-mkconfig.in +++ b/util/grub-mkconfig.in @@ -227,7 +227,18 @@ export GRUB_DEFAULT \ GRUB_ENABLE_CRYPTODISK \ GRUB_BADRAM \ GRUB_OS_PROBER_SKIP_LIST \ - GRUB_DISABLE_SUBMENU + GRUB_DISABLE_SUBMENU \ + GRUB_HURD_MENUENTRY_OPTIONS \ + GRUB_ILLUMOS_MENUENTRY_OPTIONS \ + GRUB_KFREEBSD_MENUENTRY_OPTIONS \ + GRUB_LINUX_MENUENTRY_OPTIONS \ + GRUB_NETBSD_MENUENTRY_OPTIONS \ + GRUB_WINDOWS_MENUENTRY_OPTIONS \ + GRUB_XNU_MENUENTRY_OPTIONS \ + GRUB_XEN_MENUENTRY_OPTIONS \ + GRUB_MINIX_MENUENTRY_OPTIONS \ + GRUB_OSX_MENUENTRY_OPTIONS \ + GRUB_EFI_MENUENTRY_OPTIONS if test "x${grub_cfg}" != "x"; then rm -f "${grub_cfg}.new" diff --git a/util/grub.d/10_hurd.in b/util/grub.d/10_hurd.in index 59a9a48..c07fbfd 100644 --- a/util/grub.d/10_hurd.in +++ b/util/grub.d/10_hurd.in @@ -100,11 +100,11 @@ hurd_entry () { grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnuhurd-advanced-$boot_device_id>'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")'")" fi sed "s/^/$submenu_indentation/" << EOF -menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' { +menuentry '$(echo "$title" | grub_quote)' ${GRUB_HURD_MENUENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' { EOF else sed "s/^/$submenu_indentation/" << EOF -menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-simple-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' { +menuentry '$(echo "$OS" | grub_quote)' ${GRUB_HURD_MENUENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'gnuhurd-simple-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' { EOF fi diff --git a/util/grub.d/10_illumos.in b/util/grub.d/10_illumos.in index a133e1b..76a5043 100644 --- a/util/grub.d/10_illumos.in +++ b/util/grub.d/10_illumos.in @@ -34,7 +34,7 @@ case "${GRUB_DISTRIBUTOR}" in ;; esac -echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'illumos-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' {" +echo "menuentry '$(echo "$OS" | grub_quote)' ${GRUB_ILLUMOS_MENUENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'illumos-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' {" save_default_entry | grub_add_tab prepare_grub_to_access_device "${GRUB_DEVICE_BOOT}" | grub_add_tab message="$(gettext_printf "Loading kernel of Illumos ...")" diff --git a/util/grub.d/10_kfreebsd.in b/util/grub.d/10_kfreebsd.in index 9d8e8fd..79005ed 100644 --- a/util/grub.d/10_kfreebsd.in +++ b/util/grub.d/10_kfreebsd.in @@ -86,9 +86,9 @@ kfreebsd_entry () title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "kfreebsd-advanced-$boot_device_id>kfreebsd-$version-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_KFREEBSD_MENUENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'kfreebsd-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" else - echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$OS" | grub_quote)' ${GRUB_KFREEBSD_MENUENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'kfreebsd-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" fi if [ x$type != xrecovery ] ; then save_default_entry | grub_add_tab | sed "s/^/$submenu_indentation/" diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in index 859b608..3fa8fb0 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in @@ -90,9 +90,9 @@ linux_entry () title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_LINUX_MENUENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" else - echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$os" | grub_quote)' ${GRUB_LINUX_MENUENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" fi if [ x$type != xrecovery ] ; then save_default_entry | grub_add_tab diff --git a/util/grub.d/10_netbsd.in b/util/grub.d/10_netbsd.in index 874f599..ed93123 100644 --- a/util/grub.d/10_netbsd.in +++ b/util/grub.d/10_netbsd.in @@ -113,9 +113,9 @@ netbsd_entry () grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "netbsd-advanced-$boot_device_id>netbsd-${loader}-$kernel-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-$kernel-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_NETBSD_MENUENTRY_OPTIONS} \$menuentry_id_option 'netbsd-${loader}-$kernel-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" else - echo "menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$OS" | grub_quote)' ${GRUB_NETBSD_MENUENTRY_OPTIONS} \$menuentry_id_option 'netbsd-${loader}-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" fi printf "%s\n" "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/" diff --git a/util/grub.d/10_windows.in b/util/grub.d/10_windows.in index 554c561..d766bd3 100644 --- a/util/grub.d/10_windows.in +++ b/util/grub.d/10_windows.in @@ -84,7 +84,7 @@ for drv in $drives ; do gettext_printf "Found %s on %s (%s)\n" "$OS" "$drv" "$dev" >&2 cat << EOF -menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option '$osid-$(grub_get_device_id "${dev}")' { +menuentry '$(echo "$OS" | grub_quote)' ${GRUB_WINDOWS_MENUENTRY_OPTIONS} \$menuentry_id_option '$osid-$(grub_get_device_id "${dev}")' { EOF save_default_entry | sed -e 's,^,$grub_tab,' diff --git a/util/grub.d/10_xnu.in b/util/grub.d/10_xnu.in index 51ee2f4..c122933 100644 --- a/util/grub.d/10_xnu.in +++ b/util/grub.d/10_xnu.in @@ -37,7 +37,7 @@ osx_entry() { # TRANSLATORS: it refers on the OS residing on device %s onstr="$(gettext_printf "(on %s)" "${GRUB_DEVICE}")" cat << EOF -menuentry '$(echo "Darwin/Mac OS X $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${GRUB_DEVICE}")' { +menuentry '$(echo "Darwin/Mac OS X $bitstr $onstr" | grub_quote)' ${GRUB_XNU_MENUENTRY_OPTIONS} --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${GRUB_DEVICE}")' { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${GRUB_DEVICE} | grub_add_tab diff --git a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in index f532fb9..7b78ff1 100644 --- a/util/grub.d/20_linux_xen.in +++ b/util/grub.d/20_linux_xen.in @@ -98,10 +98,10 @@ linux_entry () title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_XEN_MENUENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'xen-gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" else title="$(gettext_printf "%s, with Xen hypervisor" "${os}")" - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_XEN_MENUENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'xen-gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" fi if [ x$type != xrecovery ] ; then save_default_entry | grub_add_tab | sed "s/^/$submenu_indentation/" diff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in index 5fc4f0c..e65e2f1 100644 --- a/util/grub.d/30_os-prober.in +++ b/util/grub.d/30_os-prober.in @@ -52,7 +52,7 @@ osx_entry() { # TRANSLATORS: it refers on the OS residing on device %s onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $bitstr $onstr" | grub_quote)' ${GRUB_OSX_MENUENTRY_OPTIONS} --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${DEVICE}")' { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${DEVICE} | grub_add_tab @@ -142,7 +142,7 @@ for OS in ${OSPROBED} ; do onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-chain-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' ${GRUB_WINDOWS_MENUENTRY_OPTIONS} --class windows --class os \$menuentry_id_option 'osprober-chain-$(grub_get_device_id "${DEVICE}")' { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${DEVICE} | grub_add_tab @@ -174,7 +174,7 @@ EOF address@hidden onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-efi-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' ${GRUB_EFI_MENUENTRY_OPTIONS} --class windows --class os \$menuentry_id_option 'osprober-efi-$(grub_get_device_id "${DEVICE}")' { EOF save_default_entry | sed -e "s/^/\t/" prepare_grub_to_access_device ${DEVICE} | sed -e "s/^/\t/" @@ -230,7 +230,7 @@ EOF if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then cat << EOF -menuentry '$(echo "$OS $onstr" | grub_quote)' --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-simple-$boot_device_id' { +menuentry '$(echo "$OS $onstr" | grub_quote)' ${GRUB_LINUX_MENUENTRY_OPTIONS} --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-simple-$boot_device_id' { EOF save_default_entry | grub_add_tab printf '%s\n' "${prepare_boot_cache}" @@ -250,7 +250,7 @@ EOF fi title="${LLABEL} $onstr" cat << EOF - menuentry '$(echo "$title" | grub_quote)' --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-$LKERNEL-${recovery_params}-$boot_device_id' { + menuentry '$(echo "$title" | grub_quote)' ${GRUB_LINUX_MENUENTRY_OPTIONS} --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-$LKERNEL-${recovery_params}-$boot_device_id' { EOF save_default_entry | sed -e "s/^/$grub_tab$grub_tab/" printf '%s\n' "${prepare_boot_cache}" | grub_add_tab @@ -287,7 +287,7 @@ EOF hurd) onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class hurd --class gnu --class os \$menuentry_id_option 'osprober-gnuhurd-/boot/gnumach.gz-false-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' ${GRUB_HURD_MENUENTRY_OPTIONS} --class hurd --class gnu --class os \$menuentry_id_option 'osprober-gnuhurd-/boot/gnumach.gz-false-$(grub_get_device_id "${DEVICE}")' { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${DEVICE} | grub_add_tab @@ -312,7 +312,7 @@ EOF ;; minix) cat << EOF -menuentry "${LONGNAME} (on ${DEVICE}, Multiboot)" { +menuentry "${LONGNAME} (on ${DEVICE}, Multiboot)" ${GRUB_MINIX_MENUENTRY_OPTIONS} { EOF save_default_entry | sed -e "s/^/\t/" prepare_grub_to_access_device ${DEVICE} | sed -e "s/^/\t/" -- 2.1.4