xen/20099-pygrub-security.patch

# HG changeset patch
# User Keir Fraser <keir.fraser@citrix.com>
# Date 1250781436 -3600
# Node ID 8f783adc0ee34808cdd296cccd92f99018f76017
# Parent  4b30cfb855299922244938fde4f88f4e5bb5df34
pygrub: Add password support

It basically checks for the presence of password line in grub.conf
of the guest image and if this line is present, it supports both clear
text and md5 versions of the password. Editing the grub entries and
command-line are disabled when some password is set in domain's
grub.conf file but the password was not entered yet. Also, new option
to press 'p' in interactive pygrub has been added to allow entering
the grub password. It's been tested on x86_64 with PV guests and was
working fine. Also, the countdown has been stopped after key was
pressed, ie. the user is probably editing the boot configuration.

Signed-off-by: Michal Novotny <minovotn@redhat.com>

Index: xen-3.4.1-testing/tools/pygrub/src/GrubConf.py
===================================================================
--- xen-3.4.1-testing.orig/tools/pygrub/src/GrubConf.py
+++ xen-3.4.1-testing/tools/pygrub/src/GrubConf.py
@@ -157,6 +157,7 @@ class GrubConfigFile(object):
         self.images = []
         self.timeout = -1
         self._default = 0
+        self.passwordAccess = True
 
         if fn is not None:
             self.parse()
@@ -196,6 +197,7 @@ class GrubConfigFile(object):
             if self.commands.has_key(com):
                 if self.commands[com] is not None:
                     setattr(self, self.commands[com], arg.strip())
+                    #print "%s = %s => %s" % (com, self.commands[com], arg.strip() )
                 else:
                     logging.info("Ignored directive %s" %(com,))
             else:
@@ -204,6 +206,37 @@ class GrubConfigFile(object):
         if len(img) > 0:
             self.add_image(GrubImage(img))
 
+        if self.hasPassword():
+            self.setPasswordAccess(False)
+
+    def hasPasswordAccess(self):
+        return self.passwordAccess
+
+    def setPasswordAccess(self, val):
+        self.passwordAccess = val
+
+    def hasPassword(self):
+        try:
+            getattr(self, self.commands['password'])
+            return True
+        except KeyError, e:
+            return False
+
+    def checkPassword(self, password):
+        try:
+            pwd = getattr(self, self.commands['password']).split()
+            if pwd[0] == '--md5':
+                import crypt
+                if crypt.crypt(password, pwd[1]) == pwd[1]:
+                    return True
+
+            if pwd[0] == password:
+                return True
+
+            return False
+        except:
+            return True
+
     def set(self, line):
         (com, arg) = grub_exact_split(line, 2)
         if self.commands.has_key(com):
Index: xen-3.4.1-testing/tools/pygrub/src/pygrub
===================================================================
--- xen-3.4.1-testing.orig/tools/pygrub/src/pygrub
+++ xen-3.4.1-testing/tools/pygrub/src/pygrub
@@ -418,7 +418,14 @@ class Grub:
             self.text_win.addstr(0, 0, "Use the U and D keys to select which entry is highlighted.")
             self.text_win.addstr(1, 0, "Press enter to boot the selected OS. 'e' to edit the")
             self.text_win.addstr(2, 0, "commands before booting, 'a' to modify the kernel arguments ")
-            self.text_win.addstr(3, 0, "before booting, or 'c' for a command line.")
+
+            # if grub has password defined we allow option to enter password
+            if not self.cf.hasPassword():
+                self.text_win.addstr(3, 0, "before booting, or 'c' for a command line.")
+            else:
+                self.text_win.addstr(3, 0, "before booting, or 'c' for a command line. You can also")
+                self.text_win.addstr(4, 0, "press 'p' to enter password for modifications...")
+
             self.text_win.addch(0, 8, curses.ACS_UARROW)
             self.text_win.addch(0, 14, curses.ACS_DARROW)
             (y, x) = self.text_win.getmaxyx()
@@ -457,9 +464,19 @@ class Grub:
 
             # handle keypresses
             if c == ord('c'):
+                # we disallow access without password specified
+                if not self.cf.hasPasswordAccess():
+                    self.text_win.addstr(6, 8, "You have to enter GRUB password first")
+                    break
+
                 self.command_line_mode()
                 break
             elif c == ord('a'):
+                # we disallow access without password specified
+                if not self.cf.hasPasswordAccess():
+                    self.text_win.addstr(6, 8, "You have to enter GRUB password first")
+                    break
+
                 # find the kernel line, edit it and then boot
                 img = self.cf.images[self.selected_image]
                 for line in img.lines:
@@ -471,9 +488,24 @@ class Grub:
                             break
                 break
             elif c == ord('e'):
+                # we disallow access without password specified
+                if not self.cf.hasPasswordAccess():
+                    self.text_win.addstr(6, 8, "You have to enter GRUB password first")
+                    break
+
                 img = self.cf.images[self.selected_image]
                 self.edit_entry(img)
                 break
+            elif c == ord('p') and self.cf.hasPassword():
+                self.text_win.addstr(6, 8, "Enter password: ")
+                pwd = self.text_win.getstr(6, 8)
+                if not self.cf.checkPassword(pwd):
+                    self.text_win.addstr(6, 8, "Incorrect password!")
+                    self.cf.setPasswordAccess( False )
+                else:
+                    self.text_win.addstr(6, 8, "Access granted     ")
+                    self.cf.setPasswordAccess( True )
+                break
             elif c in (curses.KEY_ENTER, ord('\n'), ord('\r')):
                 self.isdone = True
                 break
- Add patch ioemu-bdrv-open-CACHE_WB.patch for install guest on tapdisk very very slow. - bnc#542525 - VUL-1: xen pygrub vulnerability 20099-pygrub-security.patch 20107-pygrub-security.patch 20146-pygrub-security.patch 20174-pygrub-security.patch 20201-pygrub-security.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=22 2009-09-30 18:44:28 +02:00			`# HG changeset patch`
			`# User Keir Fraser <keir.fraser@citrix.com>`
			`# Date 1250781436 -3600`
			`# Node ID 8f783adc0ee34808cdd296cccd92f99018f76017`
			`# Parent 4b30cfb855299922244938fde4f88f4e5bb5df34`
			`pygrub: Add password support`

			`It basically checks for the presence of password line in grub.conf`
			`of the guest image and if this line is present, it supports both clear`
			`text and md5 versions of the password. Editing the grub entries and`
			`command-line are disabled when some password is set in domain's`
			`grub.conf file but the password was not entered yet. Also, new option`
			`to press 'p' in interactive pygrub has been added to allow entering`
			`the grub password. It's been tested on x86_64 with PV guests and was`
			`working fine. Also, the countdown has been stopped after key was`
			`pressed, ie. the user is probably editing the boot configuration.`

			`Signed-off-by: Michal Novotny <minovotn@redhat.com>`

			`Index: xen-3.4.1-testing/tools/pygrub/src/GrubConf.py`
			`===================================================================`
			`--- xen-3.4.1-testing.orig/tools/pygrub/src/GrubConf.py`
			`+++ xen-3.4.1-testing/tools/pygrub/src/GrubConf.py`
			`@@ -157,6 +157,7 @@ class GrubConfigFile(object):`
			`self.images = []`
			`self.timeout = -1`
			`self._default = 0`
			`+ self.passwordAccess = True`

			`if fn is not None:`
			`self.parse()`
			`@@ -196,6 +197,7 @@ class GrubConfigFile(object):`
			`if self.commands.has_key(com):`
			`if self.commands[com] is not None:`
			`setattr(self, self.commands[com], arg.strip())`
			`+ #print "%s = %s => %s" % (com, self.commands[com], arg.strip() )`
			`else:`
			`logging.info("Ignored directive %s" %(com,))`
			`else:`
			`@@ -204,6 +206,37 @@ class GrubConfigFile(object):`
			`if len(img) > 0:`
			`self.add_image(GrubImage(img))`

			`+ if self.hasPassword():`
			`+ self.setPasswordAccess(False)`
			`+`
			`+ def hasPasswordAccess(self):`
			`+ return self.passwordAccess`
			`+`
			`+ def setPasswordAccess(self, val):`
			`+ self.passwordAccess = val`
			`+`
			`+ def hasPassword(self):`
			`+ try:`
			`+ getattr(self, self.commands['password'])`
			`+ return True`
			`+ except KeyError, e:`
			`+ return False`
			`+`
			`+ def checkPassword(self, password):`
			`+ try:`
			`+ pwd = getattr(self, self.commands['password']).split()`
			`+ if pwd[0] == '--md5':`
			`+ import crypt`
			`+ if crypt.crypt(password, pwd[1]) == pwd[1]:`
			`+ return True`
			`+`
			`+ if pwd[0] == password:`
			`+ return True`
			`+`
			`+ return False`
			`+ except:`
			`+ return True`
			`+`
			`def set(self, line):`
			`(com, arg) = grub_exact_split(line, 2)`
			`if self.commands.has_key(com):`
			`Index: xen-3.4.1-testing/tools/pygrub/src/pygrub`
			`===================================================================`
			`--- xen-3.4.1-testing.orig/tools/pygrub/src/pygrub`
			`+++ xen-3.4.1-testing/tools/pygrub/src/pygrub`
			`@@ -418,7 +418,14 @@ class Grub:`
			`self.text_win.addstr(0, 0, "Use the U and D keys to select which entry is highlighted.")`
			`self.text_win.addstr(1, 0, "Press enter to boot the selected OS. 'e' to edit the")`
			`self.text_win.addstr(2, 0, "commands before booting, 'a' to modify the kernel arguments ")`
			`- self.text_win.addstr(3, 0, "before booting, or 'c' for a command line.")`
			`+`
			`+ # if grub has password defined we allow option to enter password`
			`+ if not self.cf.hasPassword():`
			`+ self.text_win.addstr(3, 0, "before booting, or 'c' for a command line.")`
			`+ else:`
			`+ self.text_win.addstr(3, 0, "before booting, or 'c' for a command line. You can also")`
			`+ self.text_win.addstr(4, 0, "press 'p' to enter password for modifications...")`
			`+`
			`self.text_win.addch(0, 8, curses.ACS_UARROW)`
			`self.text_win.addch(0, 14, curses.ACS_DARROW)`
			`(y, x) = self.text_win.getmaxyx()`
			`@@ -457,9 +464,19 @@ class Grub:`

			`# handle keypresses`
			`if c == ord('c'):`
			`+ # we disallow access without password specified`
			`+ if not self.cf.hasPasswordAccess():`
			`+ self.text_win.addstr(6, 8, "You have to enter GRUB password first")`
			`+ break`
			`+`
			`self.command_line_mode()`
			`break`
			`elif c == ord('a'):`
			`+ # we disallow access without password specified`
			`+ if not self.cf.hasPasswordAccess():`
			`+ self.text_win.addstr(6, 8, "You have to enter GRUB password first")`
			`+ break`
			`+`
			`# find the kernel line, edit it and then boot`
			`img = self.cf.images[self.selected_image]`
			`for line in img.lines:`
			`@@ -471,9 +488,24 @@ class Grub:`
			`break`
			`break`
			`elif c == ord('e'):`
			`+ # we disallow access without password specified`
			`+ if not self.cf.hasPasswordAccess():`
			`+ self.text_win.addstr(6, 8, "You have to enter GRUB password first")`
			`+ break`
			`+`
			`img = self.cf.images[self.selected_image]`
			`self.edit_entry(img)`
			`break`
			`+ elif c == ord('p') and self.cf.hasPassword():`
			`+ self.text_win.addstr(6, 8, "Enter password: ")`
			`+ pwd = self.text_win.getstr(6, 8)`
			`+ if not self.cf.checkPassword(pwd):`
			`+ self.text_win.addstr(6, 8, "Incorrect password!")`
			`+ self.cf.setPasswordAccess( False )`
			`+ else:`
			`+ self.text_win.addstr(6, 8, "Access granted ")`
			`+ self.cf.setPasswordAccess( True )`
			`+ break`
			`elif c in (curses.KEY_ENTER, ord('\n'), ord('\r')):`
			`self.isdone = True`
			`break`