61f585cdc1
for install guest on tapdisk very very slow. - bnc#542525 - VUL-1: xen pygrub vulnerability 20099-pygrub-security.patch 20107-pygrub-security.patch 20146-pygrub-security.patch 20174-pygrub-security.patch 20201-pygrub-security.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=22
# HG changeset patch
# User Keir Fraser <keir.fraser@citrix.com>
# Date 1250781436 -3600
# Node ID 8f783adc0ee34808cdd296cccd92f99018f76017
# Parent 4b30cfb855299922244938fde4f88f4e5bb5df34
pygrub: Add password support
It basically checks for the presence of password line in grub.conf
of the guest image and if this line is present, it supports both clear
text and md5 versions of the password. Editing the grub entries and
command-line are disabled when some password is set in domain's
grub.conf file but the password was not entered yet. Also, new option
to press 'p' in interactive pygrub has been added to allow entering
the grub password. It's been tested on x86_64 with PV guests and was
working fine. Also, the countdown has been stopped after key was
pressed, ie. the user is probably editing the boot configuration.
Signed-off-by: Michal Novotny <minovotn@redhat.com>
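--- a/tools/pygrub/src/GrubConf.py
+++ b/tools/pygrub/src/GrubConf.py
@@ -157,6 +157,7 @@ class GrubConfigFile(object):
 self.images = []
 self.timeout = -1
 self._default = 0
+ self.passwordAccess = True
 
 if fn is not None:
 self.parse()
@@ -196,6 +197,7 @@ class GrubConfigFile(object):
 if self.commands.has_key(com):
 if self.commands[com] is not None:
 setattr(self, self.commands[com], arg.strip())
+ #print "%s = %s => %s" % (com, self.commands[com], arg.strip() )
 else:
 logging.info("Ignored directive %s" %(com,))
 else:
@@ -204,6 +206,37 @@ class GrubConfigFile(object):
 if len(img) > 0:
 self.add_image(GrubImage(img))
 
+ if self.hasPassword():
+ self.setPasswordAccess(False)
+
+ def hasPasswordAccess(self):
+ return self.passwordAccess
+
+ def setPasswordAccess(self, val):
+ self.passwordAccess = val
+
+ def hasPassword(self):
+ try:
+ getattr(self, self.commands['password'])
+ return True
+ except KeyError, e:
+ return False
+
+ def checkPassword(self, password):
+ try:
+ pwd = getattr(self, self.commands['password']).split()
+ if pwd[0] == '--md5':
+ import crypt
+ if crypt.crypt(password, pwd[1]) == pwd[1]:
+ return True
+
+ if pwd[0] == password:
+ return True
+
+ return False
+ except:
+ return True
+
 def set(self, line):
 (com, arg) = grub_exact_split(line, 2)
 if self.commands.has_key(com):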
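Review bot: `checkPassword` fails open: the bare `except:` at its end returns True, so any error raised during the check (an IndexError from a `--md5` directive with no hash, an empty password value, `crypt` being unavailable) unlocks editing. The plain-text comparison `if pwd[0] == password` also appears to run after a failed `--md5` check rather than in an `else` branch (indentation is lost on this page, so this is inferred from the absence of an `else`), which would make the literal string `--md5` an accepted password for every hashed entry. The hashed and plain-text forms should be mutually exclusive, and only the "no password directive" case should be treated as open. `hasPassword` has a related gap: it catches only `KeyError`, while `getattr` on an unset attribute raises `AttributeError`; whether `password` is initialised elsewhere is not visible in this patch.

```python
def checkPassword(self, password):
    try:
        pwd = getattr(self, self.commands['password']).split()
    except (KeyError, AttributeError):
        # no password directive in grub.conf: nothing to check
        return True
    if not pwd:
        # directive present but empty: deny rather than unlock
        return False
    if pwd[0] == '--md5':
        import crypt
        # hashed entry: never fall through to the plain-text comparison
        return len(pwd) > 1 and crypt.crypt(password, pwd[1]) == pwd[1]
    return pwd[0] == password
```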
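--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -418,7 +418,14 @@ class Grub:
 self.text_win.addstr(0, 0, "Use the U and D keys to select which entry is highlighted.")
 self.text_win.addstr(1, 0, "Press enter to boot the selected OS. 'e' to edit the")
 self.text_win.addstr(2, 0, "commands before booting, 'a' to modify the kernel arguments ")
- self.text_win.addstr(3, 0, "before booting, or 'c' for a command line.")
+
+ # if grub has password defined we allow option to enter password
+ if not self.cf.hasPassword():
+ self.text_win.addstr(3, 0, "before booting, or 'c' for a command line.")
+ else:
+ self.text_win.addstr(3, 0, "before booting, or 'c' for a command line. You can also")
+ self.text_win.addstr(4, 0, "press 'p' to enter password for modifications...")
+
 self.text_win.addch(0, 8, curses.ACS_UARROW)
 self.text_win.addch(0, 14, curses.ACS_DARROW)
 (y, x) = self.text_win.getmaxyx()
@@ -457,9 +464,19 @@ class Grub:
 
 # handle keypresses
 if c == ord('c'):
+ # we disallow access without password specified
+ if not self.cf.hasPasswordAccess():
+ self.text_win.addstr(6, 8, "You have to enter GRUB password first")
+ break
+
 self.command_line_mode()
 break
 elif c == ord('a'):
+ # we disallow access without password specified
+ if not self.cf.hasPasswordAccess():
+ self.text_win.addstr(6, 8, "You have to enter GRUB password first")
+ break
+
 # find the kernel line, edit it and then boot
 img = self.cf.images[self.selected_image]
 for line in img.lines:
@@ -471,9 +488,24 @@ class Grub:
 break
 break
 elif c == ord('e'):
+ # we disallow access without password specified
+ if not self.cf.hasPasswordAccess():
+ self.text_win.addstr(6, 8, "You have to enter GRUB password first")
+ break
+
 img = self.cf.images[self.selected_image]
 self.edit_entry(img)
 break
+ elif c == ord('p') and self.cf.hasPassword():
+ self.text_win.addstr(6, 8, "Enter password: ")
+ pwd = self.text_win.getstr(6, 8)
+ if not self.cf.checkPassword(pwd):
+ self.text_win.addstr(6, 8, "Incorrect password!")
+ self.cf.setPasswordAccess( False )
+ else:
+ self.text_win.addstr(6, 8, "Access granted ")
+ self.cf.setPasswordAccess( True )
+ break
 elif c in (curses.KEY_ENTER, ord('\n'), ord('\r')):
 self.isdone = True
 break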
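Review bot: The password gate exists only as three copy-pasted checks in the 'c', 'a' and 'e' branches of the key handler, so a handler added later, or any other caller of `command_line_mode()` or `edit_entry()`, is ungated by default. One helper that tests `hasPasswordAccess()` and prints the message would keep the call sites in step, and repeating the test at the top of the two edit methods (their bodies are outside these hunks) would make the restriction hold whichever path reaches them. Separately, in the 'p' branch the prompt is written at (6, 8) and `getstr(6, 8)` reads from the same position, so typed input overlays the prompt; whether echo is off at that point is not visible here and should be confirmed so the password is not shown on the console.

```python
# helper on class Grub: the single place that decides whether editing is allowed
def require_password_access(self):
    if self.cf.hasPasswordAccess():
        return True
    self.text_win.addstr(6, 8, "You have to enter GRUB password first")
    return False

# … unchanged: menu drawing and key read …
if c == ord('c'):
    if self.require_password_access():
        self.command_line_mode()
    break
# … 'a' and 'e' branches use the same guard …
```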