grub: add support for passwords
This patch adds support for user accounts/passwords in GRUB 2. When configured, everything but the default option is password-protected.
This commit is contained in:
parent
48dd117b24
commit
37ec7c488a
2 changed files with 104 additions and 3 deletions
|
@ -55,6 +55,7 @@ let
|
|||
storePath = config.boot.loader.grub.storePath;
|
||||
bootloaderId = if args.efiBootloaderId == null then "NixOS${efiSysMountPoint'}" else args.efiBootloaderId;
|
||||
timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout;
|
||||
users = if cfg.users == {} || cfg.version != 1 then cfg.users else throw "GRUB version 1 does not support user accounts.";
|
||||
inherit efiSysMountPoint;
|
||||
inherit (args) devices;
|
||||
inherit (efi) canTouchEfiVariables;
|
||||
|
@ -137,6 +138,67 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
users = mkOption {
|
||||
default = {};
|
||||
example = {
|
||||
root = { hashedPasswordFile = "/path/to/file"; };
|
||||
};
|
||||
description = ''
|
||||
User accounts for GRUB. When specified, the GRUB command line and
|
||||
all boot options except the default are password-protected.
|
||||
All passwords and hashes provided will be stored in /boot/grub/grub.cfg,
|
||||
and will be visible to any local user who can read this file. Additionally,
|
||||
any passwords and hashes provided directly in a Nix configuration
|
||||
(as opposed to external files) will be copied into the Nix store, and
|
||||
will be visible to all local users.
|
||||
'';
|
||||
type = with types; attrsOf (submodule {
|
||||
options = {
|
||||
hashedPasswordFile = mkOption {
|
||||
example = "/path/to/file";
|
||||
default = null;
|
||||
type = with types; uniq (nullOr str);
|
||||
description = ''
|
||||
Specifies the path to a file containing the password hash
|
||||
for the account, generated with grub-mkpasswd-pbkdf2.
|
||||
This hash will be stored in /boot/grub/grub.cfg, and will
|
||||
be visible to any local user who can read this file.
|
||||
'';
|
||||
};
|
||||
hashedPassword = mkOption {
|
||||
example = "grub.pbkdf2.sha512.10000.674DFFDEF76E13EA...2CC972B102CF4355";
|
||||
default = null;
|
||||
type = with types; uniq (nullOr str);
|
||||
description = ''
|
||||
Specifies the password hash for the account,
|
||||
generated with grub-mkpasswd-pbkdf2.
|
||||
This hash will be copied to the Nix store, and will be visible to all local users.
|
||||
'';
|
||||
};
|
||||
passwordFile = mkOption {
|
||||
example = "/path/to/file";
|
||||
default = null;
|
||||
type = with types; uniq (nullOr str);
|
||||
description = ''
|
||||
Specifies the path to a file containing the
|
||||
clear text password for the account.
|
||||
This password will be stored in /boot/grub/grub.cfg, and will
|
||||
be visible to any local user who can read this file.
|
||||
'';
|
||||
};
|
||||
password = mkOption {
|
||||
example = "Pa$$w0rd!";
|
||||
default = null;
|
||||
type = with types; uniq (nullOr str);
|
||||
description = ''
|
||||
Specifies the clear text password for the account.
|
||||
This password will be copied to the Nix store, and will be visible to all local users.
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
|
||||
mirroredBoots = mkOption {
|
||||
default = [ ];
|
||||
example = [
|
||||
|
|
|
@ -247,6 +247,45 @@ if ($grubVersion == 1) {
|
|||
}
|
||||
|
||||
else {
|
||||
my @users = ();
|
||||
foreach my $user ($dom->findnodes('/expr/attrs/attr[@name = "users"]/attrs/attr')) {
|
||||
my $name = $user->findvalue('@name') or die;
|
||||
my $hashedPassword = $user->findvalue('./attrs/attr[@name = "hashedPassword"]/string/@value');
|
||||
my $hashedPasswordFile = $user->findvalue('./attrs/attr[@name = "hashedPasswordFile"]/string/@value');
|
||||
my $password = $user->findvalue('./attrs/attr[@name = "password"]/string/@value');
|
||||
my $passwordFile = $user->findvalue('./attrs/attr[@name = "passwordFile"]/string/@value');
|
||||
|
||||
if ($hashedPasswordFile) {
|
||||
open(my $f, '<', $hashedPasswordFile) or die "Can't read file '$hashedPasswordFile'!";
|
||||
$hashedPassword = <$f>;
|
||||
chomp $hashedPassword;
|
||||
}
|
||||
if ($passwordFile) {
|
||||
open(my $f, '<', $passwordFile) or die "Can't read file '$passwordFile'!";
|
||||
$password = <$f>;
|
||||
chomp $password;
|
||||
}
|
||||
|
||||
if ($hashedPassword) {
|
||||
if (index($hashedPassword, "grub.pbkdf2.") == 0) {
|
||||
$conf .= "\npassword_pbkdf2 $name $hashedPassword";
|
||||
}
|
||||
else {
|
||||
die "Password hash for GRUB user '$name' is not valid!";
|
||||
}
|
||||
}
|
||||
elsif ($password) {
|
||||
$conf .= "\npassword $name $password";
|
||||
}
|
||||
else {
|
||||
die "GRUB user '$name' has no password!";
|
||||
}
|
||||
push(@users, $name);
|
||||
}
|
||||
if (@users) {
|
||||
$conf .= "\nset superusers=\"" . join(' ',@users) . "\"\n";
|
||||
}
|
||||
|
||||
if ($copyKernels == 0) {
|
||||
$conf .= "
|
||||
" . $grubStore->search;
|
||||
|
@ -350,7 +389,7 @@ sub copyToKernelsDir {
|
|||
}
|
||||
|
||||
sub addEntry {
|
||||
my ($name, $path) = @_;
|
||||
my ($name, $path, $options) = @_;
|
||||
return unless -e "$path/kernel" && -e "$path/initrd";
|
||||
|
||||
my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel"));
|
||||
|
@ -396,7 +435,7 @@ sub addEntry {
|
|||
$conf .= " " . ($xen ? "module" : "kernel") . " $kernel $kernelParams\n";
|
||||
$conf .= " " . ($xen ? "module" : "initrd") . " $initrd\n\n";
|
||||
} else {
|
||||
$conf .= "menuentry \"$name\" {\n";
|
||||
$conf .= "menuentry \"$name\" " . ($options||"") . " {\n";
|
||||
$conf .= $grubBoot->search . "\n";
|
||||
if ($copyKernels == 0) {
|
||||
$conf .= $grubStore->search . "\n";
|
||||
|
@ -413,7 +452,7 @@ sub addEntry {
|
|||
# Add default entries.
|
||||
$conf .= "$extraEntries\n" if $extraEntriesBeforeNixOS;
|
||||
|
||||
addEntry("NixOS - Default", $defaultConfig);
|
||||
addEntry("NixOS - Default", $defaultConfig, "--unrestricted");
|
||||
|
||||
$conf .= "$extraEntries\n" unless $extraEntriesBeforeNixOS;
|
||||
|
||||
|
|
Loading…
Reference in a new issue