[Xen-devel] [PATCH] Add password support to pygrub for GRUB bootloader

[Michal Novotny <minovotn@xxxxxxxxxx>]

Hi,
this is the patch to add password support to pygrub for GRUB bootloader. 
It basically checks for the presence of password line in grub.conf of 
the guest image and if this line is present, it supports both clear text 
and md5 versions of the password. Editing the grub entries and 
command-line are disabled when some password is set in domain's 
grub.conf file but the password was not entered yet. Also, new option to 
press 'p' in interactive pygrub has been added to allow entering the 
grub password. It's been tested on x86_64 with PV guests and was working 
fine. Also, the countdown has been stopped after key was pressed, ie. 
the user is probably editing the boot configuration.
Michal

Signed-off-by: Michal Novotny <minovotn@xxxxxxxxxx>

diff -r 145e49b8574c tools/pygrub/src/GrubConf.py
--- a/tools/pygrub/src/GrubConf.py      Tue May 19 23:44:28 2009 +0100
+++ b/tools/pygrub/src/GrubConf.py      Thu Aug 20 16:58:04 2009 +0200
@@ -157,6 +157,7 @@ class GrubConfigFile(object):
         self.images = []
         self.timeout = -1
         self._default = 0
+        self.passwordAccess = True
 
         if fn is not None:
             self.parse()
@@ -196,6 +197,7 @@ class GrubConfigFile(object):
             if self.commands.has_key(com):
                 if self.commands[com] is not None:
                     setattr(self, self.commands[com], arg.strip())
+                    #print "%s = %s => %s" % (com, self.commands[com], 
arg.strip() )
                 else:
                     logging.info("Ignored directive %s" %(com,))
             else:
@@ -203,6 +205,37 @@ class GrubConfigFile(object):
                 
         if len(img) > 0:
             self.add_image(GrubImage(img))
+
+        if self.hasPassword():
+            self.setPasswordAccess(False)
+
+    def hasPasswordAccess(self):
+        return self.passwordAccess
+
+    def setPasswordAccess(self, val):
+        self.passwordAccess = val
+
+    def hasPassword(self):
+        try:
+            getattr(self, self.commands['password'])
+            return True
+        except KeyError, e:
+            return False
+
+    def checkPassword(self, password):
+        try:
+            pwd = getattr(self, self.commands['password']).split()
+            if pwd[0] == '--md5':
+                import crypt
+                if crypt.crypt(password, pwd[1]) == pwd[1]:
+                    return True
+
+            if pwd[0] == password:
+                return True
+
+            return False
+        except:
+            return True
 
     def set(self, line):
         (com, arg) = grub_exact_split(line, 2)
diff -r 145e49b8574c tools/pygrub/src/pygrub
--- a/tools/pygrub/src/pygrub   Tue May 19 23:44:28 2009 +0100
+++ b/tools/pygrub/src/pygrub   Thu Aug 20 16:58:04 2009 +0200
@@ -418,7 +418,14 @@ class Grub:
             self.text_win.addstr(0, 0, "Use the U and D keys to select which 
entry is highlighted.")
             self.text_win.addstr(1, 0, "Press enter to boot the selected OS. 
'e' to edit the")
             self.text_win.addstr(2, 0, "commands before booting, 'a' to modify 
the kernel arguments ")
-            self.text_win.addstr(3, 0, "before booting, or 'c' for a command 
line.")
+
+            # if grub has password defined we allow option to enter password
+            if not self.cf.hasPassword():
+                self.text_win.addstr(3, 0, "before booting, or 'c' for a 
command line.")
+            else:
+                self.text_win.addstr(3, 0, "before booting, or 'c' for a 
command line. You can also")
+                self.text_win.addstr(4, 0, "press 'p' to enter password for 
modifications...")
+
             self.text_win.addch(0, 8, curses.ACS_UARROW)
             self.text_win.addch(0, 14, curses.ACS_DARROW)
             (y, x) = self.text_win.getmaxyx()
@@ -457,9 +464,19 @@ class Grub:
 
             # handle keypresses
             if c == ord('c'):
+                # we disallow access without password specified
+                if not self.cf.hasPasswordAccess():
+                    self.text_win.addstr(6, 8, "You have to enter GRUB 
password first")
+                    break
+
                 self.command_line_mode()
                 break
             elif c == ord('a'):
+                # we disallow access without password specified
+                if not self.cf.hasPasswordAccess():
+                    self.text_win.addstr(6, 8, "You have to enter GRUB 
password first")
+                    break
+
                 # find the kernel line, edit it and then boot
                 img = self.cf.images[self.selected_image]
                 for line in img.lines:
@@ -471,8 +488,23 @@ class Grub:
                             break
                 break
             elif c == ord('e'):
+                # we disallow access without password specified
+                if not self.cf.hasPasswordAccess():
+                    self.text_win.addstr(6, 8, "You have to enter GRUB 
password first")
+                    break
+
                 img = self.cf.images[self.selected_image]
                 self.edit_entry(img)
+                break
+            elif c == ord('p') and self.cf.hasPassword():
+                self.text_win.addstr(6, 8, "Enter password: ")
+                pwd = self.text_win.getstr(6, 8)
+                if not self.cf.checkPassword(pwd):
+                    self.text_win.addstr(6, 8, "Incorrect password!")
+                    self.cf.setPasswordAccess( False )
+                else:
+                    self.text_win.addstr(6, 8, "Access granted     ")
+                    self.cf.setPasswordAccess( True )
                 break
             elif c in (curses.KEY_ENTER, ord('\n'), ord('\r')):
                 self.isdone = True

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel