FreeBSD Bugzilla – Attachment 126349 Details for Bug 170110: loader.conf bootmenu password prevents OS from loading
patch.txt (text/plain), 8.09 KB, created by devin.teske on 2012-12-10 22:52:39 UTC
Flags: patch, obsolete
>Index: loader.4th.8 >=================================================================== >--- loader.4th.8 (revision 244048) >+++ loader.4th.8 (working copy) >@@ -99,7 +99,7 @@ This > is the command used in the default > .Pa /boot/loader.rc > file, and it uses the >-.Pa autoboot >+.Ic autoboot > command (see > .Xr loader 8 ) , > so it can be stopped for further interaction with >Index: beastie.4th.8 >=================================================================== >--- beastie.4th.8 (revision 244048) >+++ beastie.4th.8 (working copy) >@@ -1,4 +1,4 @@ >-.\" Copyright (c) 2011 Devin Teske >+.\" Copyright (c) 2011-2012 Devin Teske > .\" All rights reserved. > .\" > .\" Redistribution and use in source and binary forms, with or without >@@ -94,8 +94,9 @@ The > variable can be configured in > .Xr loader.conf 5 > to the number of seconds you would like to delay loading the boot menu. >-During the delay the user can press Ctrl-C to fall back to autoboot or ENTER >-to proceed. >+During the delay the user can press Ctrl-C to fall back to >+.Ic autoboot >+or ENTER to proceed. > The default behavior is to not delay. > .El > .Pp >Index: check-password.4th.8 >=================================================================== >--- check-password.4th.8 (revision 244048) >+++ check-password.4th.8 (working copy) >@@ -1,4 +1,4 @@ >-.\" Copyright (c) 2011 Devin Teske >+.\" Copyright (c) 2011-2012 Devin Teske > .\" All rights reserved. > .\" > .\" Redistribution and use in source and binary forms, with or without >@@ -24,7 +24,7 @@ > .\" > .\" $FreeBSD$ > .\" >-.Dd May 18, 2011 >+.Dd December 10, 2012 > .Dt CHECK-PASSWORD.4TH 8 > .Os > .Sh NAME 
>@@ -33,7 +33,8 @@ > .Sh DESCRIPTION > The file that goes by the name of > .Nm >-is a set of commands designed to prevent booting without the proper password. >+is a set of commands designed to either prevent booting or prevent modification >+of boot options without an appropriately configured password. > The commands of > .Nm > by themselves are not enough for most uses. 
>@@ -57,30 +58,36 @@ The commands provided by it are: > .Pp > .Bl -tag -width disable-module_module -compact -offset indent > .It Ic check-password >-Once called, the user cannot continue until the correct password is entered. >-If the user enters the correct password the function returns. >+Dual-purpose function that can either protect the interactive boot menu or >+prevent boot without password (separately). > .Pp >-The password that is required is configured by setting the >-.Ic password >-variable in >-.Xr loader.conf 5 . >+First checks >+.Va bootlock_password >+and if-set, the user cannot continue until the correct password is entered. > .Pp >-Subsequent calls after a successful password >-has been entered will not cause reprompting >-\(em the function will silently return. >+Next checks >+.Va password >+and if-set, tries to >+.Ic autoboot >+and only prompts for password on failure or user-interrupt. >+See >+.Xr loader.conf 5 >+for additional information. > .El > .Pp > The environment variables that effect its behavior are: >-.Bl -tag -width bootfile -offset indent >+.Bl -tag -width bootlock_password -offset indent >+.It Va bootlock_password >+Sets the bootlock password (up to 16 characters long) that is required by >+.Ic check-password >+to be entered before the system is allowed to boot. > .It Va password > Sets the password (up to 16 characters long) that is required by > .Ic check-password >-to be entered before the system is allowed to boot. If unset (default) or NULL, >-.Ic check-password >-will silently abort. >+before the user is allowed to visit the boot menu. > .El > .Sh FILES >-.Bl -tag -width /boot/loader.4th -compact >+.Bl -tag -width /boot/check-password.4th -compact > .It Pa /boot/loader > The > .Xr loader 8 . 
>@@ -101,11 +108,20 @@ check-password > .Ed > .Pp > Set a password in >-.Xr loader.conf 5 : >+.Xr loader.conf 5 >+to prevent modification of boot options: > .Pp > .Bd -literal -offset indent -compact > password="abc123" > .Ed >+.Pp >+Set a password in >+.Xr loader.conf 5 >+to prevent booting without password: >+.Pp >+.Bd -literal -offset indent -compact >+bootlock_password="boot" >+.Ed > .Sh SEE ALSO > .Xr loader.conf 5 , > .Xr loader 8 , >Index: loader.conf.5 >=================================================================== >--- loader.conf.5 (revision 244048) >+++ loader.conf.5 (working copy) >@@ -23,7 +23,7 @@ > .\" SUCH DAMAGE. > .\" > .\" $FreeBSD$ >-.Dd July 20, 2011 >+.Dd December 10, 2012 > .Dt LOADER.CONF 5 > .Os > .Sh NAME >@@ -113,8 +113,23 @@ that contains a kernel. > .It Ar kernel_options > Flags to be passed to the kernel. > .It Ar password >+Protect boot menu with a password without interrupting >+.Ic autoboot >+process. >+The password should be in clear text format. >+If a password is set, boot menu will not appear until any key is pressed during >+countdown period specified by >+.Va autoboot_delay >+variable or >+.Ic autoboot >+process fails. >+In both cases user should provide specified password to be able to access boot >+menu. >+.It Ar bootlock_password > Provides a password to be required by check-password before execution is > allowed to continue. >+The password should be in clear text format. >+If a password is set, the user must provide specified password to boot. > .It Ar verbose_loading > If set to > .Dq YES , >Index: menu.4th.8 >=================================================================== >--- menu.4th.8 (revision 244048) >+++ menu.4th.8 (working copy) >@@ -1,4 +1,4 @@ >-.\" Copyright (c) 2011 Devin Teske >+.\" Copyright (c) 2011-2012 Devin Teske > .\" All rights reserved. > .\" > .\" Redistribution and use in source and binary forms, with or without 
>@@ -108,8 +108,9 @@ will wait for user input and never execute > If set to > .Dq Li -1 , > .Ic menu-display >-will boot immediately, preventing both interruption of the autoboot process and >-escaping to the loader prompt. >+will boot immediately, preventing both interruption of the >+.Ic autoboot >+process and escaping to the loader prompt. > Default is > .Dq Li 10 . > See >Index: check-password.4th >=================================================================== >--- check-password.4th (revision 244048) >+++ check-password.4th (working copy) >@@ -1,4 +1,4 @@ >-\ Copyright (c) 2006-2011 Devin Teske <dteske@FreeBSD.org> >+\ Copyright (c) 2006-2012 Devin Teske <dteske@FreeBSD.org> > \ All rights reserved. > \ > \ Redistribution and use in source and binary forms, with or without >@@ -74,7 +74,7 @@ variable readlen \ input length > again > ; > >-: read ( -- String prompt ) >+: read ( String prompt -- ) > > 0 25 at-xy \ Move the cursor to the bottom-left > dup 1+ read-start ! \ Store X offset after the prompt 
>@@ -134,23 +134,37 @@ variable readlen \ input length > > : check-password ( -- ) > >- \ Exit if a password was not set >- s" password" getenv dup -1 = if >- drop exit >+ \ Do not allow the user to proceed beyond this point if a boot-lock >+ \ password has been set (preventing even boot from proceeding) >+ s" bootlock_password" getenv dup -1 <> if >+ begin >+ s" Boot Password: " read ( prompt -- ) >+ 2dup readval readlen @ compare 0<> >+ while >+ 3000 ms ." loader: incorrect password" 10 emit >+ again >+ 2drop ( c-addr/u ) >+ else >+ drop ( -1 ) \ getenv cruft > then > >- begin \ Loop as long as it takes to get the right password >+ \ Exit if a password was not set >+ s" password" getenv -1 = if exit else drop then > >- s" Password: " \ Output a prompt for a password >- read \ Read the user's input until Enter >+ \ We should prevent the user from visiting the menu or dropping to the >+ \ interactive loader(8) prompt, but still allow the machine to boot... > >+ autoboot ( -- ) >+ >+ \ Only reached if autoboot fails for any reason (including if/when >+ \ the user aborts/escapes the countdown sequence leading to boot). >+ >+ s" password" getenv >+ begin >+ s" Password: " read ( prompt -- ) > 2dup readval readlen @ compare 0= if > 2drop exit \ Correct password > then >- >- \ Bad Password >- 3000 ms >- ." loader: incorrect password" 10 emit >- >- again \ Not the right password; repeat >+ 3000 ms ." loader: incorrect password" 10 emit >+ again > ;
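Review bot: In the check-password.4th.8 hunk at `@@ -57,30 +58,36 @@`, the removed sentence `If unset (default) or NULL, check-password will silently abort.` gets no replacement, yet the new check-password.4th code treats only a variable that `getenv` reports as unset (`-1`) as absent: a `password=""` or `bootlock_password=""` entry is still prompted for, and an empty line at the prompt matches it. Either state in the man page that an empty value is not the same as an unset one, or reject empty values in the code. Also write `if set` rather than `if-set` in both new paragraphs, and consider keeping a sentence on whether a second call after a correct entry reprompts, since the old `Subsequent calls ... will silently return` text is dropped without a successor.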
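Review bot: In the loader.conf.5 hunk at `@@ -113,8 +113,23 @@`, the new `bootlock_password` entry leaves `check-password` as plain text while the rest of this patch marks command names with `.Ic` (as in `.Ic autoboot` a few lines above); use `.Ic check-password` there. The new `password` paragraph also reads awkwardly without articles: `the boot menu will not appear until a key is pressed during the countdown period specified by the .Va autoboot_delay variable, or until the .Ic autoboot process fails. In both cases the user must enter the configured password to reach the boot menu.` Since both entries say the value is stored in clear text, add a sentence that anyone able to read loader.conf can read the password, so the file's permissions are part of the protection; that caveat is more useful to the reader than the format note alone.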
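Review bot: In the check-password.4th hunk at `@@ -134,23 +134,37 @@`, the bootlock loop is written `begin ... while ... again`. In standard Forth `while` pairs with `repeat`: `repeat` compiles the backward branch and also resolves the forward branch that `while` left open, whereas `again` only compiles the backward branch, so the loop's exit path is left unresolved. Change `again` to `repeat` in that loop; the second loop, which uses `begin ... if ... exit then ... again` with no `while`, is fine as written. Smaller point: `s" password" getenv` is evaluated twice, once for the unset test (where the address is dropped) and again after `autoboot`; keeping the first result on the stack across `autoboot ( -- )` would avoid the second lookup, though the repeated call is harmless.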