alfred/bash-stuff
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add grub root password management support.

Browse Source
This commit is contained in:
Captain ALM 2024-08-20 22:59:21 +01:00
parent c2d6361bf0
commit 3f7fbe8740
Signed by: alfred
GPG Key ID: 4E4ADD02609997B1
2 changed files with 27 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
install-grub-security.sh
View File

@ -1,6 +1,7 @@
#!/bin/bash #!/bin/bash
echo "[+] Installing GRUB 2 Security..."; echo "[+] Installing GRUB 2 Security...";
echo "[i] Use --force to regenerate the signing key; clears ALL root's GPG keys!" echo "[i] Use --force to regenerate the signing key; clears ALL root's GPG keys!";
echo "[i] Use --no-pwd-prompt to use the hash for the GRUB user 'root' provided by grub.d.my.7z";
echo "[?] WARNING Make sure the current GRUB version does not have any bugs with gpg before installing, use CTRL+C to quit, enter to continue:"; echo "[?] WARNING Make sure the current GRUB version does not have any bugs with gpg before installing, use CTRL+C to quit, enter to continue:";
read; read;
sudo cp bin/* /bin/ -f; sudo cp bin/* /bin/ -f;
@ -10,10 +11,21 @@ sudo cp kernel-hooks/* /etc/kernel/ -fr;
sudo cp lib-systemd-system-sleep/* /usr/lib/systemd/system-sleep/ -f; sudo cp lib-systemd-system-sleep/* /usr/lib/systemd/system-sleep/ -f;
sudo 7za x -o/etc grub.d.my.7z -y; sudo 7za x -o/etc grub.d.my.7z -y;
sudo chmod +x /etc/grub.d/*; sudo chmod +x /etc/grub.d/*;
if [[ "$1" != "--no-pwd-prompt" ]] && [[ "$2" != "--no-pwd-prompt" ]]; then
echo "[i] Please enter your password TWICE pressing ENTER (RETURN) after EACH entry.";
echo "[i] There is no visible output.";
gphash=$(grub-mkpasswd-pbkdf2 -c 10000 | awk '/grub.pbkdf/{print$NF}' | sed -e 's:\.:\\\.:g');
if ! [ -z $gphash ] && [ -f /etc/grub.d/00_header ]; then
echo "[+] Setting GRUB Password...";
sudo sed -i "s/.*password_pbkdf2 root grub\.pbkdf2.*/password_pbkdf2 root $gphash/" /etc/grub.d/00_header;
fi;
else
echo "[*] Using grub.d.my.7z hash for GRUB user 'root'!";
fi;
sudo cp sbat /root/sbat -f; sudo cp sbat /root/sbat -f;
sudo cp stop_timeout.conf /etc/systemd/system.conf.d/60_custom.conf -f; sudo cp stop_timeout.conf /etc/systemd/system.conf.d/60_custom.conf -f;
sudo systemctl daemon-reload; sudo systemctl daemon-reload;
if [[ "$1" == "--force" ]]; then if [[ "$1" == "--force" ]] || [[ "$2" == "--force" ]]; then
echo "[?] WARNING Clearing previous gpg keys in root, use CTRL+C to quit, enter to continue:"; echo "[?] WARNING Clearing previous gpg keys in root, use CTRL+C to quit, enter to continue:";
read; read;
sudo rm -f /root/pubkey; sudo rm -f /root/pubkey;

13
update-grub-root-password.sh Executable file
View File

@ -0,0 +1,13 @@
#/bin/bash
echo "[i] Please enter your password TWICE pressing ENTER (RETURN) after EACH entry.";
echo "[i] There is no visible output.";
gphash=$(grub-mkpasswd-pbkdf2 -c 10000 | awk '/grub.pbkdf/{print$NF}' | sed -e 's:\.:\\\.:g');
if [ -z $gphash ] || ! [ -f /etc/grub.d/00_header ]; then
echo "[-] Could not update GRUB Password.";
exit 1;
fi;
echo "[+] Updating GRUB Password...";
sudo sed -i "s/.*password_pbkdf2 root grub\.pbkdf2.*/password_pbkdf2 root $gphash/" /etc/grub.d/00_header;
echo "[+] Updated GRUB Password!";
sudo grub-update;
exit 0;