Add "here document" block to 40_custom #2751
Conversation
Signed-off-by: pq2 <[email protected]>
| cat << EOF | ||
| # Password-protect GRUB | ||
| set superusers="grub" | ||
| password_pbkdf2 grub $GRUB_PASS |
There was a problem hiding this comment.
Hi, thanks for your PR but I wonder if this is really necessary since there is already a surrounding cat command. Why should this make it work? Cannot we fix the surrounding cat command somehow?
There was a problem hiding this comment.
Adding those two lines fixed the issue for me. I don't know if it's possible to adjust the surrounding cat. To be honest, this solution was suggested to me by an AI, but the sources given seemed to me to fit the problem and made sense (unfortunately, the main source no longer seems to be available without an account).
There was a problem hiding this comment.
Can you show me the content of /etc/grub.d/40_custom on your instance after applying the patch?
There was a problem hiding this comment.
# Password-protect GRUB
cat << EOF
set superusers="grub"
password_pbkdf2 grub grub.pbkdf2.sha512.10000.XXXXXXX
EOF
There was a problem hiding this comment.
I fear this is not doing anything. It just stores the content in the EOF variable IIRC. So the solution does not seem correct to me...
There was a problem hiding this comment.
All I can say is that before applying this fix, updating my system always failed because apt tried to install a new kernel version, which is why update-grub was run, and this always resulted in “password_pbkdf2: not found” and a three digit return value. After this fix it worked fine.
There was a problem hiding this comment.
Yes it works fine because the config is bascially disabled...
password_pbkdf2: not found
The question is why this binary is not found?
There was a problem hiding this comment.
Yes it works fine because the config is bascially disabled...
Then, of course, this fix is not a solution
The question is why this binary is not found?
I was wondering the same thing. This problem seems to have come out of nowhere. /boot/grub2/x86_64-efi/password_pbkdf2.mod exists.
There was a problem hiding this comment.
I looked in to this again. It doesn't seem like this fix disables the config. After applying the fix and running update-grub, I can still find both commands inside the here document in /boot/grub/grub.cfg.
Microsofts Copilot says the reason for this is the following:
The command update-grub (or rather grub-mkconfig) generates the final grub.cfg file, which is used during boot. This file contains pure GRUB script that is interpreted directly by the GRUB bootloader, not by the Bash shell.
However, the file /etc/grub.d/40_custom is a shell script. That means:
Everything in that file is initially interpreted by Bash. If you insert password_pbkdf2 directly, Bash doesn't recognize it as a valid command → you get an error message.That's why you need a workaround: using a here document (cat <<EOF ... EOF) you generate a text block that gets copied into the generated grub.cfg without being executed by Bash. This way, GRUB will later understand commands like password_pbkdf2, while Bash doesn't complain when building the configuration.
In simple terms:
40_custom: interpreted by Bash → needs cat <<EOF. grub.cfg: interpreted by GRUB → contains real password_pbkdf2.
Assuming that this explanation is correct, I still don't understand why it previously worked without the here document.
There was a problem hiding this comment.
I see. the explanation makes sense. However you are right that it is weird that it worked formally. Anyway, fine by me to proceed with this 👍
3 participants
When using "update_grub"
password_pbkdf2was interpreted as a bash command. This lead to the error "password_pbkdf2: not found". This should fix the issue.