[syslinux] pxelinux feature request

H. Peter Anvin hpa at zytor.com
Mon Jan 3 18:30:59 PST 2005


Jim Cromie wrote:
> 
> while an include mechanism would be nice,
> I would be a bit concerned about the exposure to a trojan file.
> 
> and what if numeric IPs are later supplemented with DNS lookups?
> are you now exposed to dns hijacking w/in your network?
> 
> If this duct-tape is holding your enterprise together,
> it seems safer to get updates by email, then push those
> out after you've inspected them etc.
> 
> how much updating do you envision happening that
> a simpler include mechanism would still be a burden?
> 
> Further, it seems that it doesn't cover the whole problem,
> you've still got a DHCP server in most situations, and having
> one config-base shifting independently and uncoordinated
> with another seems to be asking for trouble.
> 
> It doesn't seem impractical to write scripts or a makefile
> to do sanity checks and automate the tedious parts.
> 
> I suppose it could be a compile-time option, and the paranoid
> could turn it off
> 

The big problem with supplying an include directive is that it is a 
fairly major change to the code to allow having more than one include 
file open at the same time... there is only one statically allocated 
buffer for the config file, and there isn't space for more.

And yet, it doesn't buy you anything (other than more points of failure) 
you can't already accomplish by stitching the files together on the 
server side.

The more points of failure is particularly drastic if you include stuff 
from multiple servers; if ANY server is down then bad things happen...

	-hpa
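
The server-side stitching described in the reply above, combined with the scripted sanity checks suggested in the quoted message, as an added example that is not part of the original post or of Syslinux. The function name `stitch`, the fragment file names and the rule that each LABEL may be defined only once are assumptions made for illustration.

```python
import os
import tempfile

def stitch(fragment_dir, names, out_path):
    """Join reviewed local fragments into one config file; return its labels."""
    root = os.path.realpath(fragment_dir)
    labels, parts = set(), []
    for name in names:
        path = os.path.realpath(os.path.join(root, name))
        # Refuse anything (../, absolute path, symlink) resolving outside root.
        if os.path.commonpath([root, path]) != root:
            raise ValueError(f"{name}: outside {root}")
        with open(path, encoding="ascii") as fh:  # non-ASCII bytes raise an error
            text = fh.read()
        for lineno, line in enumerate(text.splitlines(), 1):
            words = line.split(None, 1)
            # Local policy (assumption): a LABEL name may be defined only once.
            if len(words) == 2 and words[0].upper() == "LABEL":
                label = words[1].strip()
                if label in labels:
                    raise ValueError(f"{name}:{lineno}: duplicate LABEL {label}")
                labels.add(label)
        parts.append(text if text.endswith("\n") else text + "\n")
    # Write beside the target, then rename: TFTP clients never see a partial file.
    out_dir = os.path.dirname(os.path.abspath(out_path))
    fd, tmp = tempfile.mkstemp(dir=out_dir)
    try:
        with os.fdopen(fd, "w", encoding="ascii") as fh:
            fh.write("".join(parts))
        os.chmod(tmp, 0o644)  # mkstemp creates 0600; the TFTP daemon must read it
        os.replace(tmp, out_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return sorted(labels)

def demo():
    """Run stitch() on constructed fragments; return (labels, stitched text)."""
    with tempfile.TemporaryDirectory() as top:
        samples = {"00-head": "DEFAULT local\nTIMEOUT 50\n",
                   "10-local": "LABEL local\n  LOCALBOOT 0\n",
                   "20-install": "LABEL install\n  KERNEL vmlinuz\n"}
        for name, body in samples.items():
            with open(os.path.join(top, name), "w", encoding="ascii") as fh:
                fh.write(body)
        out = os.path.join(top, "default")
        labels = stitch(top, sorted(samples), out)
        with open(out, encoding="ascii") as fh:
            return labels, fh.read()
```

Because every check runs before the rename, a rejected fragment leaves the previously published config file untouched, so clients keep booting from the last inspected version.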



