[syslinux] SYSLINUX 2.09, 2.10-pre1 released

Josef Siemes jsiemes at web.de
Fri Apr 30 00:47:27 PDT 2004


Hi,

"H. Peter Anvin" <hpa at zytor.com> wrote on 29.04.04 20:12:16:
> Gebhardt Thomas wrote:
> > I'd really appreciate if there were a PXELINUX option that would prevent
> > users from adding kernel commandline boot parameters apart from the
> > options nailed down in the configuration file. This is a very basic security
> > issue in an unattended, potentially hostile environment if you don't want
> > the user to become root (init=/bin/sh), a situation not that uncommon.
> > 
> > I hope that such a configuration flag is not that complicated to implement,
> > since it is not a really new feature, but just disables an already functional
> > feature.
> > 
> 
> It's a new feature, and it is unfortunately reasonably complex to 
> implement.  What makes me really question the value is that it's not 
> clear to me that there aren't other security holes in the whole scenario.

I've also asked for this a while ago, so this discussion isn't new.

For pxelinux it would at least allow locking the ordinary user out of kernel command line
parameters. There are many hints on how to get a root shell by adding 'init=/bin/sh', so
actually the user gets root access without much effort. If pxelinux locks the command
line it would be somewhat harder: either the user prevents pxelinux from reading the config file
at all (perhaps by pulling out the network cable at the right moment?) or needs to do some
BIOS hacking. At least there wouldn't be the 'obvious' way.

For iso/syslinux maybe this could also lock the user to a fixed configuration. This couldn't be
fixed easily, since writing the config file could be really hard. But it could have its use
too.

For implementation: Isn't there some point in the code where the command line for the kernel is concatenated? So the options from the config file are taken, then the options following the label on the command line are added? Why not just skip adding the options following the label?
I've tried to find the right place for this in the code, but it seems I don't have enough assembler skills
for this ...

Regards,

Josef
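
The concatenation step asked about in the message above, modelled in C as an added example. It is not part of the original post and not SYSLINUX code: the function name, the `lock` flag and the sample configuration options are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of boot-loader command-line assembly; not SYSLINUX code.
 * typed:      what was entered at the boot prompt, e.g. "linux init=/bin/sh"
 * cfg_append: options fixed in the configuration file for that label
 * lock:       hypothetical flag; nonzero drops everything typed after the label
 * Returns 0 on success, -1 if the result does not fit in out. */
int build_cmdline(const char *typed, const char *cfg_append, int lock,
                  char *out, size_t outsz)
{
    /* Skip leading blanks, then the label itself. */
    while (*typed == ' ')
        typed++;
    const char *extra = typed + strcspn(typed, " ");
    while (*extra == ' ')
        extra++;

    if (lock)
        extra = "";   /* locked: only the configured options survive */

    /* Configured options first, then (if allowed) the typed ones. */
    int n = snprintf(out, outsz, "%s%s%s", cfg_append,
                     (*extra && *cfg_append) ? " " : "", extra);

    /* Refuse to boot with a silently truncated command line. */
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char buf[256];
    const char *cfg = "root=/dev/nfs ip=dhcp ro";  /* constructed sample */
    const char *typed = "linux init=/bin/sh";      /* parameter named in the thread */

    if (build_cmdline(typed, cfg, 0, buf, sizeof buf) == 0)
        printf("unlocked: %s\n", buf);
    if (build_cmdline(typed, cfg, 1, buf, sizeof buf) == 0)
        printf("locked:   %s\n", buf);
    return 0;
}
```

With the flag set, the kernel receives exactly the configured options regardless of what is typed after the label; the other routes mentioned in the message (keeping the config file from being read, BIOS changes) are outside what this step can control.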
