[syslinux] SYSLINUX 2.09, 2.10-pre1 released
Marc Haisenko
haisenko at be-ok.com
Fri Apr 30 01:24:48 PDT 2004
On Thursday 29 April 2004 19:56, H. Peter Anvin wrote:
> Gebhardt Thomas wrote:
> > Hi,
> >
> > I'd really appreciate if there were a PXELINUX option that would prevent
> > users from adding kernel commandline boot parameters apart from the
> > options nailed down in the configuration file. This is a very basic
> > security issue in an unattended, potentially hostile environment if you
> > don't want users to become root (init=/bin/sh), a situation not that
> > uncommon.
> >
> > I hope that such a configuration flag is not that complicated to
> > implement, since it is not a really new feature, but just disables an
> > already functional feature.
>
> It's a new feature, and it is unfortunately reasonably complex to
> implement. What makes me really question the value is that it's not
> clear to me that there aren't other security holes in the whole scenario.
>
> -hpa
Well, after a very brief look at the comments it seems to me that in
runkernel.inc the following happens: first the append=... options are added
to the kernel options and then the options provided by the command line.
Wouldn't it be easy to implement a configuration option that would skip
construct_commandline and jump to commandline_end? That would do just what
all these people ask for (that request isn't showing up for the first time).
Or did you think of another (better, cleaner?) way to implement such a "skip
commandline options" feature?
C'ya,
Marc
--
Marc Haisenko
Linux Solutions
Be O.K. service group GmbH
Rüdesheimer Straße 7
D-80686 München
Tel: +49 (0)89 - 54 84 99 73
Fax: +49 (0)89 - 54 84 99 28
e-mail: haisenko at be-ok.com
http://www.be-ok.com
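
Added example, not part of the original message and not SYSLINUX project code: a small audit that reports whether a console user can still append text after the APPEND options of a PXELINUX configuration. It assumes the ALLOWOPTIONS, PROMPT and NOESCAPE directives as documented in later SYSLINUX releases (none of them is mentioned in this thread); the sample configuration is constructed.

```python
# Audit a SYSLINUX/PXELINUX config for a user-extendable kernel command line.
# Assumed semantics (from the SYSLINUX documentation, not from this thread):
#   ALLOWOPTIONS 0 -> text typed at the boot prompt is not added (default 1)
#   PROMPT 1       -> boot prompt is always shown (default 0)
#   NOESCAPE 1     -> Shift/Alt/Caps Lock/Scroll Lock do not open the prompt

SAMPLE_CFG = """\
# constructed sample configuration, not taken from the thread
DEFAULT linux
PROMPT 0
LABEL linux
  KERNEL vmlinuz
  APPEND root=/dev/nfs ip=dhcp ro
"""

DEFAULTS = {"allowoptions": 1, "prompt": 0, "noescape": 0}

def parse_flags(text):
    """Return the last value given for each flag directive (defaults otherwise)."""
    flags = dict(DEFAULTS)
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue                        # blank line, comment, bare keyword
        key = parts[0].lower()              # keywords are case-insensitive
        if key in flags:
            try:
                flags[key] = int(parts[1].split()[0])
            except ValueError:
                pass                        # unparsable value: keep previous
    return flags

def audit(text):
    """Report whether a console user can extend the kernel command line."""
    f = parse_flags(text)
    prompt_reachable = f["prompt"] != 0 or f["noescape"] != 1
    options_allowed = f["allowoptions"] != 0
    return {
        "prompt_reachable": prompt_reachable,
        "options_allowed": options_allowed,
        "exposed": prompt_reachable and options_allowed,
    }

if __name__ == "__main__":
    print("default-style config:", audit(SAMPLE_CFG))
    print("with ALLOWOPTIONS 0: ", audit("ALLOWOPTIONS 0\n" + SAMPLE_CFG))
```

A result of `exposed: False` covers only options typed at the boot prompt; it does not assess the rest of the boot chain.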