[syslinux] SYSLINUX 2.09, 2.10-pre1 released

Marc Haisenko haisenko at be-ok.com
Fri Apr 30 01:24:48 PDT 2004

On Thursday 29 April 2004 19:56, H. Peter Anvin wrote:
> Gebhardt Thomas wrote:
> > Hi,
> >
> > I'd really appreciate if there were a PXELINUX option that would prevent
> > users from adding kernel commandline boot parameters apart from the
> > options nailed down in the configuration file. This is a very basic
> > security issue in an unattended, potentially hostile environment if you
> > don't want user to become root (init=/bin/sh), a situation not that
> > uncommon.
> >
> > I hope that such a configuration flag is not that complicated to
> > implement, since it is not a really new feature, but just disables an
> > already functional feature.
> It's a new feature, and it is unfortunately reasonably complex to
> implement.  What makes me really question the value is that it's not
> clear to me that there aren't other security holes in the whole scenario.
> 	-hpa

Well, after a very brief look at the comments it seems to me that in 
runkernel.inc the following happens: first the append=... options are added 
to the kernel options and then the options provided by the command line. 
Wouldn't it be easy to implement a configuration option that would skip 
construct_commandline and jump to commandline_end ? That would do just what 
all these people ask for (that request isn't showing up for the first time).

Or did you think of another (better, cleaner ?) way to implement such a "skip 
commandline options" feature ?

Marc Haisenko
Linux Solutions
Be O.K. service group GmbH

Rüdesheimer Straße 7
D-80686 München
Tel:   +49 (0)89 - 54 84 99 73
Fax:   +49 (0)89 - 54 84 99 28
e-mail: haisenko at be-ok.com

More information about the Syslinux mailing list