From 6ef0ddb4760e58f5dad51169a42e0c77cb5f41d5 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Tue, 8 Jun 2010 10:18:53 +0100
Subject: [PATCH] * docs/grub.texi (Security): Menu entries are unrestricted by default, not restricted to superusers as I had previously thought. Reword to account for this.
---
 ChangeLog | 6 ++++++
 docs/grub.texi | 18 +++++++++++++-----
 2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index c28f77bc8..ce24487d3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2010-06-08 Colin Watson
+
+ * docs/grub.texi (Security): Menu entries are unrestricted by
+ default, not restricted to superusers as I had previously thought.
+ Reword to account for this.
+
 2010-06-07 Colin Watson
 
 * kern/emu/misc.c (device_mapper_null_log): New function.
diff --git a/docs/grub.texi b/docs/grub.texi
index ffc6b8fe2..1c23460ea 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -1946,11 +1946,14 @@ sets the password hashed using the Password-Based Key Derivation Function
 In order to enable authentication support, the @samp{superusers} environment variable must be set to a list of usernames, separated by any of spaces, commas, semicolons, pipes, or ampersands. Superusers are permitted to use
-the GRUB command line, edit menu entries, and execute any menu entry.
+the GRUB command line, edit menu entries, and execute any menu entry. If
+@samp{superusers} is set, then use of the command line is automatically
+restricted to superusers.
 
 Other users may be given access to specific menu entries by giving a list of
-usernames (as above) using the @kbd{--users} option to the @samp{menuentry}
-command (@pxref{menuentry}).
+usernames (as above) using the @option{--users} option to the
+@samp{menuentry} command (@pxref{menuentry}). If the @option{--users}
+option is not used for a menu entry, then that entry is unrestricted.
 
 Putting this together, a typical @file{grub.cfg} fragment might look like this:
@@ -1961,12 +1964,17 @@ set superusers="root"
 password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
 password user1 insecure
 
-menuentry "Superusers only" @{
+menuentry "May be run by any user" @{
 set root=(hd0,1)
 linux /vmlinuz
 @}
 
-menuentry "May be run by user1" --users user1 @{
+menuentry "Superusers only" --users "" @{
+ set root=(hd0,1)
+ linux /vmlinuz single
+@}
+
+menuentry "May be run by user1 or a superuser" --users user1 @{
 set root=(hd0,2)
 chainloader +1
 @}