vbatts/grub
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

* docs/grub.texi (Security): Menu entries are unrestricted by

Browse source 
default, not restricted to superusers as I had previously thought.
Reword to account for this.
This commit is contained in:
Colin Watson 2010-06-08 10:18:53 +01:00
parent e0f4c43882
commit 6ef0ddb476
2 changed files with 19 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
ChangeLog
View file

@ -1,3 +1,9 @@
2010-06-08 Colin Watson <cjwatson@ubuntu.com>
* docs/grub.texi (Security): Menu entries are unrestricted by
default, not restricted to superusers as I had previously thought.
Reword to account for this.
2010-06-07 Colin Watson <cjwatson@ubuntu.com> 2010-06-07 Colin Watson <cjwatson@ubuntu.com>
* kern/emu/misc.c (device_mapper_null_log): New function. * kern/emu/misc.c (device_mapper_null_log): New function.

18
docs/grub.texi
View file

@ -1946,11 +1946,14 @@ sets the password hashed using the Password-Based Key Derivation Function
In order to enable authentication support, the @samp{superusers} environment In order to enable authentication support, the @samp{superusers} environment
variable must be set to a list of usernames, separated by any of spaces, variable must be set to a list of usernames, separated by any of spaces,
commas, semicolons, pipes, or ampersands. Superusers are permitted to use commas, semicolons, pipes, or ampersands. Superusers are permitted to use
the GRUB command line, edit menu entries, and execute any menu entry. the GRUB command line, edit menu entries, and execute any menu entry. If
@samp{superusers} is set, then use of the command line is automatically
restricted to superusers.
Other users may be given access to specific menu entries by giving a list of Other users may be given access to specific menu entries by giving a list of
usernames (as above) using the @kbd{--users} option to the @samp{menuentry} usernames (as above) using the @option{--users} option to the
command (@pxref{menuentry}). @samp{menuentry} command (@pxref{menuentry}). If the @option{--users}
option is not used for a menu entry, then that entry is unrestricted.
Putting this together, a typical @file{grub.cfg} fragment might look like Putting this together, a typical @file{grub.cfg} fragment might look like
this: this:
@ -1961,12 +1964,17 @@ set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
password user1 insecure password user1 insecure
menuentry "Superusers only" @{ menuentry "May be run by any user" @{
set root=(hd0,1) set root=(hd0,1)
linux /vmlinuz linux /vmlinuz
@} @}
menuentry "May be run by user1" --users user1 @{ menuentry "Superusers only" --users "" @{
set root=(hd0,1)
linux /vmlinuz single
@}
menuentry "May be run by user1 or a superuser" --users user1 @{
set root=(hd0,2) set root=(hd0,2)
chainloader +1 chainloader +1
@} @}