* docs/grub.texi (Security): Menu entries are unrestricted by
default, not restricted to superusers as I had previously thought. Reword to account for this.
This commit is contained in:
Colin Watson
parent
e0f4c43882
commit
6ef0ddb476
|
|
@ -1,3 +1,9 @@
|
||||||
|
2010-06-08 Colin Watson <cjwatson@ubuntu.com>
|
||||||
|
|
||||||
|
* docs/grub.texi (Security): Menu entries are unrestricted by
|
||||||
|
default, not restricted to superusers as I had previously thought.
|
||||||
|
Reword to account for this.
|
||||||
|
|
||||||
2010-06-07 Colin Watson <cjwatson@ubuntu.com>
|
2010-06-07 Colin Watson <cjwatson@ubuntu.com>
|
||||||
|
|
||||||
* kern/emu/misc.c (device_mapper_null_log): New function.
|
* kern/emu/misc.c (device_mapper_null_log): New function.
|
||||||
|
|
|
||||||
|
|
@ -1946,11 +1946,14 @@ sets the password hashed using the Password-Based Key Derivation Function
|
||||||
In order to enable authentication support, the @samp{superusers} environment
|
In order to enable authentication support, the @samp{superusers} environment
|
||||||
variable must be set to a list of usernames, separated by any of spaces,
|
variable must be set to a list of usernames, separated by any of spaces,
|
||||||
commas, semicolons, pipes, or ampersands. Superusers are permitted to use
|
commas, semicolons, pipes, or ampersands. Superusers are permitted to use
|
||||||
the GRUB command line, edit menu entries, and execute any menu entry.
|
the GRUB command line, edit menu entries, and execute any menu entry. If
|
||||||
|
@samp{superusers} is set, then use of the command line is automatically
|
||||||
|
restricted to superusers.
|
||||||
|
|
||||||
Other users may be given access to specific menu entries by giving a list of
|
Other users may be given access to specific menu entries by giving a list of
|
||||||
usernames (as above) using the @kbd{--users} option to the @samp{menuentry}
|
usernames (as above) using the @option{--users} option to the
|
||||||
command (@pxref{menuentry}).
|
@samp{menuentry} command (@pxref{menuentry}). If the @option{--users}
|
||||||
|
option is not used for a menu entry, then that entry is unrestricted.
|
||||||
|
|
||||||
Putting this together, a typical @file{grub.cfg} fragment might look like
|
Putting this together, a typical @file{grub.cfg} fragment might look like
|
||||||
this:
|
this:
|
||||||
|
|
@ -1961,12 +1964,17 @@ set superusers="root"
|
||||||
password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
|
password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
|
||||||
password user1 insecure
|
password user1 insecure
|
||||||
|
|
||||||
menuentry "Superusers only" @{
|
menuentry "May be run by any user" @{
|
||||||
set root=(hd0,1)
|
set root=(hd0,1)
|
||||||
linux /vmlinuz
|
linux /vmlinuz
|
||||||
@}
|
@}
|
||||||
|
|
||||||
menuentry "May be run by user1" --users user1 @{
|
menuentry "Superusers only" --users "" @{
|
||||||
|
set root=(hd0,1)
|
||||||
|
linux /vmlinuz single
|
||||||
|
@}
|
||||||
|
|
||||||
|
menuentry "May be run by user1 or a superuser" --users user1 @{
|
||||||
set root=(hd0,2)
|
set root=(hd0,2)
|
||||||
chainloader +1
|
chainloader +1
|
||||||
@}
|
@}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue