The dracut debug shell gives users root-like access without a password. This is not a good thing if the admin has decided that the system should have a password-protected boot loader. So for boot loaders that support password protection, we should also add the rd.shell=0 flag to the boot arguments to prevent the user from gaining root-level access. --- pyanaconda/bootloader.py | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/pyanaconda/bootloader.py b/pyanaconda/bootloader.py
index f375f5b..b10c25b 100644
--- a/pyanaconda/bootloader.py
+++ b/pyanaconda/bootloader.py
@@ -1682,6 +1682,10 @@ class GRUB2(GRUB):
def write_config(self):
 self.write_config_console(None)
+ # See if we have a password and if so update the boot args before we
+ # write out the defaults file.
+ if self.password or self.encrypted_password:
+ self.boot_args.add("rd.shell=0")
 self.write_defaults()
# if we fail to setup password auth we should complete the
@@ -1865,6 +1869,8 @@ class YabootSILOBase(BootLoader):
 continue
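Review bot: In `GRUB2.write_config` the added comment records what is done but not why, and the security reasoning exists only in the commit message; I would word it `# A password-protected boot loader must not leave dracut's emergency shell as a password-free root prompt, so disable it.` The flag goes into the persistent `self.boot_args` before `write_defaults()`, while the trailing context comment (`# if we fail to setup password auth ...`) suggests password setup can still fail later in this function, which continues outside the hunk. In that case `rd.shell=0` would presumably be written for a loader that ended up unprotected, where the argument gives no real guarantee, so a log message on that failure path would help whoever audits the installed system. The comment should also say that with the shell disabled a failed boot can only be recovered from rescue media.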
args = Arguments()
+ if self.password or self.encrypted_password:
+ args.add("rd.shell=0")
 if image.initrd:
 initrd_line = "\tinitrd=%s/%s\n" % (self.boot_prefix, image.initrd)
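Review bot: The test `if self.password or self.encrypted_password:` is now written out twice, here in `YabootSILOBase` and in `GRUB2.write_config`, so the two copies can drift if another credential field is ever added. A single property on the common base class (presumably `BootLoader`), for example `has_password` (the name is only a suggestion) returning `bool(self.password or self.encrypted_password)`, would keep both call sites in step. The commit message speaks of all boot loaders that support password protection, but only these two write paths are touched; if the legacy `GRUB` parent or another loader class has its own config writer with password support, it would not receive `rd.shell=0`. That is worth confirming, since those classes are not visible here. The loop body around this hunk starts and ends outside it.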
ack
----- Original Message -----
Dracut debug shell gives users root like access, without a password. This is not a good thing if the admin has decided that the system should have a password protected boot loader. So for boot loaders that support password protection, we should also add the rd.shell=0 flag to the boot arguments to prevent the user from gaining root level access.
pyanaconda/bootloader.py | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/pyanaconda/bootloader.py b/pyanaconda/bootloader.py index f375f5b..b10c25b 100644 --- a/pyanaconda/bootloader.py +++ b/pyanaconda/bootloader.py @@ -1682,6 +1682,10 @@ class GRUB2(GRUB):
def write_config(self): self.write_config_console(None)
# See if we have a password and if so update the boot argsbefore we
# write out the defaults file.if self.password or self.encrypted_password:self.boot_args.add("rd.shell=0") self.write_defaults() # if we fail to setup password auth we should complete the@@ -1865,6 +1869,8 @@ class YabootSILOBase(BootLoader): continue
args = Arguments()
if self.password or self.encrypted_password:args.add("rd.shell=0") if image.initrd: initrd_line = "\tinitrd=%s/%s\n" % (self.boot_prefix, image.initrd)-- 1.7.10.4