On Monday 30 November 2009 15:43:26 Bill Nottingham wrote:
Gene Czarcinski (gene@czarc.net) said:
Keep it simple (KISS) for the initial attempt. It will grow more complicated all by itself as time passes.
BTW, the security policy should assume that a grub password is in use so that a user cannot do something like disabling selinux by editing the kernel command line. This should be tested by the security QA.
That seems very broken. A security policy that is violated on every single out of the box install that doesn't do customization?
Agreed ... it is broken.
As I see it, the problem is that without a grub password, then an un- privileged user can edit the command line to disable selinux or bootup in single user mode.
On the other hand, there is also "good enough" versus perfect. In a perfect world, a user would (by default) be required to enter that password. In a "good enough" world, have the option to set the password.
A "split the difference" (better) world (this is a change from existing implementation): have the grub password default to being root's password.
[I have not tested this in install but I assume that root's password cannot be null.]
I do not want to see the goal for Fedora to be perfect ... simply "good enough".
Gene