On Monday 30 November 2009 15:43:26 Bill Nottingham wrote:
> Gene Czarcinski (gene(a)czarc.net) said:
> > Keep it simple (KISS) for the initial attempt. It will grow more
> > complicated all by itself as time passes.
> >
> > BTW, the security policy should assume that a grub password is in use so
> > that a user cannot do something like disabling selinux by editing the
> > kernel command line. This should be tested by the security QA.
>
> That seems very broken. A security policy that is violated on every
> single out of the box install that doesn't do customization?
Agreed ... it is broken.
As I see it, the problem is that without a grub password, an unprivileged
user can edit the command line to disable selinux or boot up in single user
mode.
On the other hand, there is also "good enough" versus perfect. In a perfect
world, a user would (by default) be required to enter that password. In a
"good enough" world, have the option to set the password.
A "split the difference" (better) world (this is a change from existing
implementation): have the grub password default to being root's password.
[I have not tested this in install but I assume that root's password cannot be
null.]
I do not want to see the goal for Fedora to be perfect ... simply "good
enough".
Gene
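As an added illustration of the mechanism under discussion (not code from this thread or from Fedora), the script below builds the global `password --md5` directive for a GRUB legacy grub.conf and checks whether a config already carries one. It assumes GRUB legacy syntax and uses `openssl passwd -1` in place of `grub-md5-crypt`, since both emit the same MD5-crypt `$1$` hash format; the sample grub.conf and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. GRUB legacy reads a
# global "password" directive from grub.conf; without one, anyone at the
# console can edit the kernel command line (e.g. append selinux=0 or
# "single") before booting.

# grub_password_line PASSWORD SALT -> "password --md5 $1$SALT$..."
# The salt is a parameter only so the output is reproducible here; let
# openssl pick a random salt for a real configuration.
grub_password_line() {
    hash=$(openssl passwd -1 -salt "$2" "$1") || return 1
    printf 'password --md5 %s\n' "$hash"
}

# grub_conf_protected FILE -> exit 0 if a global password directive (one
# that appears before any "title" stanza) is present, 1 otherwise.
grub_conf_protected() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*title([[:space:]]|$)/ { in_title = 1 }
        !in_title && /^[[:space:]]*password([[:space:]]|$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample: a stock grub.conf with no password, then the same
# file with the directive inserted after the global settings.
GRUB_SAMPLE=$(mktemp)
cat > "$GRUB_SAMPLE" <<'EOF'
default=0
timeout=5
title Fedora
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2 rhgb quiet
        initrd /initrd.img
EOF
grub_conf_protected "$GRUB_SAMPLE" && echo "protected" \
    || echo "unprotected: kernel command line editable at boot"

{ head -n 2 "$GRUB_SAMPLE"
  grub_password_line 'placeholder-password' 'abcd1234'
  tail -n +3 "$GRUB_SAMPLE"; } > "$GRUB_SAMPLE.new"
grub_conf_protected "$GRUB_SAMPLE.new" && echo "protected" || echo "unprotected"
```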