Date: Thu, 7 Jan 2010 20:06:19 +0100
From: Robert Millan
To: The development of GNU GRUB
Cc: Colin Watson
Subject: Re: meaning of absent --users prameters.
Message-ID: <20100107190619.GG12029@thorin>
In-Reply-To: <4B1BF3BF.9010900@gmail.com>

On Sun, Dec 06, 2009 at 07:11:11PM +0100, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
> Hello. Currently authentication system works as following:
>
> menuentry "name" --users "a,b,c" {
> }
> Means that only superusers and users "a", "b" and "c" are permitted to
> boot this menuentry. To allow only superusers to boot an entry one would
> need:
> menuentry "name" --users "" {
> }
> And absence of --users means "anyone can choose this entry".
> Unfortunately this is error-prone. Does anyone oppose to change it to:
> No --users: only superusers
> To have an unlocked entry you have to add --unlocked

I agree this is error-prone and encourages insecure ways of using GRUB.

However, this has the potential to render the system unbootable if the user
made a mistake. I think that should be avoided too.

How about:

  "--locked"                == only superusers can boot
  "--locked --users a,b,c"  == only a,b,c and superusers can boot
  ""                        == everyone can boot

-- 
Robert Millan

  "Be the change you want to see in the world" -- Gandhi
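
Added example (not part of the original message and not GRUB code): a small model that reads menuentry header lines and reports who may boot each entry under the three rule sets discussed in this thread. It shows where an entry written without any option ends up open to everyone and where it ends up superuser-only. Assumptions: the header parsing is simplified, a rule set ignores options it does not define, and combinations the thread does not define are reported as such.

```python
import shlex

EVERYONE, UNSPECIFIED = "everyone", "not specified in the thread"

def parse_header(line):
    """Return (title, users, flags); users is None when --users is absent."""
    tok = shlex.split(line.split("{", 1)[0])
    title, users, flags = tok[1], None, set()
    it = iter(tok[2:])
    for t in it:
        if t == "--users":
            users = [u for u in next(it, "").split(",") if u]
        else:
            flags.add(t)
    return title, users, flags

def restricted(users):
    return ",".join(["superusers", *users])

def current(users, flags):            # behaviour described in the quoted message
    return EVERYONE if users is None else restricted(users)

def unlocked_proposal(users, flags):  # quoted proposal: locked unless --unlocked
    if "--unlocked" in flags:
        return EVERYONE if users is None else UNSPECIFIED
    return restricted(users or [])

def locked_proposal(users, flags):    # reply's proposal: open unless --locked
    if "--locked" in flags:
        return restricted(users or [])
    return EVERYONE if users is None else UNSPECIFIED

SCHEMES = {"current": current, "unlocked": unlocked_proposal, "locked": locked_proposal}

def audit(config, scheme):
    """Map each menuentry title to who may boot it under the named scheme."""
    entries = [parse_header(l) for l in config.splitlines() if l.lstrip().startswith("menuentry ")]
    return {title: SCHEMES[scheme](users, flags) for title, users, flags in entries}

# Constructed sample: header lines only, entry bodies omitted.
SAMPLE = '''\
menuentry "Linux" {
menuentry "Maintenance" --users "alice,bob" {
menuentry "Firmware tools" --users "" {
menuentry "Memtest" --unlocked {
menuentry "Backup" --locked --users alice {
'''

if __name__ == "__main__":
    for name in SCHEMES:
        print(name, audit(SAMPLE, name))
```

The "Linux" entry carries no options: it is open to everyone under the current rules and the --locked proposal, and superuser-only under the --unlocked proposal, which is the trade-off between an accidentally open entry and an accidentally unbootable one that the two messages weigh.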