* meaning of absent --users parameters.
From: Vladimir 'φ-coder/phcoder' Serbinenko @ 2009-12-06 18:11 UTC
  To: The development of GRUB 2; +Cc: Colin Watson

Hello. Currently the authentication system works as follows:

menuentry "name" --users "a,b,c" {
}
This means that only superusers and users "a", "b" and "c" are permitted to
boot this menuentry. To allow only superusers to boot an entry one would
need:
menuentry "name" --users "" {
}
And the absence of --users means "anyone can choose this entry".
Unfortunately this is error-prone. Does anyone oppose changing it to:
No --users: only superusers
To have an unlocked entry you have to add --unlocked

-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko




* Re: meaning of absent --users parameters.
From: Bruce Dubbs @ 2009-12-06 18:30 UTC
  To: The development of GNU GRUB

Vladimir 'φ-coder/phcoder' Serbinenko wrote:
> Hello. Currently the authentication system works as follows:
> 
> menuentry "name" --users "a,b,c" {
> }
> This means that only superusers and users "a", "b" and "c" are permitted to
> boot this menuentry. To allow only superusers to boot an entry one would
> need:
> menuentry "name" --users "" {
> }
> And the absence of --users means "anyone can choose this entry".
> Unfortunately this is error-prone. Does anyone oppose changing it to:
> No --users: only superusers
> To have an unlocked entry you have to add --unlocked

First, what is the definition of a 'superuser'?  Where does GRUB get the
information to make a decision?

In any case, I'd recommend

   --users: superusers only

or even

   --users: superusers
-------
   -- Bruce




* Re: meaning of absent --users parameters.
From: Vladimir 'φ-coder/phcoder' Serbinenko @ 2009-12-06 18:37 UTC
  To: The development of GNU GRUB

Bruce Dubbs wrote:
> Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>> Hello. Currently the authentication system works as follows:
>>
>> menuentry "name" --users "a,b,c" {
>> }
>> This means that only superusers and users "a", "b" and "c" are permitted to
>> boot this menuentry. To allow only superusers to boot an entry one would
>> need:
>> menuentry "name" --users "" {
>> }
>> And the absence of --users means "anyone can choose this entry".
>> Unfortunately this is error-prone. Does anyone oppose changing it to:
>> No --users: only superusers
>> To have an unlocked entry you have to add --unlocked
>
> First, what is the definition of a 'superuser'?  Where does GRUB get
> the information to make a decision?
>
Superusers are set on a per-configuration basis with
set superusers=<list>
These users are allowed to invoke the shell and edit menu entries, so there
is no reason to restrict which entries they are allowed to boot.
> In any case, I'd recommend
>
>   --users: superusers only
>
> or even
>
>   --users: superusers
I don't get what you mean.
> -------
>   -- Bruce


-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko




* Re: meaning of absent --users parameters.
From: Bruce Dubbs @ 2009-12-06 18:50 UTC
  To: The development of GNU GRUB

Vladimir 'φ-coder/phcoder' Serbinenko wrote:
> Bruce Dubbs wrote:
>> Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>>> Hello. Currently the authentication system works as follows:
>>>
>>> menuentry "name" --users "a,b,c" {
>>> }
>>> This means that only superusers and users "a", "b" and "c" are permitted to
>>> boot this menuentry. To allow only superusers to boot an entry one would
>>> need:
>>> menuentry "name" --users "" {
>>> }
>>> And the absence of --users means "anyone can choose this entry".
>>> Unfortunately this is error-prone. Does anyone oppose changing it to:
>>> No --users: only superusers
>>> To have an unlocked entry you have to add --unlocked
>> First, what is the definition of a 'superuser'?  Where does GRUB get
>> the information to make a decision?
>>
> Superusers are set on a per-configuration basis with
> set superusers=<list>
> These users are allowed to invoke the shell and edit menu entries, so there
> is no reason to restrict which entries they are allowed to boot.
>> In any case, I'd recommend
>>
>>   --users: superusers only
>>
>> or even
>>
>>   --users: superusers
> I don't get what you mean.

I thought you were asking about a parameter to the menuentry command:

   menuentry "name" --users "a,b,c" {

I was recommending:

   menuentry "name" --users superusers {

where superusers is a keyword implying all superusers.

   -- Bruce




* Re: meaning of absent --users parameters.
From: Vladimir 'φ-coder/phcoder' Serbinenko @ 2009-12-06 19:08 UTC
  To: The development of GNU GRUB

Bruce Dubbs wrote:
> Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>> Bruce Dubbs wrote:
>>> Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>>>> Hello. Currently the authentication system works as follows:
>>>>
>>>> menuentry "name" --users "a,b,c" {
>>>> }
>>>> This means that only superusers and users "a", "b" and "c" are permitted to
>>>> boot this menuentry. To allow only superusers to boot an entry one would
>>>> need:
>>>> menuentry "name" --users "" {
>>>> }
>>>> And the absence of --users means "anyone can choose this entry".
>>>> Unfortunately this is error-prone. Does anyone oppose changing it to:
>>>> No --users: only superusers
>>>> To have an unlocked entry you have to add --unlocked
>>> First, what is the definition of a 'superuser'?  Where does GRUB get
>>> the information to make a decision?
>>>
>> Superusers are set on a per-configuration basis with
>> set superusers=<list>
>> These users are allowed to invoke the shell and edit menu entries, so there
>> is no reason to restrict which entries they are allowed to boot.
>>> In any case, I'd recommend
>>>
>>>   --users: superusers only
>>>
>>> or even
>>>
>>>   --users: superusers
>> I don't get what you mean.
>
> I thought you were asking about a parameter to the menuentry command:
>
>   menuentry "name" --users "a,b,c" {
>
> I was recommending:
>
>   menuentry "name" --users superusers {
>
> where superusers is a keyword implying all superusers.
>
Actually the real question is about the interpretation of a missing --users.
Actually your suggestion --users superusers has the problem that a user
"superusers" may actually exist. BTW:
menuentry "name" --users $superusers {
is already accepted.
>   -- Bruce


-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko




* Re: meaning of absent --users parameters.
From: Bruce Dubbs @ 2009-12-06 19:13 UTC
  To: The development of GNU GRUB

Vladimir 'φ-coder/phcoder' Serbinenko wrote:

> Actually the real question is about the interpretation of a missing --users.
> Actually your suggestion --users superusers has the problem that a user
> "superusers" may actually exist. BTW:
> menuentry "name" --users $superusers {
> is already accepted.

OK.  Sorry for the noise.

   -- Bruce





* Re: meaning of absent --users parameters.
From: Robert Millan @ 2010-01-07 19:06 UTC
  To: The development of GNU GRUB; +Cc: Colin Watson

On Sun, Dec 06, 2009 at 07:11:11PM +0100, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
> Hello. Currently the authentication system works as follows:
> 
> menuentry "name" --users "a,b,c" {
> }
> This means that only superusers and users "a", "b" and "c" are permitted to
> boot this menuentry. To allow only superusers to boot an entry one would
> need:
> menuentry "name" --users "" {
> }
> And the absence of --users means "anyone can choose this entry".
> Unfortunately this is error-prone. Does anyone oppose changing it to:
> No --users: only superusers
> To have an unlocked entry you have to add --unlocked

I agree this is error-prone and encourages insecure ways of using GRUB.

However, this has the potential to render the system unbootable if the user
made a mistake.  I think that should be avoided too.

How about:

"--locked" == only superusers can boot
"--locked --users a,b,c" == only a,b,c and superusers can boot
"" == everyone can boot

-- 
Robert Millan

  "Be the change you want to see in the world" -- Gandhi
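To put the three conventions in this thread side by side (the existing behaviour Vladimir describes in the first message, his --unlocked proposal, and Robert's --locked proposal), here is a constructed Python model. It is an added example, not GRUB's own code: the menuentry syntax, the `superusers` variable and the flag names come from the thread, while the parsing, the whole-token expansion of `--users $superusers` that Vladimir mentions, and the treatment of `--users` without `--locked` (which Robert's message does not cover) are assumptions. The "Forgot the flag" entry is the mistake both proposals weigh: under today's rule it is bootable by an unauthenticated user, under --unlocked it falls closed to superusers, and under --locked it stays open but the machine stays bootable.

```python
"""Constructed model of the --users conventions debated in this thread.

Added example, not GRUB source code: a small pure-Python decision function
so the three conventions can be compared on identical inputs. The menuentry
syntax, the `superusers` variable and the --users, --unlocked and --locked
flags are taken from the thread; parsing and $variable expansion are
simplified approximations (assumptions).
"""
import shlex
from dataclasses import dataclass
from typing import Optional

# Sentinel for "nobody has authenticated"; never a configured user name.
ANONYMOUS = "<unauthenticated>"

CONVENTIONS = ("current", "unlocked", "locked")


@dataclass
class MenuEntry:
    name: str
    users: Optional[list] = None  # None: --users absent;  []: --users ""
    unlocked: bool = False        # Vladimir's proposed --unlocked flag
    locked: bool = False          # Robert's proposed --locked flag


def parse_menuentry(line: str, variables: Optional[dict] = None) -> MenuEntry:
    """Parse the opening line of a menuentry block, e.g.
    menuentry "name" --users "a,b,c" {
    A --users value of the form $name is expanded from `variables`; this is
    how --users $superusers is modelled (whole-token expansion only, an
    assumption: GRUB's real variable expansion is richer).
    """
    variables = variables or {}
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "menuentry":
        raise ValueError("not a menuentry line: %r" % line)
    entry = MenuEntry(name=tokens[1])
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--users":
            if i + 1 >= len(tokens):
                raise ValueError("--users requires an argument")
            value = tokens[i + 1]
            if value.startswith("$"):
                value = variables.get(value[1:], "")
            entry.users = [u for u in value.split(",") if u]
            i += 2
            continue
        if tok == "--unlocked":
            entry.unlocked = True
        elif tok == "--locked":
            entry.locked = True
        i += 1
    return entry


def can_boot(entry: MenuEntry, user: str, superusers: set, convention: str) -> bool:
    """Decide whether `user` may boot `entry` under one convention.

    current  : absent --users means anyone may boot (the behaviour described
               in the first message); --users "" means superusers only
    unlocked : absent --users means superusers only; --unlocked opens the entry
    locked   : no flags means everyone; --locked restricts the entry to the
               --users list plus superusers. --users without --locked is
               treated as unrestricted (assumption: Robert's message is silent)
    Superusers may always boot: the thread notes they can already edit entries.
    """
    if user in superusers:
        return True
    listed = entry.users is not None and user in entry.users
    if convention == "current":
        return entry.users is None or listed
    if convention == "unlocked":
        return entry.unlocked or listed
    if convention == "locked":
        return (not entry.locked) or listed
    raise ValueError("unknown convention: %r" % convention)


def who_can_boot(line, superusers, variables=None,
                 candidates=(ANONYMOUS, "a", "root")):
    """Return, per convention, which candidates may boot the entry on `line`."""
    entry = parse_menuentry(line, variables)
    return {c: [u for u in candidates if can_boot(entry, u, superusers, c)]
            for c in CONVENTIONS}


if __name__ == "__main__":
    # Constructed configuration fragment; "root" is the only superuser.
    superusers = {"root"}
    variables = {"superusers": "root"}
    config = [
        'menuentry "Linux" --users "a,b,c" {',
        'menuentry "Rescue" --users "" {',
        'menuentry "Forgot the flag" {',           # the error-prone case
        'menuentry "Admin" --users $superusers {',
        'menuentry "Locked" --locked --users "a" {',
        'menuentry "Open" --unlocked {',
    ]
    for line in config:
        print(line)
        for conv, who in who_can_boot(line, superusers, variables).items():
            print("    %-8s -> %s" % (conv, ", ".join(who)))
```

Run it as a script to see the per-entry table; the row for "Forgot the flag" is the one that differs between the conventions, which is the whole point of the thread. Note that Bruce's `--users superusers` keyword would be parsed here as a literal user named "superusers", which is exactly the ambiguity Vladimir points out.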


