08.11.2015 23:55, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
> On 11.06.2015 05:55, Andrei Borzenkov wrote:
>> On Wed, 10 Jun 2015 21:35:51 +0200
>> "Vladimir 'phcoder' Serbinenko" wrote:
>>
>>> This patch may allow to escape to shell if menu was called from context
>>> without menu entries. This may happen inadvertently I.a. when using
>>> configfile. You need to add an additional parameter to indicate whether
>>> it's OK to break from menu
>>
>> Could you explain? Grub does
>>
>> grub_enter_normal
>> grub_normal_execute
>> grub_show_menu
>> grub_cmdline_run
>>
>> if after processing config file there are no menu entries we do not
>> even call grub_show_menu. And even if we do, after return from it there
>> is mandatory authentication in grub_cmdline_run.
>>
> Imagine something like following:
> grub.cfg:
> # Use another config file
> configfile grub2.cfg
> grub2.cfg:
> superusers=root
> ....
> Then pressing escape would lead you to the parent context where there is
> no password protection.
> Question is whether this is a misconfiguration on grub.cfg side (i.a.
> should have been source, not configfile) or something to deal on code side.

OK, what about the attached patch? It moves authentication where it belongs -
to return from nested configfile.
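
The layout discussed in this thread, as an added example that is not part of the original messages or of GRUB: a simplified, line-based audit that flags a `configfile` call made from a context where `superusers` is unset into a file that sets it. The `SAMPLE` contents and the functions `walk` and `audit` are constructed for illustration; the check relies on GRUB's documented behaviour that `source` runs in the current context while environment changes made under `configfile` are not preserved after it returns.

```python
import re

# Constructed sample mirroring the layout in the thread (not real system files).
SAMPLE = {
    "grub.cfg": "# Use another config file\nconfigfile grub2.cfg\n",
    "grub2.cfg": 'superusers=root\nmenuentry "Linux" {\n  true\n}\n',
}

# Simplification: plain line matching, no conditionals or variable expansion.
SET_SU = re.compile(r"^\s*(?:set\s+)?superusers=\S")
LOAD = re.compile(r"^\s*(configfile|source)\s+(\S+)")


def walk(name, configs, protected, findings, stack=()):
    """Return True if superusers is set once `name` has run in this context."""
    if name not in configs or name in stack:  # unknown file or include loop
        return protected
    for lineno, line in enumerate(configs[name].splitlines(), 1):
        if SET_SU.match(line):
            protected = True
            continue
        m = LOAD.match(line)
        if not m:
            continue
        cmd, target = m.groups()
        if cmd == "source":
            # source runs in the current context, so its assignments persist.
            protected = walk(target, configs, protected, findings, stack + (name,))
        elif not protected:
            # configfile: the child's superusers setting is gone on return, so
            # leaving the child menu lands in this unprotected context.
            if walk(target, configs, False, findings, stack + (name,)):
                findings.append((name, lineno, target))
    return protected


def audit(configs, root="grub.cfg"):
    """List (file, line, target) for each protected child reached via
    configfile from an unprotected parent context."""
    findings = []
    walk(root, configs, False, findings)
    return findings


if __name__ == "__main__":
    for parent, lineno, child in audit(SAMPLE):
        print(f"{parent}:{lineno}: configfile {child} sets superusers, parent does not")
```
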