Date: Fri, 12 Jun 2015 07:59:19 +0300
From: Andrei Borzenkov
To: Michael Chang
Cc: The development of GNU GRUB
Subject: Re: [RFC] Support menuentry options in simple configuration interface
Message-ID: <20150612075919.65ce64fb@opensuse.site>
In-Reply-To: <20150611031301.GB26646@linux-dsax.tai.apac.novell.com>

On Thu, 11 Jun 2015 11:13:01 +0800
Michael Chang wrote:

> On Mon, Jun 01, 2015 at 11:35:49AM +0800, Michael Chang wrote:
> > On Sat, May 30, 2015 at 10:39:06AM +0300, Andrei Borzenkov wrote:
> > > On Tue, 26 May 2015 15:53:14 +0800
> > > Michael Chang wrote:
> > >
> > > > This patch provides settings in simple configuration interface that can set
> > > > common options to menuentry. One of the use cases is specifying the security
> > > > settings thus it won't be overwritten by grub-mkconfig. For eg.
> > > >
> > > > GRUB_MENU_ENTRY_OPTION_LINUX="--unrestricted"
> > > > GRUB_MENU_ENTRY_OPTION_OSPROBER="--users user1"
> > > >
> > >
> > > I'm not sure. I actually feel like configurations that need detailed
> > > per user authorizations simply do not fit into simplistic
> > > grub-mkconfig. Next someone will miss per-menuentry user list.
> >
> > Thanks for comment. I'm also not sure as per menu entry options not fit
> > well with global options context provided by simple interface. But from
> > my understanding, generic options settings may be more welcome from
> > upstream POV, so that's why I send it here as RFC patch. :)
> >
> > >
> > > Most common request is really to allow menu boot while restricting
> > > command line, so I think that adding support for this to grub-mkconfig
> > > would be fine.
> >
> > Yes. We have quite many users request the password protection to work
> > the same way as legacy grub, that is actually what --unrestricted could
> > provide them, but they need to manually patch grub scripts to keep their
> > settings persist as currently distribution tools have no way to
> > integrate it by lacking of interface in simple config. We can extend that
> > on our own, of course, but it seems better to coordinate on upstream if
> > possible.
> >
> > How do you think proposed option like this?
> >
> > GRUB_UNRESTRICTED_MENU_ENTRY="true"
>
> Hi Andrei,
>
> Do you have any comment on the new setting? I am absolutely happy to
> work on the patch if it's the way to go.
>
> If not, do you have any other recommends or be it a down-stream settings
> is more feasible here?
>

What I do not like in all this - such option requires explicit support
in grub.d script. IOW by adding such an option we make promise to make
all menu entries unrestricted, which we cannot hold. It is not true for
most other options which are either interpreted by core or apply to
specific scripts, so no global expectations.
Exceptions are GRUB_DISTRIBUTOR and GRUB_DISABLE_RECOVERY which are
unfortunate. But GRUB_DISTRIBUTOR is advisory-only, so it is OK.

Also there are GRUB legacy and syslinux generated menu entries which
would not be covered here at all.

Note that default in the past was unrestricted. I tried to find
rationale for changing it, but could not really. There is

http://marc.info/?t=139175165000018&r=1&w=2

without explanation why it was error prone.

Vladimir, what about adding unrestricted_menu=y environment variable
that could then be set in 00_header using GRUB_UNRESTRICTED_MENU
option? This would allow users to globally turn it on/off for all menu
entries.
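
The coverage concern in the message above (a global setting only reaches entries whose grub.d script honours it) can be checked on the generated file. The following Python audit is an added example, not part of the original message and not GRUB code: it classifies every menuentry/submenu line of a grub.cfg by who may boot it once superusers is set. The sample configuration and all function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample of grub-mkconfig output; titles and users are placeholders.
SAMPLE_CFG = """\
set superusers="root"
menuentry 'Linux' --class gnu-linux --unrestricted $menuentry_id_option 'gnulinux-simple' {
    linux /vmlinuz root=/dev/sda1
}
submenu 'Advanced options for Linux' --unrestricted {
    menuentry 'Linux (recovery mode)' --class gnu-linux {
        linux /vmlinuz root=/dev/sda1 single
    }
}
menuentry 'Other OS (on /dev/sda2)' --users user1 {
    chainloader +1
}
"""

def classify(args, superusers_set):
    """Map one entry's options to who may boot it."""
    if not superusers_set:
        return "open"                  # no authentication configured
    if "--unrestricted" in args:       # checked first: a choice made by this script
        return "unrestricted"
    for i, arg in enumerate(args):
        if arg.startswith("--users="):
            return "users:" + arg.split("=", 1)[1]
        if arg == "--users" and i + 1 < len(args):
            return "users:" + args[i + 1]
    return "superusers-only"

def audit(cfg_text):
    """Return (kind, title, access) for every menuentry/submenu line."""
    su = re.search(r"""^\s*set\s+superusers=["']?[^"'\s]""", cfg_text, re.M)
    found = []
    for line in map(str.strip, cfg_text.splitlines()):
        if re.match(r"(menuentry|submenu)\s", line):
            # Assumes the title is the first argument, as in generated files.
            words = shlex.split(line.rstrip("{ "))
            found.append((words[0], words[1], classify(words[2:], bool(su))))
    return found

def needs_password(cfg_text):  # titles that ask for credentials before booting
    return [t for _, t, a in audit(cfg_text) if a not in ("open", "unrestricted")]

if __name__ == "__main__":
    for kind, title, access in audit(SAMPLE_CFG):
        print(f"{access:16} {kind:10} {title}")
```

On the constructed sample, the recovery entry inside the unrestricted submenu is still reported as superusers-only, which is the kind of gap a global "unrestricted" promise would leave when one generating script does not implement it.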