From: Harald Hoyer <harald-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Jeremy Katz <katzj-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH 10/10] add "rdshell" command line argument
Date: Mon, 13 Jul 2009 12:29:41 +0200
Message-ID: <4A5B0C95.3030609@redhat.com>
In-Reply-To: <20090706015313.GA70037-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

On 07/06/2009 03:53 AM, Jeremy Katz wrote:
> On Friday, July 03 2009, Harald Hoyer said:
>> Only drop to an interactive shell if "rdshell" is specified on the
>> command line. This prevents malicious users from gaining easy shell
>> access to the host system (grub might be secured with a password).
>
> I don't have a strong opinion about doing this vs not, but how could
> they end up getting easy shell access? If grub is secured with a
> password, they can't change kernel arguments. If they can change kernel
> arguments, they can just add rdshell rather than change the root=
> specifier.
>
> Jeremy

If root is on a network device, they can just unplug the network cable and end
up with a shell, then they can replug the cable and do whatever they want in the
shell.
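
Added example (not part of the original message and not dracut's own code): a sketch of the gate the patch subject describes, where a root-mount failure only leads to an interactive shell if "rdshell" is a whole token on the kernel command line. The function names, the "no-shell" fallback and the sample command lines are assumptions made for illustration.

```shell
#!/bin/sh
# Illustrative only; names below are hypothetical, not taken from dracut.

# cmdline_has_flag FLAG [CMDLINE]
# Succeeds only if FLAG is a complete whitespace-separated token, so
# "nordshell" or "foo=rdshell" do not count. Reads /proc/cmdline when no
# CMDLINE is passed. Quoted values containing spaces are not parsed
# (simplifying assumption).
cmdline_has_flag() (
    flag=$1
    cmdline=${2-$(cat /proc/cmdline 2>/dev/null || true)}
    set -f    # no globbing while splitting; scoped to this subshell
    for tok in $cmdline; do
        if [ "$tok" = "$flag" ]; then
            exit 0
        fi
    done
    exit 1
)

# on_root_failure [CMDLINE]
# Prints the action to take when the root device never appears, e.g.
# because the network cable was pulled on a network-root host.
# "no-shell" stands for whatever non-interactive failure path is chosen;
# the message does not say what that path is.
on_root_failure() {
    if cmdline_has_flag rdshell "$@"; then
        echo shell
    else
        echo no-shell
    fi
}
```

With the boot loader password-protected, the kernel command line is fixed, so pulling the cable on a network-root machine reaches only the "no-shell" branch.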