Gentoo Archives: gentoo-releng

From: Brad House <brad_mssw@g.o>
To: Martin Schlemmer <azarah@g.o>
Cc: gentoo-releng@l.g.o
Subject: Re: [gentoo-releng] Re: baselayout changes for livecds
Date: Sat, 17 Jan 2004 20:58:02
Message-Id: 65000.68.105.173.45.1074373079.squirrel@mail.mainstreetsoftworks.com
In Reply to: Re: [gentoo-releng] Re: baselayout changes for livecds by Martin Schlemmer
well, I hate to tell you, but 99% of the patch deals with stuff
not related to the kernel reading cdroot off the command
line.  Also, CDBOOT was being put to the end of the rc.conf already,
but it did not appear to work, and we are using the cdroot command
line already specific to genkernel's initrd, so it was a non-wasteful
way to implement it.

I don't have time to argue on this stuff.  The patch is sane,
it needs to be committed, yes there are other ways to do it,
but unless you have another option real soon,
that is tested and works, we're going to need something
in baselayout.

Azarah, did you not get my patches? Have you looked at them?

-Brad

> On Sat, 2004-01-17 at 20:29, Paul de Vrieze wrote:
>> On Saturday 17 January 2004 18:06, Brad House wrote:
>> > no, the rcscripts must now parse the kernel commandline opts
>> > to get a few options. There's really not many other ways to
>> > do it. Besides you just proved by your statement that someone
>> > could instead pass init=/bin/sh and override any sort of
>> > init process, so trying to make the 'cdroot' option secure
>> > is absurd, as there's 10 million other ways to get in if you
>> > have direct access to the computer.
>>
>> The big difference is that init=/bin/sh does not give you a normal
>> working system, cdboot however could be abused to get a normal
>> functioning passwordless console. That would allow incapable
>> systemadmins to decide to do this, or even tell others to do it
>> (the latter I want to prevent).
>
> I _did_ say it already, but you apparently did not want to listen - the
> kernel opts is not needed, as there is no need to be dynamic. It's
> either a livecd or not. And as Paul did mention, it might be open for
> exploit, although 'init=/bin/bash' will work as well.
>
> The baselayout ebuild will be modified to do changes if USE=livecd, as
> it is sane, and I imagine some other things will need special livecd
> tweaking as well. Meaning, if USE=livecd, pkg_postinst() will
> 'echo CDBOOT=1 >> ${ROOT}/etc/rc.conf', and do whatever else.
>
> Thanks,
>
> --
> Martin Schlemmer
> Gentoo Linux Developer, Desktop/System Team Developer
> Cape Town, South Africa

-- gentoo-releng@g.o mailing list