This looks secure if you have a BIOS password on the machine
and booting from drive A: is disabled (and there is no other
OS installed on the machine that you can select, ofcourse).
Now the latest Linux kernels include an init= option, that
lets you select the init program. Entering
init=/bin/sh
gives you an instant root shell. Also, you can set any
environment variable such as
LD_PRELOAD=/tmp/hacklib.so
that causes the /tmp/hacklib.so library to be loaded before
the first program (init) is executed.
So I sent a patch to Linus that adds a new configuration option
to the kernel compile, CONFIG_BOOT_INSECURE that only allows
the above two if that option is turned on.
Alas, Linus rejected it. This normally means he thinks it
was not a good idea. Hence the request for comment here.
Would something like this be useful? Or isn't it because there
are other boot options that can be abused to achieve the
same effect (and turning them all off would be unacceptable) ?
Or should I forget about it totally and just make a patch for
LILO that adds allowing/denying certain options at the
LILO boot prompt (so I could blacklist init= and *LD_*) ?
This would ofcourse not help people using loadlin for example.
Mike.
-- + Miquel van Smoorenburg + Cistron Internet Services + Living is a | | miquels@cistron.nl (SP6) | Independent Dutch ISP | horizontal | + miquels@drinkel.ow.org + http://www.cistron.nl/ + fall +