authorJesse Keating <jkeating@redhat.com>2012-07-20 12:35:33 -0700
committerJesse Keating <jkeating@redhat.com>2012-07-20 12:52:26 -0700
commit89f4c56f317951a3f1beac94ac16c6b292ff0f61 (patch)
tree02809dece63ac4e39b8fcca464f989f2391aba89 /pyanaconda/bootloader.py
parentba065e63fa3da1d3df79720dbbdf10588942af52 (diff)
Disable dracut debug shell when password protected (#752966)
The dracut debug shell gives users root-like access without a password. This is not a good thing if the admin has decided that the system should have a password-protected boot loader. So for boot loaders that support password protection, we should also add the rd.shell=0 flag to the boot arguments to prevent the user from gaining root-level access.
Diffstat (limited to 'pyanaconda/bootloader.py')
-rw-r--r--pyanaconda/bootloader.py6
1 files changed, 6 insertions, 0 deletions
diff --git a/pyanaconda/bootloader.py b/pyanaconda/bootloader.py
index f375f5bd3..b10c25b0d 100644
--- a/pyanaconda/bootloader.py
+++ b/pyanaconda/bootloader.py
@@ -1682,6 +1682,10 @@ class GRUB2(GRUB):
def write_config(self):
self.write_config_console(None)
+ # See if we have a password and if so update the boot args before we
+ # write out the defaults file.
+ if self.password or self.encrypted_password:
+ self.boot_args.add("rd.shell=0")
self.write_defaults()
# if we fail to setup password auth we should complete the
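Review bot: Only `GRUB2.write_config` gains the flag in this hunk, and the diffstat lists no other change in this file besides the Yaboot/SILO hunk, so it looks as if a password-protected install using the parent `GRUB` class would still be written without `rd.shell=0`. That is inferred from the hunk header alone; the parent's config writer is not visible here and should be checked. The added comment explains the ordering (before `write_defaults()`) but not the reason, so I would extend it with something like `# A password-protected loader must not leave dracut's unauthenticated emergency shell reachable.` The flag is added before the password setup that the trailing comment says may fail, which leaves the argument in place on failure; that is the safe direction, but it deserves a word in the comment. The body of `write_config` continues past the end of the hunk.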
@@ -1865,6 +1869,8 @@ class YabootSILOBase(BootLoader):
continue
args = Arguments()
+ if self.password or self.encrypted_password:
+ args.add("rd.shell=0")
if image.initrd:
initrd_line = "\tinitrd=%s/%s\n" % (self.boot_prefix,
image.initrd)
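Review bot: The password test and the `"rd.shell=0"` literal are repeated here from `GRUB2.write_config`, this time with no comment saying why the argument is added. I would put the check in one helper on the shared base class, so that every password-capable loader uses the same condition and the same flag, and mark the call with `# password-protected loader: disable dracut's unauthenticated emergency shell`. The condition does not depend on `image`, yet it sits where a fresh `args` is built after a `continue`, which suggests it is re-evaluated for every image; computing it once before the loop would read more clearly. Whether `args` is later merged with `self.boot_args`, and whether the yaboot/SILO password also prevents editing the boot arguments at the prompt, cannot be seen from this hunk; the flag only helps if it does. The enclosing method starts and ends outside the hunk.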