+2010-06-08 Colin Watson <cjwatson@ubuntu.com>
+
+ * docs/grub.texi (Security): Menu entries are unrestricted by
+ default, not restricted to superusers as I had previously thought.
+ Reword to account for this.
+
2010-06-07 Colin Watson <cjwatson@ubuntu.com>
* kern/emu/misc.c (device_mapper_null_log): New function.
In order to enable authentication support, the @samp{superusers} environment
variable must be set to a list of usernames, separated by any of spaces,
commas, semicolons, pipes, or ampersands. Superusers are permitted to use
-the GRUB command line, edit menu entries, and execute any menu entry.
+the GRUB command line, edit menu entries, and execute any menu entry. If
+@samp{superusers} is set, then use of the command line is automatically
+restricted to superusers.
Other users may be given access to specific menu entries by giving a list of
-usernames (as above) using the @kbd{--users} option to the @samp{menuentry}
-command (@pxref{menuentry}).
+usernames (as above) using the @option{--users} option to the
+@samp{menuentry} command (@pxref{menuentry}). If the @option{--users}
+option is not used for a menu entry, then that entry is unrestricted.
Putting this together, a typical @file{grub.cfg} fragment might look like
this:
password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
password user1 insecure
-menuentry "Superusers only" @{
+menuentry "May be run by any user" @{
set root=(hd0,1)
linux /vmlinuz
@}
-menuentry "May be run by user1" --users user1 @{
+menuentry "Superusers only" --users "" @{
+ set root=(hd0,1)
+ linux /vmlinuz single
+@}
+
+menuentry "May be run by user1 or a superuser" --users user1 @{
set root=(hd0,2)
chainloader +1
@}
projects / thirdparty / grub.git / commitdiff
