dracut.cmdline.7.asc: add warning about passwords on the kernel cmdline

diff --git a/dracut.cmdline.7.asc b/dracut.cmdline.7.asc
index 5067cf72c7419c9d6d28a86e289fd7f25c0ad8ff..fa03a5a8fdfe28a90c9a928d1033adb1a1880b73 100644 (file)
--- a/dracut.cmdline.7.asc
+++ b/dracut.cmdline.7.asc
@@ -445,12 +445,22 @@ CIFS
     brackets, e.g. [2001:DB8::1]. If a username or password are not specified
 as part of the root, then they must be passed on the command line through
 cifsuser/cifspass.
++
+[WARNING]
+====
+Passwords specified on the kernel command line are visible for all users via the file _/proc/cmdline_ and via dmesg or can be sniffed on the network, when using DHCP with DHCP root-path.
+====
 
 **cifsuser=_<username>_::
     Set the cifs username, if not specified as part of the root.
 
 **cifspass=_<password>_::
     Set the cifs password, if not specified as part of the root.
++
+[WARNING]
+====
+Passwords specified on the kernel command line are visible for all users via the file _/proc/cmdline_ and via dmesg or can be sniffed on the network, when using DHCP with DHCP root-path.
+====
 
 iSCSI
 ~~~~~
@@ -473,6 +483,11 @@ If servername is an IPv6 address, it has to be put in brackets. e.g.:
 ----
 root=iscsi:[2001:DB8::1]::::iqn.2009-06.dracut:target0
 ----
++
+[WARNING]
+====
+Passwords specified on the kernel command line are visible for all users via the file _/proc/cmdline_ and via dmesg or can be sniffed on the network, when using DHCP with DHCP root-path.
+====
 
 **root=**_???_ **netroot=**iscsi:[_<username>_:_<password>_[:_<reverse>_:_<password>_]@][_<servername>_]:[_<protocol>_]:[_<port>_][:[_<iscsi_iface_name>_]:[_<netdev_name>_]]:[_<LUN>_]:_<targetname>_ ...::
     multiple netroot options allow setting up multiple iscsi disks. e.g.:
@@ -488,9 +503,19 @@ If servername is an IPv6 address, it has to be put in brackets. e.g.:
 ----
 netroot=iscsi:[2001:DB8::1]::::iqn.2009-06.dracut:target0
 ----
++
+[WARNING]
+====
+Passwords specified on the kernel command line are visible for all users via the file _/proc/cmdline_ and via dmesg or can be sniffed on the network, when using DHCP with DHCP root-path. You may want to use rd.iscsi.firmware.
+====
 
 **root=**_???_ **rd.iscsi.initiator=**_<initiator>_ **rd.iscsi.target.name=**_<target name>_  **rd.iscsi.target.ip=**_<target ip>_ **rd.iscsi.target.port=**_<target port>_ **rd.iscsi.target.group=**_<target group>_ **rd.iscsi.username=**_<username>_ **rd.iscsi.password=**_<password>_ **rd.iscsi.in.username=**_<in username>_ **rd.iscsi.in.password=**_<in password>_::
     manually specify all iscsistart parameter (see **+iscsistart --help+**)
++
+[WARNING]
+====
+Passwords specified on the kernel command line are visible for all users via the file _/proc/cmdline_ and via dmesg or can be sniffed on the network, when using DHCP with DHCP root-path. You may want to use rd.iscsi.firmware.
+====
 
 **root=**_???_ **netroot=**iscsi **rd.iscsi.firmware=1**::
  will read the iscsi parameter from the BIOS firmware
@@ -501,7 +526,7 @@ netroot=iscsi:[2001:DB8::1]::::iqn.2009-06.dracut:target0
     e.g.:
 +
 ----
-"netroot=iscsi iscsi_firmware rd.iscsi.param=node.session.timeo.replacement_timeout=30"
+"netroot=iscsi rd.iscsi.firmware=1 rd.iscsi.param=node.session.timeo.replacement_timeout=30"
 ----
 +
 will result in