From 93a7a32babe618a8ae69a1085df78329820c1c85 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 9 Jan 2013 22:31:57 +0100 Subject: [PATCH] initrd: Don't enable the root shell by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Starting an unauthenticated root shell is a security hole, so don't do it by default. The kernel command line parameter ‘initrd.shell_on_fail’ restores the original behaviour. (Of course, this only improves security if you have a password on GRUB to prevent the kernel command line from being edited by unauthorized users.) --- doc/manual/troubleshooting.xml | 15 ++++++- modules/system/boot/stage-1-init.sh | 63 ++++++++++++++++------------- 2 files changed, 48 insertions(+), 30 deletions(-) diff --git a/doc/manual/troubleshooting.xml b/doc/manual/troubleshooting.xml index f18ca9f4c5c7..4d5c5994fc84 100644 --- a/doc/manual/troubleshooting.xml +++ b/doc/manual/troubleshooting.xml @@ -16,15 +16,26 @@ systemd: + initrd.shell_on_fail + Start a root shell if something goes wrong in + stage 1 of the boot process (the initial ramdisk). This is + disabled by default because there is no authentication for the + root shell. + + debug1 - Request an interactive shell in stage 1 of the - boot process (the initial ramdisk). The shell gets started before + Start an interactive shell in stage 1 before anything useful has been done. That is, no modules have been loaded and no file systems have been mounted, except for /proc and /sys. + debugtrace + Print every shell command executed by the stage 1 + and 2 boot scripts. + + single Boot into rescue mode (a.k.a. single user mode). This will cause systemd to start nothing but the unit diff --git a/modules/system/boot/stage-1-init.sh b/modules/system/boot/stage-1-init.sh index 778e36cfd36e..c1e46956f6e1 100644 --- a/modules/system/boot/stage-1-init.sh +++ b/modules/system/boot/stage-1-init.sh 
@@ -1,6 +1,7 @@ #! @shell@ targetRoot=/mnt-root +console=tty1 export LD_LIBRARY_PATH=@extraUtils@/lib export PATH=@extraUtils@/bin:@extraUtils@/sbin @@ -17,37 +18,31 @@ An error occured in stage 1 of the boot process, which must mount the root filesystem on \`$targetRoot' and then start stage 2. Press one of the following keys: - i) to launch an interactive shell; +EOF + if [ -n "$allowShell" ]; then cat </dev/$console 2>/dev/$console" ;; - i) - echo "Starting interactive shell..." - setsid @shell@ -c "@shell@ < /dev/$console >/dev/$console 2>/dev/$console" || fail - ;; - *) - echo "Continuing...";; - esac + if [ -n "$allowShell" -a "$reply" = f ]; then + exec setsid @shell@ -c "@shell@ < /dev/$console >/dev/$console 2>/dev/$console" + elif [ -n "$allowShell" -a "$reply" = i ]; then + echo "Starting interactive shell..." + setsid @shell@ -c "@shell@ < /dev/$console >/dev/$console 2>/dev/$console" || fail + elif [ "$reply" = r ]; then + echo "Rebooting..." + reboot -f + else + echo "Continuing..." + fi } trap 'fail' 0 @@ -76,6 +71,12 @@ mount -t securityfs none /sys/kernel/security export stage2Init=/init for o in $(cat /proc/cmdline); do case $o in + console=*) + set -- $(IFS==; echo $o) + params=$2 + set -- $(IFS=,; echo $params) + console=$1 + ;; init=*) set -- $(IFS==; echo $o) stage2Init=$2 @@ -84,13 +85,19 @@ for o in $(cat /proc/cmdline); do # Show each command. set -x ;; + initrd.shell_on_fail) + allowShell=1 + ;; debug1) # stop right away + allowShell=1 fail ;; debug1devices) # stop after loading modules and creating device nodes + allowShell=1 debug1devices=1 ;; debug1mounts) # stop after mounting file systems + allowShell=1 debug1mounts=1 ;; stage1panic=1) @@ -180,7 +187,7 @@ onACPower() { checkFS() { local device="$1" local fsType="$2" - + # Only check block devices. if [ ! -b "$device" ]; then return 0; fi 
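Review bot: The two tests that gate the unauthenticated shell in fail(), `[ -n "$allowShell" -a "$reply" = f ]` and its `i` counterpart, join their conditions with `-a`, which POSIX marks obsolescent and which `[` can misparse when an operand looks like an operator. `$reply` is a key typed at the console, so I would write the gate as `[ -n "$allowShell" ] && [ "$reply" = f ]` (and the same for `i`), so that the allowShell check is evaluated on its own. The heredoc and the read that fills `$reply` are garbled in this rendering of the hunk, so this is based on the visible tests only.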
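Review bot: The new `console=*)` arm assigns `console=$1` without checking it, so a `console=` with an empty value replaces the `tty1` default with an empty string and every later `/dev/$console` redirection in fail() points at `/dev/`. The value is also expanded inside the double-quoted `@shell@ -c "..."` string, where it is parsed as shell text rather than as a file name. I would keep the default unless a plain device name was parsed, e.g. `case $1 in ''|*[!A-Za-z0-9]*) ;; *) console=$1 ;; esac`. The `for` loop over /proc/cmdline starts and ends outside this hunk.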
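Review bot: `allowShell` is only ever assigned in these arms; none of the visible hunks gives it an initial value, so the "disabled by default" behaviour depends on the variable being absent from the environment that init inherits. An explicit `allowShell=` next to `console=tty1` at the top of the script would pin the default. Separately, the `debug1)` arm calls `fail` from inside the loop, so a `console=` that comes later on the command line has not been parsed when the prompt appears; a comment such as `# runs immediately: console= must precede debug1 on the command line` would document that. The enclosing case statement continues outside the hunk.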
@@ -219,7 +226,7 @@ checkFS() {
 if test $(($fsckResult | 2)) = $fsckResult; then
 echo "fsck finished, rebooting..."
 sleep 3
- reboot
+ reboot -f
 fi
 if test $(($fsckResult | 4)) = $fsckResult; then
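Review bot: The switch to `reboot -f` carries no comment saying why the forced variant is needed, and the same flag is used in fail(). If the reason is that a plain `reboot` asks init to shut down and in stage 1 init is this script, a line such as `# -f: no init to hand the reboot to in stage 1` above the call would keep someone from reverting it. checkFS starts and ends outside this hunk.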