mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-29 17:10:48 +00:00
initrd: Don't enable the root shell by default
Starting an authenticated root shell is a security hole, so don't do it by default. The kernel command line parameter ‘initrd.shell_on_fail’ restores the original. (Of course, this only improves security if you have a password on GRUB to prevent the kernel command line from being edited by unauthorized users.)
This commit is contained in:
parent
91bead9c18
commit
93a7a32bab
|
@ -16,15 +16,26 @@ systemd:
|
|||
|
||||
<variablelist>
|
||||
|
||||
<varlistentry><term><literal>initrd.shell_on_fail</literal></term>
|
||||
<listitem><para>Start a root shell if something goes wrong in
|
||||
stage 1 of the boot process (the initial ramdisk). This is
|
||||
disabled by default because there is no authentication for the
|
||||
root shell.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry><term><literal>debug1</literal></term>
|
||||
<listitem><para>Request an interactive shell in stage 1 of the
|
||||
boot process (the initial ramdisk). The shell gets started before
|
||||
<listitem><para>Start an interactive shell in stage 1 before
|
||||
anything useful has been done. That is, no modules have been
|
||||
loaded and no file systems have been mounted, except for
|
||||
<filename>/proc</filename> and
|
||||
<filename>/sys</filename>.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry><term><literal>debugtrace</literal></term>
|
||||
<listitem><para>Print every shell command executed by the stage 1
|
||||
and 2 boot scripts.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry><term><literal>single</literal></term>
|
||||
<listitem><para>Boot into rescue mode (a.k.a. single user mode).
|
||||
This will cause systemd to start nothing but the unit
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
#! @shell@
|
||||
|
||||
targetRoot=/mnt-root
|
||||
console=tty1
|
||||
|
||||
export LD_LIBRARY_PATH=@extraUtils@/lib
|
||||
export PATH=@extraUtils@/bin:@extraUtils@/sbin
|
||||
|
@ -17,37 +18,31 @@ An error occured in stage 1 of the boot process, which must mount the
|
|||
root filesystem on \`$targetRoot' and then start stage 2. Press one
|
||||
of the following keys:
|
||||
|
||||
i) to launch an interactive shell;
|
||||
EOF
|
||||
if [ -n "$allowShell" ]; then cat <<EOF
|
||||
i) to launch an interactive shell
|
||||
f) to start an interactive shell having pid 1 (needed if you want to
|
||||
start stage 2's init manually); or
|
||||
*) to ignore the error and continue.
|
||||
start stage 2's init manually)
|
||||
EOF
|
||||
fi
|
||||
cat <<EOF
|
||||
r) to reboot immediately
|
||||
*) to ignore the error and continue
|
||||
EOF
|
||||
|
||||
read reply
|
||||
|
||||
# Get the console from the kernel cmdline
|
||||
console=tty1
|
||||
for o in $(cat /proc/cmdline); do
|
||||
case $o in
|
||||
console=*)
|
||||
set -- $(IFS==; echo $o)
|
||||
params=$2
|
||||
set -- $(IFS=,; echo $params)
|
||||
console=$1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
case $reply in
|
||||
f)
|
||||
exec setsid @shell@ -c "@shell@ < /dev/$console >/dev/$console 2>/dev/$console" ;;
|
||||
i)
|
||||
if [ -n "$allowShell" -a "$reply" = f ]; then
|
||||
exec setsid @shell@ -c "@shell@ < /dev/$console >/dev/$console 2>/dev/$console"
|
||||
elif [ -n "$allowShell" -a "$reply" = i ]; then
|
||||
echo "Starting interactive shell..."
|
||||
setsid @shell@ -c "@shell@ < /dev/$console >/dev/$console 2>/dev/$console" || fail
|
||||
;;
|
||||
*)
|
||||
echo "Continuing...";;
|
||||
esac
|
||||
elif [ "$reply" = r ]; then
|
||||
echo "Rebooting..."
|
||||
reboot -f
|
||||
else
|
||||
echo "Continuing..."
|
||||
fi
|
||||
}
|
||||
|
||||
trap 'fail' 0
|
||||
|
@ -76,6 +71,12 @@ mount -t securityfs none /sys/kernel/security
|
|||
export stage2Init=/init
|
||||
for o in $(cat /proc/cmdline); do
|
||||
case $o in
|
||||
console=*)
|
||||
set -- $(IFS==; echo $o)
|
||||
params=$2
|
||||
set -- $(IFS=,; echo $params)
|
||||
console=$1
|
||||
;;
|
||||
init=*)
|
||||
set -- $(IFS==; echo $o)
|
||||
stage2Init=$2
|
||||
|
@ -84,13 +85,19 @@ for o in $(cat /proc/cmdline); do
|
|||
# Show each command.
|
||||
set -x
|
||||
;;
|
||||
initrd.shell_on_fail)
|
||||
allowShell=1
|
||||
;;
|
||||
debug1) # stop right away
|
||||
allowShell=1
|
||||
fail
|
||||
;;
|
||||
debug1devices) # stop after loading modules and creating device nodes
|
||||
allowShell=1
|
||||
debug1devices=1
|
||||
;;
|
||||
debug1mounts) # stop after mounting file systems
|
||||
allowShell=1
|
||||
debug1mounts=1
|
||||
;;
|
||||
stage1panic=1)
|
||||
|
@ -219,7 +226,7 @@ checkFS() {
|
|||
if test $(($fsckResult | 2)) = $fsckResult; then
|
||||
echo "fsck finished, rebooting..."
|
||||
sleep 3
|
||||
reboot
|
||||
reboot -f
|
||||
fi
|
||||
|
||||
if test $(($fsckResult | 4)) = $fsckResult; then
|
||||
|
|
Loading…
Reference in a new issue