[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [RFC] Support menuentry options in simple configuration interface
|
From: |
Andrei Borzenkov |
|
Subject: |
Re: [RFC] Support menuentry options in simple configuration interface |
|
Date: |
Fri, 12 Jun 2015 07:59:19 +0300 |
В Thu, 11 Jun 2015 11:13:01 +0800
Michael Chang <address@hidden> пишет:
> On Mon, Jun 01, 2015 at 11:35:49AM +0800, Michael Chang wrote:
> > On Sat, May 30, 2015 at 10:39:06AM +0300, Andrei Borzenkov wrote:
> > > В Tue, 26 May 2015 15:53:14 +0800
> > > Michael Chang <address@hidden> пишет:
> > >
> > > > This patch provides settings in simple configuration interface that can
> > > > set
> > > > common options to menuentry. One of the use cases is specifying the
> > > > security
> > > > settings thus it won't be overwritten by grub-mkconfig. For eg.
> > > >
> > > > GRUB_MENU_ENTRY_OPTION_LINUX="--unrestricted"
> > > > GRUB_MENU_ENTRY_OPTION_OSPROBER="--users user1"
> > > >
> > >
> > > I'm not sure. I actually feel like configurations that need detailed
> > > per user authorizations simply do not fit into simplistic
> > > grub-mkconfig. Next someone will miss per-menuentry user list.
> >
> > Thanks for comment. I'm also not sure as per menu entry options not fit
> > well with global options context provided by simple interface. But from
> > my understanding, generic options settings maybe more welcome from
> > upstream POV, so that's why I send it here as RFC patch. :)
> >
> > >
> > > Most common request is really to allow menu boot while restricting
> > > command line, so I think that adding support for this to grub-mkconfig
> > > would be fine.
> >
> > Yes. We have quite many users request the password protection to work
> > the same way as legacy grub, that is actually what --unrestricted could
> > provide them, but they need to manually patch grub scripts to keep their
> > settings persist as currently distribution tools have no way to
> > integrate it by lacking of inteface in simple config. We can extend that
> > on our own, of course, but it seems better to coordinated on upstream if
> > possible.
> >
> > How do you think proposed option like this ?
> >
> > GRUB_UNRESTRICTED_MENU_ENTRY="true"
>
> Hi Andrei,
>
> Do you have any comment on the new setting? I am absolutely happy to
> work on the patch if it's the way to go.
>
> If not, do you have any other recommends or be it a down-stream settings
> is more feasible here ?
>
What I do not like in all this - such option requires explicit support
in grub.d script. IOW by adding such an option we make promise to make
all menu entries unrestricted, which we cannot hold.
It is not true for most other options which are either interpreted by
core or apply to specific scripts, so no global expectations. Exceptions
are
GRUB_DISTRIBUTOR
GRUB_DISABLE_RECOVERY
which are unfortunate. But GRUB_DISTRIBUTOR is advisory-only, so it is
OK.
Also there are GRUB legacy and syslinux generated menu entries which
would not be covered here at all.
Note that default in the past was unrestricted. I tried to find
rationale for changing it, but could not really. There is
http://marc.info/?t=139175165000018&r=1&w=2
without explanation why it was error prone.
Vladimir, what about adding unrestricted_menu=y environment variable
that could then be set in 00_header using GRUB_UNRESTRICTED_MENU
option? This would allow users to globally turn it on/off for all menu
entries.