I have an idea. Instead of allowing an arbitrary program path to be set, we allow a _suffix_ to be set. "telinit -e INIT_SFX=foo ; telinit u" would cause init to exec "/sbin/init.foo". Now, /sbin/init.foo can be a symlink to an executable on another filesystem, so this should provide the same capability as INIT_PROG; but because it is done via a symlink on the same filesystem as /sbin/init, the administrator has control over what init can exec. If /sbin is on a read-only filesystem and there are no /sbin/init.* then the feature is effectively disabled.

I can see two possible pitfalls. First, if /sbin/init.alt is a symlink to /alt/init and /sbin/init execs /sbin/init.alt, does this keep /sbin's filesystem busy? If so then we can code init to use readlink(2) to get the target of /sbin/init.alt and exec that target instead of /sbin/init.alt itself.

Second, if /sbin/init execs /alt/init (via /sbin/init.alt) and /sbin is unmounted then /sbin/init.alt is no longer visible; so init will not be able to re-exec itself a second time. Would this be a problem?
-- 
Thomas Hood
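
The suffix scheme and the readlink(2) fallback proposed in the message above, as an added C sketch that is not part of the original message and not code from init itself. The function names are hypothetical, and refusing relative symlink targets is an assumption made here to keep the exec path unambiguous.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Build "<base>.<sfx>" (base is "/sbin/init" in the proposal). Rejecting '/'
 * keeps the result in the same directory as base, which is what leaves the
 * administrator in control. Returns 0 on success, -1 on a bad suffix. */
int init_sfx_path(const char *base, const char *sfx, char *out, size_t outlen)
{
    if (sfx == NULL || *sfx == '\0' || strchr(sfx, '/') != NULL)
        return -1;
    int n = snprintf(out, outlen, "%s.%s", base, sfx);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Decide what to exec. If path is a symlink, return its target via
 * readlink(2) so init execs the target rather than the symlink; if it is
 * not a symlink (EINVAL), return path itself. Returns 0 or -1. */
int init_exec_target(const char *path, char *out, size_t outlen)
{
    ssize_t n = readlink(path, out, outlen - 1);
    if (n >= 0) {
        if ((size_t)n >= outlen - 1)
            return -1;                  /* possibly truncated: refuse */
        out[n] = '\0';                  /* readlink does not terminate */
        return out[0] == '/' ? 0 : -1;  /* assumption: absolute targets only */
    }
    if (errno != EINVAL || strlen(path) >= outlen)
        return -1;                      /* missing file or other error */
    strcpy(out, path);
    return 0;
}

int main(int argc, char **argv)
{
    char path[4096], target[4096];
    if (argc != 2 || init_sfx_path("/sbin/init", argv[1], path, sizeof path) ||
        init_exec_target(path, target, sizeof target)) {
        fprintf(stderr, "usage: %s SUFFIX (no usable /sbin/init.SUFFIX)\n", argv[0]);
        return 1;
    }
    printf("%s -> would exec %s\n", path, target);
    return 0;
}
```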

