В Thu, 11 Jun 2015 11:13:01 +0800 Michael Chang <mch...@suse.com> пишет:
> On Mon, Jun 01, 2015 at 11:35:49AM +0800, Michael Chang wrote: > > On Sat, May 30, 2015 at 10:39:06AM +0300, Andrei Borzenkov wrote: > > > В Tue, 26 May 2015 15:53:14 +0800 > > > Michael Chang <mch...@suse.com> пишет: > > > > > > > This patch provides settings in simple configuration interface that can > > > > set > > > > common options to menuentry. One of the use cases is specifying the > > > > security > > > > settings thus it won't be overwritten by grub-mkconfig. For eg. > > > > > > > > GRUB_MENU_ENTRY_OPTION_LINUX="--unrestricted" > > > > GRUB_MENU_ENTRY_OPTION_OSPROBER="--users user1" > > > > > > > > > > I'm not sure. I actually feel like configurations that need detailed > > > per user authorizations simply do not fit into simplistic > > > grub-mkconfig. Next someone will miss per-menuentry user list. > > > > Thanks for comment. I'm also not sure as per menu entry options not fit > > well with global options context provided by simple interface. But from > > my understanding, generic options settings maybe more welcome from > > upstream POV, so that's why I send it here as RFC patch. :) > > > > > > > > Most common request is really to allow menu boot while restricting > > > command line, so I think that adding support for this to grub-mkconfig > > > would be fine. > > > > Yes. We have quite many users request the password protection to work > > the same way as legacy grub, that is actually what --unrestricted could > > provide them, but they need to manually patch grub scripts to keep their > > settings persist as currently distribution tools have no way to > > integrate it by lacking of inteface in simple config. We can extend that > > on our own, of course, but it seems better to coordinated on upstream if > > possible. > > > > How do you think proposed option like this ? > > > > GRUB_UNRESTRICTED_MENU_ENTRY="true" > > Hi Andrei, > > Do you have any comment on the new setting? I am absolutely happy to > work on the patch if it's the way to go. > > If not, do you have any other recommends or be it a down-stream settings > is more feasible here ? > What I do not like in all this - such option requires explicit support in grub.d script. IOW by adding such an option we make promise to make all menu entries unrestricted, which we cannot hold. It is not true for most other options which are either interpreted by core or apply to specific scripts, so no global expectations. Exceptions are GRUB_DISTRIBUTOR GRUB_DISABLE_RECOVERY which are unfortunate. But GRUB_DISTRIBUTOR is advisory-only, so it is OK. Also there are GRUB legacy and syslinux generated menu entries which would not be covered here at all. Note that default in the past was unrestricted. I tried to find rationale for changing it, but could not really. There is http://marc.info/?t=139175165000018&r=1&w=2 without explanation why it was error prone. Vladimir, what about adding unrestricted_menu=y environment variable that could then be set in 00_header using GRUB_UNRESTRICTED_MENU option? This would allow users to globally turn it on/off for all menu entries. _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
