grub-devel
Re: meaning of absent --users parameters.


From: Vladimir 'φ-coder/phcoder' Serbinenko
Subject: Re: meaning of absent --users parameters.
Date: Sun, 06 Dec 2009 20:08:22 +0100
User-agent: Mozilla-Thunderbird 2.0.0.22 (X11/20091109)

Bruce Dubbs wrote:
> Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>> Bruce Dubbs wrote:
>>> Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>>>> Hello. Currently the authentication system works as follows:
>>>>
>>>> menuentry "name" --users "a,b,c" {
>>>> }
>>>> Means that only superusers and users "a", "b" and "c" are permitted to
>>>> boot this menuentry. To allow only superusers to boot an entry one
>>>> would need:
>>>> menuentry "name" --users "" {
>>>> }
>>>> And absence of --users means "anyone can choose this entry".
>>>> Unfortunately this is error-prone. Does anyone oppose changing it to:
>>>> No --users: only superusers
>>>> To have an unlocked entry you have to add --unlocked
>>> First, what is the definition of a 'superuser'?  Where does GRUB get
>>> the information to make a decision?
>>>
>> Superusers are set on a per-configuration basis with
>> set superusers=<list>
>> these users are allowed to invoke shell and edit menu entries so there
>> is no reason to restrict which entries they are allowed to boot.
>>> In any case, I'd recommend
>>>
>>>   --users: superusers only
>>>
>>> or even
>>>
>>>   --users: superusers
>> I don't get what you mean.
>
> I thought you were asking about a parameter to the menuentry command:
>
>   menuentry "name" --users "a,b,c" {
>
> I was recommending
>
>   menuentry "name" --users superusers {
>
> Where superusers is a keyword implying all superusers.
>
Actually the real question is about the interpretation of a missing --users.
Actually your suggestion --users superusers has the problem that a user
"superusers" may actually exist. BTW:
menuentry "name" --users $superusers {
is already accepted.
>   -- Bruce


-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko


Attachment: signature.asc
Description: OpenPGP digital signature
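
The two readings of a missing --users discussed in this message, as an added example that is not part of the original post and is not GRUB's own code: it parses a constructed config in the thread's syntax and lists the entries that anyone can boot today only because --users was left out. The function names, the sample entries and the comma-separated superusers list are assumptions; --unlocked is the flag proposed in the thread.

```python
import shlex

# Constructed sample config using the syntax quoted in the thread.
SAMPLE_CFG = '''
set superusers="root"
menuentry "Linux" --users "alice,bob" {
}
menuentry "Recovery" --users "" {
}
menuentry "Also root" --users $superusers {
}
menuentry "Memtest" {
}
menuentry "Rescue CD" --unlocked {
}
'''

def parse(cfg):
    """Return (superusers, [(title, users_or_None, unlocked), ...])."""
    superusers, entries = [], []
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line.rstrip("{"))
        if not tok:
            continue
        if tok[0] == "set" and len(tok) > 1 and tok[1].startswith("superusers="):
            # Assumption: names are comma-separated, as in --users "a,b,c".
            superusers = [u for u in tok[1].split("=", 1)[1].split(",") if u]
        elif tok[0] == "menuentry" and len(tok) > 1:
            users = None  # None means --users is absent
            if "--users" in tok[2:]:
                val = (tok[tok.index("--users", 2) + 1:] or [""])[0]
                val = ",".join(superusers) if val == "$superusers" else val
                users = [u for u in val.split(",") if u]
            entries.append((tok[1], users, "--unlocked" in tok[2:]))
    return superusers, entries

def allowed(users, unlocked, superusers, proposed):
    """Who may boot an entry: the string 'anyone' or a set of user names."""
    if (proposed and unlocked) or (not proposed and users is None):
        return "anyone"
    return set(superusers) | set(users or [])

def implicitly_open(cfg):
    """Titles open to anyone today only because --users was left out."""
    superusers, entries = parse(cfg)
    return [t for t, u, unl in entries
            if allowed(u, unl, superusers, False) == "anyone"
            and allowed(u, unl, superusers, True) != "anyone"]
```

Entries returned by implicitly_open() are the ones whose access would tighten to superusers only under the proposed default.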

