[Bug 536309] New: allow NBDROOT=serverIP;port from kernel commandline/boot parameter
http://bugzilla.novell.com/show_bug.cgi?id=536309

Summary: allow NBDROOT=serverIP;port from kernel commandline/boot parameter
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Platform: Other
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: P5 - None
Component: 3rd party software
AssignedTo: cyberorg@opensuse.org
ReportedBy: alexo.veto@gmail.com
QAContact: opensuse-communityscreening@forge.provo.novell.com
Found By: Community User

Allow NBDROOT=serverIP;port from the kernel command line / boot parameter.

This allows multiple configurations, one for each client, like this (part of the pxelinux.cfg/default file):

...
kernel boot/linux-ltsp
append initrd=boot/initrd-ltsp NBDROOT="192.168.0.1;2001"
...

Default behavior (for NBDROOT): the init script (linuxrc) replaces the NBDROOT value with the one from /srv/tftpboot/KIWI/config.default (a file fetched from the server via tftp), if NBDROOT="....." exists there.

Add the variable NBDROOT_DEFAULT and the new behavior:

1) if NBDROOT exists in /srv/tftpboot/KIWI/config.default: default behavior
2) if NBDROOT exists only as a boot parameter: use NBDROOT
3) if NBDROOT does not exist: NBDROOT=$NBDROOT_DEFAULT

Add NBDROOT_DEFAULT=... into /srv/tftpboot/KIWI/config.default, instead of NBDROOT.

PATCH (for init and/or linuxrc):

--- linuxrc1 2009-09-02 19:16:33.000000000 +0000 +++ linuxrc 2009-09-02 19:15:38.000000000 +0000 @@ -227,6 +227,13 @@ #====================================== # 9) Load configuration #-------------------------------------- +function nbdroot_import { + importFile < $CONFIG + IMPORTED=1 + if [ ! -z $NBDROOT_DEFAULT ] && [ -z $NBDROOT ] ;then + NBDROOT=$NBDROOT_DEFAULT + fi +} if [ $LOCAL_BOOT = "no" ];then CONFIG=/etc/config.netclient #====================================== @@ -245,8 +252,7 @@ #-------------------------------------- IMPORTED=0 if [ -s $CONFIG ] ;then - importFile < $CONFIG - IMPORTED=1 + nbdroot_import fi #======================================== # Compare current IP and IP from config 
@@ -312,8 +318,7 @@ # import latest configuration #-------------------------------------- if [ $IMPORTED -eq 0 ];then - importFile < $CONFIG - IMPORTED=1 + nbdroot_import fi fi -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
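Review bot: in the first hunk (@@ -227,6 +227,13 @@) both tests in `if [ ! -z $NBDROOT_DEFAULT ] && [ -z $NBDROOT ] ;then` use unquoted expansions, so a value containing whitespace breaks the test; write `if [ -n "$NBDROOT_DEFAULT" ] && [ -z "$NBDROOT" ]; then`. The fallback runs after `importFile < $CONFIG`, so a NBDROOT set in the server config still wins, but whenever the config does not set NBDROOT (whether or not it carries NBDROOT_DEFAULT) a client-supplied NBDROOT from the kernel command line is accepted as-is, with no check that it has the serverIP;port shape. Validate the value (dotted quad, one ';', a port number) before it is used, and say in the comment above `nbdroot_import` that shipping NBDROOT_DEFAULT instead of NBDROOT is what opts a site in to client-chosen root servers.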
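Review bot: in the second and third hunks (@@ -245,8 +252,7 @@ and @@ -312,8 +318,7 @@) the replacement `+ nbdroot_import` is a mechanical substitution, but the name hides that the function still performs the whole `importFile < $CONFIG` and sets `IMPORTED=1`; a reader of either call site now has to look up the function to learn that the config import happens there. Either name it for what it does (for example `import_config_with_nbdroot_default`) or keep the two original lines at both call sites and add a separate one-line call that only applies the NBDROOT_DEFAULT fallback.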
--- Comment #1 from Jigish Gohil (cyberorg@opensuse.org) http://bugzilla.novell.com/show_bug.cgi?id=536309#c1
--- Comment #2 from Alex Savin (alexo.veto@gmail.com) http://bugzilla.novell.com/show_bug.cgi?id=536309#c2

> This is for kiwi netboot image.

yes, kiwi-ltsp-bootimages https://build.opensuse.org/package/show?package=kiwi-ltsp-bootimages&project=server%3Altsp
--- Comment #3 from Jigish Gohil (cyberorg@opensuse.org) http://bugzilla.novell.com/show_bug.cgi?id=536309#c3
--- Comment #4 from Alex Savin (alexo.veto@gmail.com) http://bugzilla.novell.com/show_bug.cgi?id=536309#c4
--- Comment #5 from Marcus Schaefer (ms@novell.com) http://bugzilla.novell.com/show_bug.cgi?id=536309#c5
--- Comment #6 from Marcus Schaefer (ms@novell.com) http://bugzilla.novell.com/show_bug.cgi?id=536309#c6
--- Comment #7 from Alex Savin (alexo.veto@gmail.com) http://bugzilla.novell.com/show_bug.cgi?id=536309#c7
--- Comment #8 from Marcus Schaefer (ms@novell.com) http://bugzilla.novell.com/show_bug.cgi?id=536309#c8
--- Comment #9 from Alex Savin (alexo.veto@gmail.com) http://bugzilla.novell.com/show_bug.cgi?id=536309#c9
> hmm, a security risk... as far as I know we don't display a boot menu when booting via pxe,

??? /srv/tftpboot/message-ltsp and /srv/tftpboot/pxelinux.cfg/* are the boot menu files, and the same organization can use them to run different OSes (via PXE) on one workstation.

> but you are right someone could plug the device into the network and boot from, for example, a USB stick and use the exported root filesystem. But if someone has physical access to plug the network cable into a client of his choice he is in the network anyways because he will get an IP from DHCP then

Is kiwi-ltsp used for public terminals (in a library, university, or elsewhere)? In these cases the user can't get at the network cable or the BIOS (can't change the boot device); he can only boot what is in the pxelinux.cfg/* menu, and can add some boot options (such as NBDROOT). Before, NBDROOT was replaced by KIWI/config.*, but now the user can use NBDROOT="internet_IP;port", run something like BackTrack (http://www.remote-exploit.org/) and attack internal network services.

--------------------------

A small change to my last post; sorry for my ugly English.

(In reply to comment #7)
I added a new variable because changing the behavior of NBDROOT creates a security risk. THE NEW BEHAVIOR OF NBDROOT allows the user to overwrite NBDROOT (in the boot menu) and download any system (from the Internet), with root access, into the internal network, EVEN IF THE ADMINISTRATOR DOES NOT WANT TO ALLOW IT.

If the administrator wants to allow overwriting NBDROOT, he needs to use NBDROOT_DEFAULT in KIWI/config.*.
--- Comment #10 from Alex Savin (alexo.veto@gmail.com) http://bugzilla.novell.com/show_bug.cgi?id=536309#c10
--- Comment #11 from Marcus Schaefer (ms@novell.com) http://bugzilla.novell.com/show_bug.cgi?id=536309#c11
--- Comment #12 from Alex Savin http://bugzilla.novell.com/show_bug.cgi?id=536309#c12
+ #====================================== + # restore values from cmdline + #-------------------------------------- + for i in ${KLIST[@]};do + eval export $i + done
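Review bot: `eval export $i` hands every kernel-command-line token to the shell as code, so a value carrying `;`, `$(...)` or backticks is executed as root inside the initrd, and the unquoted `${KLIST[@]}` additionally splits values on whitespace before that happens. Drop the eval: iterate with `for i in "${KLIST[@]}"`, split the token into name and value yourself, strip one pair of surrounding double quotes from the value (pxelinux append lines carry them), check that the name matches `^[A-Za-z_][A-Za-z0-9_]*$`, and then `export "$name=$value"`; a malformed token is then skipped instead of interpreted.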
should be:

- eval export $i
+ eval export \"$i\"

This is needed to correctly process the format of the option NBDROOT="...;...;...;...;..." (example: NBDROOT="192.168.0.1;2001").

Also: I don't know why ALLOW_CMDLINE_OVERWRITE is disabled, but if someone needs to enable it, use this simple script:

#!/bin/bash
# Run this from the /srv/tftpboot/boot/ dir: unpacks every initrd*, comments out
# "unset ALLOW_CMDLINE_OVERWRITE" in linuxrc and init, and repacks the image in place.
set -e
for i in initrd*; do
    [ -f "$i" ] || continue
    rm -rf boott
    mkdir boott
    ( cd boott && gunzip < "../$i" | cpio -i --make-directories )
    sed -i 's/unset ALLOW_CMDLINE_OVERWRITE/#unset ALLOW_CMDLINE_OVERWRITE/' boott/linuxrc boott/init
    ( cd boott && find . | cpio -H newc -o ) | gzip -9 -c > "$i.tmp"
    mv -f "$i.tmp" "$i"
    rm -rf boott
done
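The NBDROOT precedence proposed in comment #1 (server config locks the value, NBDROOT_DEFAULT lets the client choose) and the eval problem discussed in comment #12 can be shown together in one script. The following is an added example, not code from kiwi's linuxrc or from the patches in this bug: it reads NBDROOT from a kernel command line and from a KIWI-style config without eval, applies the precedence, and additionally rejects anything that is not a dotted-quad IP followed by ';' and a port (the patches in this bug perform no such validation). The function names and the SAMPLE_*/CONFIG_* data are constructed for the example; the quoted pxelinux append value and the injected ';reboot' token illustrate what the original `eval export $i` would have executed.

```shell
#!/bin/sh
# Added example, not code from kiwi's linuxrc or from the patches in this bug:
# resolve NBDROOT from the kernel command line and the server-side KIWI config
# without eval, apply the precedence proposed in comment #1, and reject values
# that are not "serverIP;port". cmdline_get, config_get, validate_nbdroot,
# resolve_nbdroot and the SAMPLE_*/CONFIG_* data are constructed for this
# example.

# Print the value of KEY ($1) from a kernel-command-line string ($2), a list of
# whitespace-separated KEY=VALUE tokens. The token is matched with a case
# pattern and its value is printed as data, never eval'ed, so a ';' or $(...)
# in the value stays literal text. Values quoted with embedded spaces are out
# of scope here.
cmdline_get() {
    for tok in $2; do
        case $tok in
            "$1"=*)
                val=${tok#*=}
                val=${val#\"}; val=${val%\"}    # pxelinux append lines quote the value
                printf '%s\n' "$val"
                return 0 ;;
        esac
    done
    return 1
}

# Print the value of KEY ($1) from a KIWI-style KEY=VALUE config read on stdin.
# The file is parsed line by line instead of being sourced, so a stray command
# in it cannot run; as with sourcing, the last assignment wins.
config_get() {
    out=; found=1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$1"=*)
                out=${line#*=}; out=${out#\"}; out=${out%\"}
                found=0 ;;
        esac
    done
    [ $found -eq 0 ] && printf '%s\n' "$out"
    return $found
}

# Accept only "dotted-quad;port". This check is added here so that a
# client-supplied NBDROOT cannot smuggle shell syntax or an arbitrary host name
# into the code that later attaches the NBD export.
validate_nbdroot() {
    v=$1
    case $v in
        ''|*[!0-9.';']*) return 1 ;;            # digits, dots and ';' only
    esac
    ip=${v%%;*}; port=${v#*;}
    [ "$ip" != "$v" ] || return 1               # a ';' must be present
    case $port in ''|*';'*) return 1 ;; esac    # exactly one ';', non-empty port
    [ ${#port} -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Precedence from comment #1: NBDROOT fixed by the administrator in the server
# config always wins, so the client cannot override it; otherwise a NBDROOT from
# the kernel command line is honoured; otherwise NBDROOT_DEFAULT from the config.
# Prints the chosen value, or fails if nothing valid was found.
resolve_nbdroot() {
    cmdline=$1; config=$2
    nbd=$(printf '%s\n' "$config" | config_get NBDROOT) ||
    nbd=$(cmdline_get NBDROOT "$cmdline") ||
    nbd=$(printf '%s\n' "$config" | config_get NBDROOT_DEFAULT) || return 1
    validate_nbdroot "$nbd" && printf '%s\n' "$nbd"
}

# Constructed sample data: an append line as the kernel sees it, the same line
# with an injected command, a config that locks NBDROOT, and one that only
# offers a default and therefore allows the client to choose.
SAMPLE_CMDLINE='initrd=boot/initrd-ltsp NBDROOT="192.168.0.1;2001" quiet'
EVIL_CMDLINE='initrd=boot/initrd-ltsp NBDROOT=10.0.0.5;2001;reboot quiet'
CONFIG_LOCKED='NBDROOT=10.0.0.5;2001
IMAGE=ltsp'
CONFIG_OPEN='NBDROOT_DEFAULT=10.0.0.5;2001
IMAGE=ltsp'

echo "locked config, cmdline ignored:  $(resolve_nbdroot "$SAMPLE_CMDLINE" "$CONFIG_LOCKED")"
echo "open config, cmdline honoured:   $(resolve_nbdroot "$SAMPLE_CMDLINE" "$CONFIG_OPEN")"
echo "open config, no cmdline value:   $(resolve_nbdroot 'quiet' "$CONFIG_OPEN")"
resolve_nbdroot "$EVIL_CMDLINE" "$CONFIG_OPEN" || echo "injected value rejected"
```

The script is plain POSIX sh, so it runs under the busybox or dash shells typically found in an initrd. Validation happens after precedence is resolved, so even an administrator-supplied value that is malformed is refused rather than passed on.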
--- Comment #13 from Alex Savin http://bugzilla.novell.com/show_bug.cgi?id=536309#c13
--- Comment #14 from Marcus Schaefer http://bugzilla.novell.com/show_bug.cgi?id=536309#c14
--- Comment #15 from Alex Savin https://bugzilla.novell.com/show_bug.cgi?id=536309#c15
--- Comment from Alex Savin https://bugzilla.novell.com/show_bug.cgi?id=536309#c
--- Comment #16 from Marcus Schaefer https://bugzilla.novell.com/show_bug.cgi?id=536309#c16