JLdL 01Jan08.

This directory contains kernel patches for disabling the init= kernel boot
parameter. It should be applied to the kernels of remotely booted machines
which are going to use PXELinux for booting. The PXELinux boot loader does
not have password protection for passing kernel parameters during boot, so
that anyone who has access to the console of a machine can boot it using a
init=/bin/bash parameter, and hence assume root control over that node.

This is particularly important for remotely booted X11 terminals installed
in a public room, but it is not a bad idea to patch the kernels of all the
remotely-booted machines. Since they are all diskless, this parameter does
not have much use in such machines anyway.

In order to apply the patch, copy it into the directory where you have the
Linux sources, which should be within a subdirectory, with a standard name
linux-<version>, go there, and use the command

	patch -p0  <  disable-init-param-<version>.diff

It is better to do this with clean sources, just as they come out of their
tar file.  You can use the patch for pristine kernel sources or the Debian
kernel sources, but the patch expects a source directory with the standard
name linux-<version>. If you use Debian kernel sources, then you will need
to make a symbolic link with that name, pointing to the Debian name, which
can be either kernel-source-<version> or linux-source-<version>, depending
on the version of the Debian distribution which you are using. After this,
you can configure and compile the kernel as usual.

If you do not find a patch for the kernel version you want to use, you can
try to use the one with the closest version, editing it to change the name
of the kernel directories, and using it as shown above. This will probably
succeed, after the patch program compensates for an offset.

This is a very simple patch which will change only one file, the init main
program init/main.c within the kernel sources.  It would be better to have
a configuration parameter, that allowed one to disable this boot parameter
during the configuration of the kernel, but lacking that, you can use this
simple patch.

Remember that you must apply the patch once more whenever you change to a
newer kernel version, otherwise all your remotely-booted X11 terminals in
public rooms will become vulnerable, possibly exposing your whole cluster
to serious harm.

