fai-chboot

Thomas Neumann blacky+fai at fluffbunny.de
Tue Mar 9 20:14:56 CET 2010


hiya

>> a) have/gain root-access on a client installed via fai

> But you can disable remote root access on all install clients, and
> also disable the root console on A-F4 and A-F5.

This doesn't help. What I meant with step "a)" was to be able gain access
to a host which has been installed via fai. It doesn't need to be a
running fai client at the moment.

or to be really pedantic

  - One needs access to fai-logs created during installation to figure out
the relevant nfs-server. (alternatives: probing the network, social
engineering, ...)
  - One needs access to a host which is able to mount the fai nfs-share.

(This may or may not be the same host.)

> I think every install client can always pretend to be another install
> client and change the PXE config of another host.

Most probably yes.

> This can only be disabled, if the install server could authenticate
> an install client.

Or at least the impact could be somewhat lessened if the client can toggle
the switch exactly in one direction. (I would not be surprised if someone
has good reasons to only allow "disable -> enable installation".)

tschüß
thomas



More information about the linux-fai mailing list