Subject: Re: which init? (Was Re: HEADS UP: fully dynamic linked system now the default)
To: William Waites <ww@styx.org>
From: Luke Mewburn <lukem@wasabisystems.com>
List: current-users
Date: 09/26/2002 10:03:17
On Wed, Sep 25, 2002 at 02:40:19PM -0400, William Waites wrote:
  | >>> "Luke" == Luke Mewburn <lukem@netbsd.org> writes:
  | 
  |     Luke>     +	The kernel's "-a" bootloader option now also prompts for the
  |     Luke> 	path to init(8), so "/rescue/init" can be used if /sbin/init
  |     Luke> 	won't start due to an unexpected failure.
  | 
  | Is there a way to turn this off? IIUC it makes marking the console
  | insecure in /etc/ttys useless since you can just boot '-a
  | /bin/sh'... Just like that Finnish OS (init=/bin/sh) ;)

Given that the first question asked by '-a' is "root device" (and
then dump device & file system type), the user could just enter
any other device with a valid file system and /sbin/init on it
(let alone a different path to init in the newer kernels).
I don't see this as much of an issue.

Various platforms support the ability to prevent the user from
modifying the boot flags (via PROM settings), and the i386 has support
for setting a password in the bootloader to prevent the boot flags
from being modified without it.