Message ID | 8b05614d-bf3f-df6d-1157-b4d21235329f@ipfire.org |
---|---|
State | Not Applicable |
Headers |
From: Peter Müller <peter.mueller@ipfire.org>
To: "IPFire: Development" <development@lists.ipfire.org>
Date: Mon, 20 Jun 2022 20:34:15 +0000
Subject: Various mount options have changed in Core Update 169
Message-ID: <8b05614d-bf3f-df6d-1157-b4d21235329f@ipfire.org>
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Archive: <http://lists.ipfire.org/pipermail/development/> |
Series | Various mount options have changed in Core Update 169 |
Commit Message
Peter Müller
June 20, 2022, 8:34 p.m. UTC
Hello *,

while pre-testing Core Update 169, it came to my attention that, for some reason,
various mount options have changed since Core Update 168, lacking options such as
"nodev", "noexec", "nosuid", which means a security downgrade.

The complete delta is as follows:

$ diff -Naur before after

I cannot recall having this explicitly changed anywhere, and don't understand
the root cause for this (unwanted) change. Could somebody please point me in the
right direction? :-)

Thanks in advance, and best regards,
Peter Müller
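The audit below is an added example, not code from this thread or from IPFire. It is a POSIX sh script that reads `mount`-style lines and reports every mount point that lacks an option a hardening policy requires, which is the check one would run on a pre-test box before and after an update instead of eyeballing a diff. The policy table is an assumption modelled on the Core Update 168 state quoted in the replies: nosuid,nodev,noexec on /proc, /sys, /dev/shm and /run; nosuid,noexec on /dev and /dev/pts (devtmpfs and devpts must keep device nodes usable, so nodev is not an option there); nosuid,nodev on /var/lock. The sample input is constructed from the Core Update 169 side of the diff, i.e. its `-` lines, given the author's later note that the diff direction was swapped.

```shell
#!/bin/sh
# Added example, not IPFire code: audit mount options against a hardening policy.
# Reads lines in the format printed by `mount` ("SRC on MP type FS (OPTS)") on stdin.

# policy_for MOUNTPOINT: prints the options this policy requires there.
# The table is an assumption modelled on the Core Update 168 state from the thread.
# devtmpfs (/dev) and devpts (/dev/pts) cannot take nodev, since device nodes
# must stay usable there; everything else gets the full nosuid,nodev,noexec set.
policy_for() {
    case "$1" in
        /proc|/sys|/dev/shm|/run) echo "nosuid nodev noexec" ;;
        /dev|/dev/pts)            echo "nosuid noexec" ;;
        /var/lock)                echo "nosuid nodev" ;;
        *)                        echo "" ;;
    esac
}

# has_opt OPTS OPT: succeeds if the comma-separated OPTS contains OPT as a whole word
# (so "suid" does not match "nosuid").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts: prints "MP missing OPT" for every violation; returns 1 if any were found.
audit_mounts() {
    rc=0
    while read -r _src _on mp _type _fs opts; do
        [ -n "$mp" ] || continue
        opts=${opts#"("}
        opts=${opts%")"}
        for want in $(policy_for "$mp"); do
            if ! has_opt "$opts" "$want"; then
                echo "$mp missing $want"
                rc=1
            fi
        done
    done
    return $rc
}

# sample_169: constructed `mount` output for the Core Update 169 state shown in the thread
# (the "-" lines of the diff, after the author's note that the diff direction was swapped).
sample_169() {
    cat <<'EOF'
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
/dev/sda1 on /boot type ext4 (rw,relatime)
/dev/sda4 on / type ext4 (rw,relatime)
devtmpfs on /dev type devtmpfs (rw,relatime,size=1963708k,nr_inodes=490927,mode=755)
/proc on /proc type proc (rw,relatime)
/run on /run type tmpfs (rw,nosuid,nodev,relatime,size=8192k,mode=755)
/sys on /sys type sysfs (rw,relatime)
tmpfs on /dev/shm type tmpfs (rw,relatime)
/var/lock on /var/lock type tmpfs (rw,nosuid,nodev,relatime,size=8192k)
EOF
}

# Demo on the constructed sample; on a live system use:  mount | audit_mounts
sample_169 | audit_mounts || echo "audit: hardening options missing (see above)"
```

On the constructed sample this reports 14 missing options and exits non-zero; on a system that matches the policy it prints nothing and exits 0, so it can sit in a pre-test checklist. To test the "options get overwritten at a later point" hypothesis from the thread, /proc/self/mountinfo is more useful than `mount`: it lists mounts in the order they were created, so a mount point that appears twice was overmounted by a later call, and the line order shows which one came last.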
Comments
Hello,

I suppose this is coming from changing dracut.

Unless I am reading your diff wrong, those options have been added which is a good thing?!

-Michael

> On 20 Jun 2022, at 21:34, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Hello *,
>
> while pre-testing Core Update 169, it came to my attention that, for some reason,
> various mount options have changed since Core Update 168, lacking options such as
> "nodev", "noexec", "nosuid", which means a security downgrade.
>
> The complete delta is as follows:
>
> $ diff -Naur before after
> --- before 2022-06-20 20:04:32.436632074 +0000
> +++ after 2022-06-20 20:04:34.500401575 +0000
> @@ -1,12 +1,12 @@
> -devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
> +devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
> /dev/sda1 on /boot type ext4 (rw,relatime)
> /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
> /dev/sda4 on / type ext4 (rw,relatime)
> -devtmpfs on /dev type devtmpfs (rw,relatime,size=1963708k,nr_inodes=490927,mode=755)
> +devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,size=1949992k,nr_inodes=487498,mode=755)
> efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,relatime)
> none on /sys/fs/cgroup type cgroup2 (rw,relatime)
> -/proc on /proc type proc (rw,relatime)
> -/run on /run type tmpfs (rw,nosuid,nodev,relatime,size=8192k,mode=755)
> -/sys on /sys type sysfs (rw,relatime)
> -tmpfs on /dev/shm type tmpfs (rw,relatime)
> +proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
> +sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
> +tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
> +tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,mode=755)
> /var/lock on /var/lock type tmpfs (rw,nosuid,nodev,relatime,size=8192k)
>
> I cannot recall of having this explicitly changed anywhere, and don't understand
> the root cause for this (unwanted) change. Could somebody please point me into the
> right direction? :-)
>
> Thanks in advance, and best regards,
> Peter Müller
Hello Michael,

thanks for your reply.

> Hello,
>
> I suppose this is coming from changing dracut.

As discussed on the phone already, I don't think dracut is the root cause here, since
the mount options are fine on systems running Core Update 168. Some change in Core Update
169 caused this issue.

> Unless I am reading your diff wrong, those options have been added which is a good thing?!

No, it is the other way round. Silly me screwed up the diff. :-/

Anyway, commit 54bd60b67b477e5d5814293a74086dff1c21ac69 addresses all of them except for
/dev. I searched and was unable to find any component where /dev is (re)mounted in the way
it is shown in the output of "mount".

Do you have any ideas?

Thanks, and best regards,
Peter Müller

>
> -Michael
>
>> On 20 Jun 2022, at 21:34, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Hello *,
>>
>> while pre-testing Core Update 169, it came to my attention that, for some reason,
>> various mount options have changed since Core Update 168, lacking options such as
>> "nodev", "noexec", "nosuid", which means a security downgrade.
>>
>> The complete delta is as follows:
>>
>> $ diff -Naur before after
>> --- before 2022-06-20 20:04:32.436632074 +0000
>> +++ after 2022-06-20 20:04:34.500401575 +0000
>> @@ -1,12 +1,12 @@
>> -devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
>> +devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
>> /dev/sda1 on /boot type ext4 (rw,relatime)
>> /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
>> /dev/sda4 on / type ext4 (rw,relatime)
>> -devtmpfs on /dev type devtmpfs (rw,relatime,size=1963708k,nr_inodes=490927,mode=755)
>> +devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,size=1949992k,nr_inodes=487498,mode=755)
>> efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,relatime)
>> none on /sys/fs/cgroup type cgroup2 (rw,relatime)
>> -/proc on /proc type proc (rw,relatime)
>> -/run on /run type tmpfs (rw,nosuid,nodev,relatime,size=8192k,mode=755)
>> -/sys on /sys type sysfs (rw,relatime)
>> -tmpfs on /dev/shm type tmpfs (rw,relatime)
>> +proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
>> +sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
>> +tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
>> +tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,mode=755)
>> /var/lock on /var/lock type tmpfs (rw,nosuid,nodev,relatime,size=8192k)
>>
>> I cannot recall of having this explicitly changed anywhere, and don't understand
>> the root cause for this (unwanted) change. Could somebody please point me into the
>> right direction? :-)
>>
>> Thanks in advance, and best regards,
>> Peter Müller
>
Hello,

> On 22 Jun 2022, at 19:02, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Hello Michael,
>
> thanks for your reply.
>
>> Hello,
>>
>> I suppose this is coming from changing dracut.
>
> As discussed on the phone already, I don't think dracut is the root cause here, since
> the mount options are fine on systems running Core Update 168. Some change in Core Update
> 169 caused this issue.

Okay. Could we please find out what has been causing this?

This is a change I would definitely care about and things like this should not just change.

>
>> Unless I am reading your diff wrong, those options have been added which is a good thing?!
>
> No, it is the other way round. Silly me screwed up the diff. :-/
>
> Anyway, commit 54bd60b67b477e5d5814293a74086dff1c21ac69 addresses all of them except for
> /dev. I searched and was unable to find any component where /dev is (re)mounted in the way
> it is shown in the output of "mount".
>
> Do you have any ideas?
>
> Thanks, and best regards,
> Peter Müller
>
>>
>> -Michael
>>
>>> On 20 Jun 2022, at 21:34, Peter Müller <peter.mueller@ipfire.org> wrote:
>>>
>>> Hello *,
>>>
>>> while pre-testing Core Update 169, it came to my attention that, for some reason,
>>> various mount options have changed since Core Update 168, lacking options such as
>>> "nodev", "noexec", "nosuid", which means a security downgrade.
>>>
>>> The complete delta is as follows:
>>>
>>> $ diff -Naur before after
>>> --- before 2022-06-20 20:04:32.436632074 +0000
>>> +++ after 2022-06-20 20:04:34.500401575 +0000
>>> @@ -1,12 +1,12 @@
>>> -devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
>>> +devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
>>> /dev/sda1 on /boot type ext4 (rw,relatime)
>>> /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
>>> /dev/sda4 on / type ext4 (rw,relatime)
>>> -devtmpfs on /dev type devtmpfs (rw,relatime,size=1963708k,nr_inodes=490927,mode=755)
>>> +devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,size=1949992k,nr_inodes=487498,mode=755)
>>> efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,relatime)
>>> none on /sys/fs/cgroup type cgroup2 (rw,relatime)
>>> -/proc on /proc type proc (rw,relatime)
>>> -/run on /run type tmpfs (rw,nosuid,nodev,relatime,size=8192k,mode=755)
>>> -/sys on /sys type sysfs (rw,relatime)
>>> -tmpfs on /dev/shm type tmpfs (rw,relatime)
>>> +proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
>>> +sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
>>> +tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
>>> +tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,mode=755)
>>> /var/lock on /var/lock type tmpfs (rw,nosuid,nodev,relatime,size=8192k)
>>>
>>> I cannot recall of having this explicitly changed anywhere, and don't understand
>>> the root cause for this (unwanted) change. Could somebody please point me into the
>>> right direction? :-)
>>>
>>> Thanks in advance, and best regards,
>>> Peter Müller
>>
Hello Michael,

> Hello,
>
>> On 22 Jun 2022, at 19:02, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Hello Michael,
>>
>> thanks for your reply.
>>
>>> Hello,
>>>
>>> I suppose this is coming from changing dracut.
>>
>> As discussed on the phone already, I don't think dracut is the root cause here, since
>> the mount options are fine on systems running Core Update 168. Some change in Core Update
>> 169 caused this issue.
>
> Okay. Could we please find out what has been causing this?

I am unfortunately out of ideas and need help here - see also the issue of /dev which is
still not fixed since I do not know where to look. There is a mount call in
/usr/lib/dracut/modules.d/99base/init.sh with the proper options, but it either is not
conducted at all during boot, or the mount options get overwritten at a later point.

Sorry for the hassle.

> This is a change I would definitely care about and things like this should not just change.

Full ACK.

>
>>
>>> Unless I am reading your diff wrong, those options have been added which is a good thing?!
>>
>> No, it is the other way round. Silly me screwed up the diff. :-/
>>
>> Anyway, commit 54bd60b67b477e5d5814293a74086dff1c21ac69 addresses all of them except for
>> /dev. I searched and was unable to find any component where /dev is (re)mounted in the way
>> it is shown in the output of "mount".

^^^

Thanks, and best regards,
Peter Müller

>>
>> Do you have any ideas?
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>>
>>> -Michael
>>>
>>>> On 20 Jun 2022, at 21:34, Peter Müller <peter.mueller@ipfire.org> wrote:
>>>>
>>>> Hello *,
>>>>
>>>> while pre-testing Core Update 169, it came to my attention that, for some reason,
>>>> various mount options have changed since Core Update 168, lacking options such as
>>>> "nodev", "noexec", "nosuid", which means a security downgrade.
>>>>
>>>> The complete delta is as follows:
>>>>
>>>> $ diff -Naur before after
>>>> --- before 2022-06-20 20:04:32.436632074 +0000
>>>> +++ after 2022-06-20 20:04:34.500401575 +0000
>>>> @@ -1,12 +1,12 @@
>>>> -devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
>>>> +devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
>>>> /dev/sda1 on /boot type ext4 (rw,relatime)
>>>> /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
>>>> /dev/sda4 on / type ext4 (rw,relatime)
>>>> -devtmpfs on /dev type devtmpfs (rw,relatime,size=1963708k,nr_inodes=490927,mode=755)
>>>> +devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,size=1949992k,nr_inodes=487498,mode=755)
>>>> efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,relatime)
>>>> none on /sys/fs/cgroup type cgroup2 (rw,relatime)
>>>> -/proc on /proc type proc (rw,relatime)
>>>> -/run on /run type tmpfs (rw,nosuid,nodev,relatime,size=8192k,mode=755)
>>>> -/sys on /sys type sysfs (rw,relatime)
>>>> -tmpfs on /dev/shm type tmpfs (rw,relatime)
>>>> +proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
>>>> +sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
>>>> +tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
>>>> +tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,mode=755)
>>>> /var/lock on /var/lock type tmpfs (rw,nosuid,nodev,relatime,size=8192k)
>>>>
>>>> I cannot recall of having this explicitly changed anywhere, and don't understand
>>>> the root cause for this (unwanted) change. Could somebody please point me into the
>>>> right direction? :-)
>>>>
>>>> Thanks in advance, and best regards,
>>>> Peter Müller
>>>
>
--- before 2022-06-20 20:04:32.436632074 +0000
+++ after 2022-06-20 20:04:34.500401575 +0000
@@ -1,12 +1,12 @@
-devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
+devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
 /dev/sda1 on /boot type ext4 (rw,relatime)
 /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
 /dev/sda4 on / type ext4 (rw,relatime)
-devtmpfs on /dev type devtmpfs (rw,relatime,size=1963708k,nr_inodes=490927,mode=755)
+devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,size=1949992k,nr_inodes=487498,mode=755)
 efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,relatime)
 none on /sys/fs/cgroup type cgroup2 (rw,relatime)
-/proc on /proc type proc (rw,relatime)
-/run on /run type tmpfs (rw,nosuid,nodev,relatime,size=8192k,mode=755)
-/sys on /sys type sysfs (rw,relatime)
-tmpfs on /dev/shm type tmpfs (rw,relatime)
+proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
+sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
+tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
+tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,mode=755)
 /var/lock on /var/lock type tmpfs (rw,nosuid,nodev,relatime,size=8192k)
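Review bot: the direction of this diff is inverted, as the follow-up reply ("it is the other way round. Silly me screwed up the diff") confirms: the `+` lines are the Core Update 168 state and the `-` lines are what Core Update 169 actually mounts, so anyone reading the hunk as labelled concludes options were added when they were removed. Read the right way round, the regression in this hunk is that /proc, /sys and /dev/shm lose nosuid, nodev and noexec entirely, /run loses noexec, and /dev/pts and /dev lose nosuid and noexec. Two further points are visible in the lines themselves: the devtmpfs line carries no nodev in either state, which is expected because /dev must keep its device nodes usable, so the target for /dev is nosuid,noexec and not the full triple; and the source column differs between the two states (`-/proc on /proc`, `-/sys on /sys`, `-/run on /run` versus `+proc on /proc`, `+sysfs on /sys`, `+tmpfs on /run`), which indicates these filesystems are mounted by a different invocation in 169 than in 168 and is a concrete lead for finding the code path that drops the options. Suggest regenerating the diff with the files in the correct order before attaching it to the fix commit so the record matches the direction of the change.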