[v2] Core Update 170: Harden mount options of /boot on existing installations

Message ID f0374b07-323d-2796-7eac-f48a09a84bbc@ipfire.org
State Accepted
Series [v2] Core Update 170: Harden mount options of /boot on existing installations

Commit Message

Peter Müller July 13, 2022, 7:46 p.m. UTC
The second version of this patch uses @ instead of / for sed delimiters,
which makes the command less hard to read. Since Core Update 170 already
requires a reboot at this point, the respective directive is omitted.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/rootfiles/core/170/update.sh | 3 +++
 1 file changed, 3 insertions(+)
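The patch rewrites the /boot line of /etc/fstab with a single sed substitution. As an added example (not part of this patch or of IPFire's update.sh), the following POSIX shell script performs the same hardening but checks each option before adding it, so it can be re-run on an already hardened fstab without duplicating options; the sample fstab it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not IPFire's own update.sh: append mount options to the
# /boot entry of an fstab file so that re-running it never duplicates them.
set -eu

# harden_boot_fstab FILE OPTIONS
# Adds each comma-separated option in OPTIONS to the option field of the
# /boot line in FILE unless it is already present. Comment lines and other
# mount points pass through unchanged.
harden_boot_fstab() {
    fstab="$1"
    want="$2"
    awk -v want="$want" -v OFS='\t' '
        # Field 2 is the mount point; compare it exactly rather than by
        # pattern so that e.g. /boot/efi is not touched.
        $1 !~ /^#/ && $2 == "/boot" {
            n = split(want, w, ",")
            for (i = 1; i <= n; i++) {
                if (index("," $4 ",", "," w[i] ",") == 0) {
                    $4 = $4 "," w[i]   # assigning $4 rebuilds the line with OFS
                }
            }
        }
        { print }
    ' "$fstab" > "$fstab.tmp"
    mv "$fstab.tmp" "$fstab"
}

# boot_options FILE: print the option field of the /boot entry (for checks).
boot_options() {
    awk '$1 !~ /^#/ && $2 == "/boot" { print $4 }' "$1"
}

# write_sample_fstab FILE: constructed sample, not a real IPFire fstab.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample fstab
UUID=0000-0000  /      ext4  defaults  1 1
UUID=1111-1111  /boot  auto  defaults  1 2
EOF
}

# Demonstration on a temporary sample: the second run changes nothing.
tmp=$(mktemp)
write_sample_fstab "$tmp"
harden_boot_fstab "$tmp" nodev,noexec,nosuid
harden_boot_fstab "$tmp" nodev,noexec,nosuid
cat "$tmp"
rm -f "$tmp"
```

Point it at a copy of the real /etc/fstab first and compare with `diff` before applying it in place.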
  

Comments

Peter Müller July 13, 2022, 7:48 p.m. UTC | #1
Hello *,

additionally, we need to ensure /boot mount options are already written with these flags
into /etc/fstab on new installations. For flash-images, this is already done in C169, but
I have yet to investigate where to change things for the ISO files.

Any hints would be appreciated. :-)

Thanks, and best regards,
Peter Müller


  
Michael Tremer July 14, 2022, 9:34 a.m. UTC | #2
Hello,

The pointer: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/installer/hw.c;h=12f8e793de49b65afb4d271f10d6d7717e8a8145;hb=HEAD#l1125

-Michael

  
Peter Müller July 14, 2022, 10:15 a.m. UTC | #3
Hello Michael,

gee, thank you. :-)

Are you otherwise fine with this patch?

Thanks, and best regards,
Peter Müller


  
Michael Tremer July 14, 2022, 10:17 a.m. UTC | #4
Hello,

Yes, it isn’t great to edit such files with sed, but there are no other options.

I would however prefer to merge it only together with the changes to the installer. Otherwise we are shipping a small change over the course of three updates.

-Michael

  
Peter Müller July 14, 2022, 10:19 a.m. UTC | #5
Hello Michael,

> Hello,
> 
> Yes, it isn’t great to edit such files with sed, but there are no other options.
> 
> I would however prefer to merge it only together with the changes to the installer. Otherwise we are shipping a small change over the course of three updates.

yes, absolutely. I will send in a patch for the installer later today.

Thanks, and best regards,
Peter Müller

  
Peter Müller July 28, 2022, 1:29 p.m. UTC | #6
Hello *,

> Hello Michael,
> 
>> Hello,
>>
>> Yes, it isn’t great to edit such files with sed, but there are no other options.
>>
>> I would however prefer to merge it only together with the changes to the installer. Otherwise we are shipping a small change over the course of three updates.
> 
> yes, absolutely. I will send in a patch for the installer later today.

https://patchwork.ipfire.org/project/ipfire/patch/de573afc-f8ed-1cf8-949d-822b8801953f@ipfire.org/
- here it is, apologies for the tardy response.

Thanks, and best regards,
Peter Müller

  
Michael Tremer July 28, 2022, 7:41 p.m. UTC | #7
Looks good to me. You can merge it with the next sweep.

-Michael

  

Patch

diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
index 7dde03060..78a4709bc 100644
--- a/config/rootfiles/core/170/update.sh
+++ b/config/rootfiles/core/170/update.sh
@@ -110,6 +110,9 @@  chown nobody:nobody /var/lib/ipblocklist
 # Start services
 /etc/init.d/rc.d/unbound start
 
+# Harden mount options of /boot
+sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot    auto defaults,nodev,noexec,nosuid   @g" /etc/fstab
+
 # This update needs a reboot...
 touch /var/run/need_reboot
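Review bot: the added `sed` line has its options in the wrong order: `-e -i` makes `-i` the argument of `-e`, so sed tries to compile `-i` as its script and aborts with an unknown command error before touching /etc/fstab; write `sed -i -e "s@...@...@g" /etc/fstab` instead. The expression is also not idempotent: every `[[:space:]]*` may match nothing, so a /boot line that already reads `defaults,nodev,noexec,nosuid` (flash images installed since Core Update 169, per the thread, or any re-run of this script) is matched again and gets the options appended a second time; guard it with an address such as `/nosuid/!s@...@...@` or require at least one blank after `defaults`. Since `@` is now the delimiter, the `\/` escapes in both halves can be plain `/`, which was the point of switching delimiters.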