From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] Core Update 170: Harden mount options of /boot on existing installations
Date: Thu, 07 Jul 2022 16:39:38 +0200
Message-ID: <02519BDF-823F-43F9-8A13-9D3D657E963C@ipfire.org>
In-Reply-To: <025e3315-6a62-30cd-9a00-cc0827820433@ipfire.org>
List-Id: <development.lists.ipfire.org>

Hello,

> On 6 Jul 2022, at 20:36, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/rootfiles/core/170/update.sh | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
> index 8edb5ff2e..c9744f5f5 100644
> --- a/config/rootfiles/core/170/update.sh
> +++ b/config/rootfiles/core/170/update.sh
> @@ -49,8 +49,11 @@ ldconfig
>
> # Start services
>
> +# Harden mount options of /boot
> +sed -e -i "s/[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*/ \/boot auto defaults,nodev,noexec,nosuid /g" /etc/fstab

This is probably longer than it needs to be. To keep regular expressions more readable, I would suggest the following:

* Use \s instead of [[:space:]]. The latter is probably easier if you are not familiar with \s, but very hard to read.

* If you know that you are going to have slashes, use a different delimiter character. So instead of s/A\/B/C\/D/ you could also write s@A/B@C/D@ which is a lot easier to read.

* I am not convinced editing /etc/fstab like this is a good idea, but we don’t seem to have any other option.

> +
> # This update needs a reboot...
> -#touch /var/run/need_reboot
> +touch /var/run/need_reboot

Why do we need to reboot? Can we not remount?

>
> # Finish
> /etc/init.d/fireinfo start
> --
> 2.35.3
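
Review bot: In the added sed line, `-e -i` makes sed take `-i` as the script argument of `-e`, so in-place editing is never enabled and the s/// expression is read as an input file name; the command errors out and /etc/fstab stays unchanged. Put `-i` before `-e`, or drop `-e`. The expression is also not idempotent: the trailing `[[:space:]]*` can match nothing, so on a line that already reads `defaults,nodev,noexec,nosuid` it matches `defaults` again and inserts the options a second time, which breaks the options field. Requiring at least one whitespace character after `defaults` avoids that. The same hunk also enables `touch /var/run/need_reboot` without a comment saying why a reboot is required.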
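
The concern raised in the reply about editing /etc/fstab with a whitespace regex can be illustrated with a field-aware edit. This is an added example, not code from the thread or from IPFire: it swaps the sed substitution for awk matching on the mount-point field, and the function names `harden_boot_opts` and `sample_fstab` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IPFire code). Function names are hypothetical.

# Print FILE (or stdin when FILE is "-") with nodev,noexec,nosuid added to
# the options field of the /boot entry. Matches on the mount-point field,
# so filesystem type and existing options do not matter.
harden_boot_opts() {
    awk -v want="nodev,noexec,nosuid" '
        BEGIN { OFS = "\t"; n = split(want, add, ",") }
        # Skip comments; act only where field 2 (mount point) is /boot.
        $1 !~ /^#/ && $2 == "/boot" && NF >= 4 {
            for (i = 1; i <= n; i++)
                # Comma-wrap both sides so "nodev" never matches "nodevx".
                if (index("," $4 ",", "," add[i] ",") == 0)
                    $4 = $4 "," add[i]
        }
        { print }
    ' "${1:--}"
}

# Constructed sample input, not taken from a real system.
sample_fstab() {
    cat <<'EOF'
UUID=1111-AAAA  /boot  auto  defaults  1 2
UUID=2222-BBBB  /      auto  defaults  1 1
# UUID=3333-CCCC /boot auto defaults 1 2
EOF
}

# Stand-alone demo: the second pass must leave the first pass unchanged.
sample_fstab | harden_boot_opts - | harden_boot_opts -
```

Only the modified line is rewritten with tab separators; every other line, including comments, passes through byte for byte.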