* [PATCH] Core Update 170: Harden mount options of /boot on existing installations @ 2022-07-06 18:36 Peter Müller 2022-07-07 14:39 ` Michael Tremer 0 siblings, 1 reply; 3+ messages in thread From: Peter Müller @ 2022-07-06 18:36 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 756 bytes --] Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/rootfiles/core/170/update.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh index 8edb5ff2e..c9744f5f5 100644 --- a/config/rootfiles/core/170/update.sh +++ b/config/rootfiles/core/170/update.sh @@ -49,8 +49,11 @@ ldconfig # Start services +# Harden mount options of /boot +sed -e -i "s/[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*/ \/boot auto defaults,nodev,noexec,nosuid /g" /etc/fstab + # This update needs a reboot... -#touch /var/run/need_reboot +touch /var/run/need_reboot # Finish /etc/init.d/fireinfo start -- 2.35.3 ^ permalink raw reply [flat|nested] 3+ messages in thread
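Review bot: In the added sed line the options are ordered `-e -i`, so `-e` consumes `-i` as its script and the quoted `s/…/…/g` expression is then treated as an input file name; /etc/fstab is not edited in place. Put the in-place flag first (`sed -i -e "s/…/…/g" /etc/fstab`) or drop `-e`. The pattern is also not safe to run twice: `defaults[[:space:]]*` still matches the already rewritten `defaults,nodev,noexec,nosuid`, so a second run would insert the option list again and leave a space inside the options field; require at least one whitespace character after `defaults`, or skip lines that already contain `nodev`.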
* Re: [PATCH] Core Update 170: Harden mount options of /boot on existing installations 2022-07-06 18:36 [PATCH] Core Update 170: Harden mount options of /boot on existing installations Peter Müller @ 2022-07-07 14:39 ` Michael Tremer 2022-07-07 14:44 ` Peter Müller 0 siblings, 1 reply; 3+ messages in thread From: Michael Tremer @ 2022-07-07 14:39 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1482 bytes --] Hello, > On 6 Jul 2022, at 20:36, Peter Müller <peter.mueller(a)ipfire.org> wrote: > > Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> > --- > config/rootfiles/core/170/update.sh | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh > index 8edb5ff2e..c9744f5f5 100644 > --- a/config/rootfiles/core/170/update.sh > +++ b/config/rootfiles/core/170/update.sh > @@ -49,8 +49,11 @@ ldconfig > > # Start services > > +# Harden mount options of /boot > +sed -e -i "s/[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*/ \/boot auto defaults,nodev,noexec,nosuid /g" /etc/fstab This is probably longer than it needs to be. To keep regular expressions more readable, I would suggest the following: * Use \s instead of [[:space:]]. The latter is probably easier if you are not familiar with \s, but very hard to read. * If you know that you are going to have slashes, use a different delimiter character. So instead of s/A\/B/C\/D/ you could also write s@A/B@C/D@ which is a lot easier to read. * I am not convinced editing /etc/fstab like this is a good idea, but we don’t seem to have any other option. > + > # This update needs a reboot... > -#touch /var/run/need_reboot > +touch /var/run/need_reboot Why do we need to reboot? Can we not remount? > > # Finish > /etc/init.d/fireinfo start > -- > 2.35.3 ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] Core Update 170: Harden mount options of /boot on existing installations 2022-07-07 14:39 ` Michael Tremer @ 2022-07-07 14:44 ` Peter Müller 0 siblings, 0 replies; 3+ messages in thread From: Peter Müller @ 2022-07-07 14:44 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1817 bytes --] Hello Michael, thanks for your reply. > Hello, > >> On 6 Jul 2022, at 20:36, Peter Müller <peter.mueller(a)ipfire.org> wrote: >> >> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >> --- >> config/rootfiles/core/170/update.sh | 5 ++++- >> 1 file changed, 4 insertions(+), 1 deletion(-) >> >> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh >> index 8edb5ff2e..c9744f5f5 100644 >> --- a/config/rootfiles/core/170/update.sh >> +++ b/config/rootfiles/core/170/update.sh 
>> @@ -49,8 +49,11 @@ ldconfig >> >> # Start services >> >> +# Harden mount options of /boot >> +sed -e -i "s/[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*/ \/boot auto defaults,nodev,noexec,nosuid /g" /etc/fstab > > This is probably longer than it needs to be. To keep regular expressions more readable, I would suggest the following: > > * Use \s instead of [[:space:]]. The latter is probably easier if you are not familiar with \s, but very hard to read. I would prefer that too, but sed does not understand PCRE (tested on C168, did not work). > * If you know that you are going to have slashes, use a different delimiter character. So instead of s/A\/B/C\/D/ you could also write s@A/B@C/D@ which is a lot easier to read. ACK, good point. > * I am not convinced editing /etc/fstab like this is a good idea, but we don’t seem to have any other option. > >> + >> # This update needs a reboot... >> -#touch /var/run/need_reboot >> +touch /var/run/need_reboot > > Why do we need to reboot? Can we not remount? Indeed. At this point, all the other stuff in C170 does not require a reboot yet. Thanks, and best regards, Peter Müller > >> >> # Finish >> /etc/init.d/fireinfo start >> -- >> 2.35.3 > ^ permalink raw reply [flat|nested] 3+ messages in thread
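The thread's concern about editing /etc/fstab with one long regular expression can be addressed by editing per field instead. The following is an added example, not code from this thread or from IPFire: the function names and the sample fstab are assumptions made for illustration. It merges nodev,noexec,nosuid into the options field of the /boot entry only, and changes nothing on a second run.

```shell
#!/bin/sh
# Added example (not IPFire's update.sh). Function names are hypothetical.

# Print fstab FILE with the comma-separated options in ADD merged into the
# options field (field 4) of the entry mounted at MNT.
harden_fstab_opts() {
    awk -v mnt="$2" -v add="$3" '
        # Only real entries: skip comments and require an exact mount point
        # match, so /boot/efi or a commented-out line is never touched.
        $1 !~ /^#/ && NF >= 4 && $2 == mnt {
            n = split(add, want, ",")
            for (i = 1; i <= n; i++) {
                m = split($4, have, ",")
                found = 0
                for (j = 1; j <= m; j++) if (have[j] == want[i]) found = 1
                # Assigning $4 re-joins the line with single spaces, which
                # fstab accepts; untouched lines keep their original layout.
                if (!found) $4 = $4 "," want[i]
            }
        }
        { print }
    ' "$1"
}

# Rewrite FILE through a temporary copy so a failed run cannot truncate it.
apply_boot_hardening() {
    tmp="$1.new.$$"
    cp -p "$1" "$tmp" || return 1          # keeps owner and mode
    if harden_fstab_opts "$1" /boot nodev,noexec,nosuid > "$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$1"
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed sample fstab (not taken from a real system).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# <device>  <mount>  <type>  <options>  <dump>  <pass>
UUID=1111   /boot      auto  defaults   1 2
UUID=2222   /boot/efi  auto  defaults   1 2
UUID=3333   /          auto  defaults   1 1
#UUID=4444  /boot      auto  defaults   1 2
EOF
apply_boot_hardening "$sample"
apply_boot_hardening "$sample"   # second run must change nothing
cat "$sample"
```

Once the file is updated, `mount -o remount,nodev,noexec,nosuid /boot` applies the same options to the running system, which is the remount alternative raised in the thread.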