* [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations
From: Peter Müller @ 2022-07-13 19:46 UTC (permalink / raw)
To: development
The second version of this patch uses @ instead of / for sed delimiters,
which makes the command less hard to read. Since Core Update 170 already
requires a reboot at this point, the respective directive is omitted.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
config/rootfiles/core/170/update.sh | 3 +++
1 file changed, 3 insertions(+)
diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
index 7dde03060..78a4709bc 100644
--- a/config/rootfiles/core/170/update.sh
+++ b/config/rootfiles/core/170/update.sh
@@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist
# Start services
/etc/init.d/rc.d/unbound start
+# Harden mount options of /boot
+sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab
+
# This update needs a reboot...
touch /var/run/need_reboot
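Review bot: In the added sed line the options are in the wrong order: `-e` takes the next argument as its script, so sed is handed `-i` as the expression and the `s@...@...@g` string as a file name, and /etc/fstab is never edited. Swap them (`sed -i -e "s@...@...@g" /etc/fstab`) or drop `-e`. Separately, the trailing `[[:space:]]*` after `defaults` also matches zero characters, so an entry that already reads `defaults,nodev,noexec,nosuid` (or a second run of this script) matches again and gets the options appended once more after a space, which shifts the remaining fstab fields; requiring at least one whitespace character after `defaults` avoids that. The `\/` escapes are also no longer needed now that `@` is the delimiter.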
--
2.35.3
* Re: [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations
From: Peter Müller @ 2022-07-13 19:48 UTC (permalink / raw)
To: development
Hello *,
additionally, we need to ensure /boot mount options are already written with these flags
into /etc/fstab on new installations. For flash-images, this is already done in C169, but
I have yet to investigate where to change things for the ISO files.
Any hints would be appreciated. :-)
Thanks, and best regards,
Peter Müller
> The second version of this patch uses @ instead of / for sed delimiters,
> which makes the command less hard to read. Since Core Update 170 already
> requires a reboot at this point, the respective directive is omitted.
>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/rootfiles/core/170/update.sh | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
> index 7dde03060..78a4709bc 100644
> --- a/config/rootfiles/core/170/update.sh
> +++ b/config/rootfiles/core/170/update.sh
> @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist
> # Start services
> /etc/init.d/rc.d/unbound start
>
> +# Harden mount options of /boot
> +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab
> +
> # This update needs a reboot...
> touch /var/run/need_reboot
>
* Re: [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations
From: Michael Tremer @ 2022-07-14 9:34 UTC (permalink / raw)
To: development
Hello,
The pointer: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/installer/hw.c;h=12f8e793de49b65afb4d271f10d6d7717e8a8145;hb=HEAD#l1125
-Michael
> On 13 Jul 2022, at 20:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello *,
>
> additionally, we need to ensure /boot mount options are already written with these flags
> into /etc/fstab on new installations. For flash-images, this is already done in C169, but
> I have yet to investigate where to change things for the ISO files.
>
> Any hints would be appreciated. :-)
>
> Thanks, and best regards,
> Peter Müller
>
>
>> The second version of this patch uses @ instead of / for sed delimiters,
>> which makes the command less hard to read. Since Core Update 170 already
>> requires a reboot at this point, the respective directive is omitted.
>>
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> config/rootfiles/core/170/update.sh | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
>> index 7dde03060..78a4709bc 100644
>> --- a/config/rootfiles/core/170/update.sh
>> +++ b/config/rootfiles/core/170/update.sh
>> @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist
>> # Start services
>> /etc/init.d/rc.d/unbound start
>>
>> +# Harden mount options of /boot
>> +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab
>> +
>> # This update needs a reboot...
>> touch /var/run/need_reboot
>>
* Re: [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations
From: Peter Müller @ 2022-07-14 10:15 UTC (permalink / raw)
To: development
Hello Michael,
gee, thank you. :-)
Are you otherwise fine with this patch?
Thanks, and best regards,
Peter Müller
> Hello,
>
> The pointer: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/installer/hw.c;h=12f8e793de49b65afb4d271f10d6d7717e8a8145;hb=HEAD#l1125
>
> -Michael
>
>> On 13 Jul 2022, at 20:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> Hello *,
>>
>> additionally, we need to ensure /boot mount options are already written with these flags
>> into /etc/fstab on new installations. For flash-images, this is already done in C169, but
>> I have yet to investigate where to change things for the ISO files.
>>
>> Any hints would be appreciated. :-)
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> The second version of this patch uses @ instead of / for sed delimiters,
>>> which makes the command less hard to read. Since Core Update 170 already
>>> requires a reboot at this point, the respective directive is omitted.
>>>
>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>> ---
>>> config/rootfiles/core/170/update.sh | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
>>> index 7dde03060..78a4709bc 100644
>>> --- a/config/rootfiles/core/170/update.sh
>>> +++ b/config/rootfiles/core/170/update.sh
>>> @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist
>>> # Start services
>>> /etc/init.d/rc.d/unbound start
>>>
>>> +# Harden mount options of /boot
>>> +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab
>>> +
>>> # This update needs a reboot...
>>> touch /var/run/need_reboot
>>>
>
* Re: [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations
From: Michael Tremer @ 2022-07-14 10:17 UTC (permalink / raw)
To: development
Hello,
Yes, it isn’t great to edit such files with sed, but there are no other options.
I would however prefer to merge it only together with the changes to the installer. Otherwise we are shipping a small change over the course of three updates.
-Michael
> On 14 Jul 2022, at 11:15, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello Michael,
>
> gee, thank you. :-)
>
> Are you otherwise fine with this patch?
>
> Thanks, and best regards,
> Peter Müller
>
>
>> Hello,
>>
>> The pointer: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/installer/hw.c;h=12f8e793de49b65afb4d271f10d6d7717e8a8145;hb=HEAD#l1125
>>
>> -Michael
>>
>>> On 13 Jul 2022, at 20:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>
>>> Hello *,
>>>
>>> additionally, we need to ensure /boot mount options are already written with these flags
>>> into /etc/fstab on new installations. For flash-images, this is already done in C169, but
>>> I have yet to investigate where to change things for the ISO files.
>>>
>>> Any hints would be appreciated. :-)
>>>
>>> Thanks, and best regards,
>>> Peter Müller
>>>
>>>
>>>> The second version of this patch uses @ instead of / for sed delimiters,
>>>> which makes the command less hard to read. Since Core Update 170 already
>>>> requires a reboot at this point, the respective directive is omitted.
>>>>
>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>> ---
>>>> config/rootfiles/core/170/update.sh | 3 +++
>>>> 1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
>>>> index 7dde03060..78a4709bc 100644
>>>> --- a/config/rootfiles/core/170/update.sh
>>>> +++ b/config/rootfiles/core/170/update.sh
>>>> @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist
>>>> # Start services
>>>> /etc/init.d/rc.d/unbound start
>>>>
>>>> +# Harden mount options of /boot
>>>> +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab
>>>> +
>>>> # This update needs a reboot...
>>>> touch /var/run/need_reboot
>>>>
>>
* Re: [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations
From: Peter Müller @ 2022-07-14 10:19 UTC (permalink / raw)
To: development
Hello Michael,
> Hello,
>
> Yes, it isn’t great to edit such files with sed, but there are no other options.
>
> I would however prefer to merge it only together with the changes to the installer. Otherwise we are shipping a small change over the course of three updates.
yes, absolutely. I will send in a patch for the installer later today.
Thanks, and best regards,
Peter Müller
>
> -Michael
>
>> On 14 Jul 2022, at 11:15, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> Hello Michael,
>>
>> gee, thank you. :-)
>>
>> Are you otherwise fine with this patch?
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> Hello,
>>>
>>> The pointer: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/installer/hw.c;h=12f8e793de49b65afb4d271f10d6d7717e8a8145;hb=HEAD#l1125
>>>
>>> -Michael
>>>
>>>> On 13 Jul 2022, at 20:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>
>>>> Hello *,
>>>>
>>>> additionally, we need to ensure /boot mount options are already written with these flags
>>>> into /etc/fstab on new installations. For flash-images, this is already done in C169, but
>>>> I have yet to investigate where to change things for the ISO files.
>>>>
>>>> Any hints would be appreciated. :-)
>>>>
>>>> Thanks, and best regards,
>>>> Peter Müller
>>>>
>>>>
>>>>> The second version of this patch uses @ instead of / for sed delimiters,
>>>>> which makes the command less hard to read. Since Core Update 170 already
>>>>> requires a reboot at this point, the respective directive is omitted.
>>>>>
>>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>>> ---
>>>>> config/rootfiles/core/170/update.sh | 3 +++
>>>>> 1 file changed, 3 insertions(+)
>>>>>
>>>>> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
>>>>> index 7dde03060..78a4709bc 100644
>>>>> --- a/config/rootfiles/core/170/update.sh
>>>>> +++ b/config/rootfiles/core/170/update.sh
>>>>> @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist
>>>>> # Start services
>>>>> /etc/init.d/rc.d/unbound start
>>>>>
>>>>> +# Harden mount options of /boot
>>>>> +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab
>>>>> +
>>>>> # This update needs a reboot...
>>>>> touch /var/run/need_reboot
>>>>>
>>>
>
* Re: [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations
From: Peter Müller @ 2022-07-28 13:29 UTC (permalink / raw)
To: development
Hello *,
> Hello Michael,
>
>> Hello,
>>
>> Yes, it isn’t great to edit such files with sed, but there are no other options.
>>
>> I would however prefer to merge it only together with the changes to the installer. Otherwise we are shipping a small change over the course of three updates.
>
> yes, absolutely. I will send in a patch for the installer later today.
https://patchwork.ipfire.org/project/ipfire/patch/de573afc-f8ed-1cf8-949d-822b8801953f(a)ipfire.org/
- here it is, apologies for the tardy response.
Thanks, and best regards,
Peter Müller
>
> Thanks, and best regards,
> Peter Müller
>
>>
>> -Michael
>>
>>> On 14 Jul 2022, at 11:15, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>
>>> Hello Michael,
>>>
>>> gee, thank you. :-)
>>>
>>> Are you otherwise fine with this patch?
>>>
>>> Thanks, and best regards,
>>> Peter Müller
>>>
>>>
>>>> Hello,
>>>>
>>>> The pointer: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/installer/hw.c;h=12f8e793de49b65afb4d271f10d6d7717e8a8145;hb=HEAD#l1125
>>>>
>>>> -Michael
>>>>
>>>>> On 13 Jul 2022, at 20:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>>
>>>>> Hello *,
>>>>>
>>>>> additionally, we need to ensure /boot mount options are already written with these flags
>>>>> into /etc/fstab on new installations. For flash-images, this is already done in C169, but
>>>>> I have yet to investigate where to change things for the ISO files.
>>>>>
>>>>> Any hints would be appreciated. :-)
>>>>>
>>>>> Thanks, and best regards,
>>>>> Peter Müller
>>>>>
>>>>>
>>>>>> The second version of this patch uses @ instead of / for sed delimiters,
>>>>>> which makes the command less hard to read. Since Core Update 170 already
>>>>>> requires a reboot at this point, the respective directive is omitted.
>>>>>>
>>>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>>>> ---
>>>>>> config/rootfiles/core/170/update.sh | 3 +++
>>>>>> 1 file changed, 3 insertions(+)
>>>>>>
>>>>>> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
>>>>>> index 7dde03060..78a4709bc 100644
>>>>>> --- a/config/rootfiles/core/170/update.sh
>>>>>> +++ b/config/rootfiles/core/170/update.sh
>>>>>> @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist
>>>>>> # Start services
>>>>>> /etc/init.d/rc.d/unbound start
>>>>>>
>>>>>> +# Harden mount options of /boot
>>>>>> +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab
>>>>>> +
>>>>>> # This update needs a reboot...
>>>>>> touch /var/run/need_reboot
>>>>>>
>>>>
>>
* Re: [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations
From: Michael Tremer @ 2022-07-28 19:41 UTC (permalink / raw)
To: development
Looks good to me. You can merge it with the next sweep.
-Michael
> On 28 Jul 2022, at 14:29, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello *,
>
>> Hello Michael,
>>
>>> Hello,
>>>
>>> Yes, it isn’t great to edit such files with sed, but there are no other options.
>>>
>>> I would however prefer to merge it only together with the changes to the installer. Otherwise we are shipping a small change over the course of three updates.
>>
>> yes, absolutely. I will send in a patch for the installer later today.
>
> https://patchwork.ipfire.org/project/ipfire/patch/de573afc-f8ed-1cf8-949d-822b8801953f(a)ipfire.org/
> - here it is, apologies for the tardy response.
>
> Thanks, and best regards,
> Peter Müller
>
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>>
>>> -Michael
>>>
>>>> On 14 Jul 2022, at 11:15, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>
>>>> Hello Michael,
>>>>
>>>> gee, thank you. :-)
>>>>
>>>> Are you otherwise fine with this patch?
>>>>
>>>> Thanks, and best regards,
>>>> Peter Müller
>>>>
>>>>
>>>>> Hello,
>>>>>
>>>>> The pointer: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/installer/hw.c;h=12f8e793de49b65afb4d271f10d6d7717e8a8145;hb=HEAD#l1125
>>>>>
>>>>> -Michael
>>>>>
>>>>>> On 13 Jul 2022, at 20:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>>>
>>>>>> Hello *,
>>>>>>
>>>>>> additionally, we need to ensure /boot mount options are already written with these flags
>>>>>> into /etc/fstab on new installations. For flash-images, this is already done in C169, but
>>>>>> I have yet to investigate where to change things for the ISO files.
>>>>>>
>>>>>> Any hints would be appreciated. :-)
>>>>>>
>>>>>> Thanks, and best regards,
>>>>>> Peter Müller
>>>>>>
>>>>>>
>>>>>>> The second version of this patch uses @ instead of / for sed delimiters,
>>>>>>> which makes the command less hard to read. Since Core Update 170 already
>>>>>>> requires a reboot at this point, the respective directive is omitted.
>>>>>>>
>>>>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>>>>> ---
>>>>>>> config/rootfiles/core/170/update.sh | 3 +++
>>>>>>> 1 file changed, 3 insertions(+)
>>>>>>>
>>>>>>> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
>>>>>>> index 7dde03060..78a4709bc 100644
>>>>>>> --- a/config/rootfiles/core/170/update.sh
>>>>>>> +++ b/config/rootfiles/core/170/update.sh
>>>>>>> @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist
>>>>>>> # Start services
>>>>>>> /etc/init.d/rc.d/unbound start
>>>>>>>
>>>>>>> +# Harden mount options of /boot
>>>>>>> +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab
>>>>>>> +
>>>>>>> # This update needs a reboot...
>>>>>>> touch /var/run/need_reboot
>>>>>>>
>>>>>
>>>