From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] Core Update 170: Harden mount options of /boot on existing installations
Date: Thu, 07 Jul 2022 14:44:47 +0000
Message-ID: <23602f69-4d51-93b2-9eae-7fe431c3a305@ipfire.org>
In-Reply-To: <02519BDF-823F-43F9-8A13-9D3D657E963C@ipfire.org>

Hello Michael,

thanks for your reply.

> Hello,
>
>> On 6 Jul 2022, at 20:36, Peter Müller wrote:
>>
>> Signed-off-by: Peter Müller
>> ---
>> config/rootfiles/core/170/update.sh | 5 ++++-
>> 1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
>> index 8edb5ff2e..c9744f5f5 100644
>> --- a/config/rootfiles/core/170/update.sh
>> +++ b/config/rootfiles/core/170/update.sh
>> @@ -49,8 +49,11 @@ ldconfig
>>
>> # Start services
>>
>> +# Harden mount options of /boot
>> +sed -e -i "s/[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*/ \/boot auto defaults,nodev,noexec,nosuid /g" /etc/fstab
>
> This is probably longer than it needs to be. To keep regular expressions more readable, I would suggest the following:
>
> * Use \s instead of [[:space:]]. The latter is probably easier if you are not familiar with \s, but very hard to read.

I would prefer that too, but sed does not understand PCRE (tested on C168, did not work).

> * If you know that you are going to have slashes, use a different delimiter character. So instead of s/A\/B/C\/D/ you could also write s@A/B@C/D@ which is a lot easier to read.

ACK, good point.

> * I am not convinced editing /etc/fstab like this is a good idea, but we don't seem to have any other option.
>
>> +
>> # This update needs a reboot...
>> -#touch /var/run/need_reboot
>> +touch /var/run/need_reboot
>
> Why do we need to reboot? Can we not remount?

Indeed. At this point, all the other stuff in C170 does not require a reboot yet.

Thanks, and best regards,
Peter Müller

>
>>
>> # Finish
>> /etc/init.d/fireinfo start
>> -- 
>> 2.35.3
>
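Review bot: the `sed -e -i "s/.../g" /etc/fstab` line in the `# Harden mount options of /boot` hunk cannot work as written: `-e` takes the next argument as its script, so `-i` becomes the sed expression, sed aborts with an unknown-command error and /etc/fstab is never edited. Drop `-e` (`sed -i "s/.../" /etc/fstab`) or move the expression directly after it. Separately, every `[[:space:]]*` in the pattern may match zero characters, so a /boot line whose options field is `defaults,noatime` or already carries the three options is rewritten to `defaults,nodev,noexec,nosuid ,noatime` respectively gets the options duplicated; requiring at least one whitespace character after `defaults` (`[[:space:]]\+`) and skipping the edit when `nodev` is already present would keep the change idempotent. The `g` flag is not needed either, there is one /boot entry per line. As the thread notes for the `touch /var/run/need_reboot` change further down, a `mount -o remount /boot` after editing fstab would apply the new options without forcing a reboot.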
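The thread is about rewriting the /boot entry of /etc/fstab in a way that is readable and safe on installations whose fstab does not look exactly like the pattern. The following is an added example, not code from the patch or from IPFire's update.sh: it edits the entry by field with awk instead of a whitespace regex, touches only the line whose mount point is exactly the one requested, appends each option only when it is missing, and therefore produces the same result no matter how often it runs. The function names and the sample fstab are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not part of the IPFire patch): field-based hardening of one
# fstab entry. Function names are hypothetical; the sample fstab is constructed.

# harden_fstab_opts <mountpoint> <opt1,opt2,...>
# Reads an fstab on stdin and writes it to stdout. Only the line whose second
# field (the mount point) matches exactly is changed: every requested option
# that is not yet in the fourth field (mount options) is appended. Comments,
# blank lines and all other mount points pass through byte for byte, so
# running this twice yields the same output. Whitespace inside the edited line
# is normalised to single spaces by awk when the field is reassigned.
harden_fstab_opts() {
    awk -v mnt="$1" -v want="$2" '
        BEGIN { n = split(want, add, ",") }
        /^[[:space:]]*#/ || NF < 4 || $2 != mnt { print; next }
        {
            opts = $4
            for (i = 1; i <= n; i++)
                # whole-option comparison: "nodev" must not match "nodevfoo"
                if (index("," opts ",", "," add[i] ",") == 0)
                    opts = opts "," add[i]
            $4 = opts
            print
        }'
}

# boot_opts <fstab-text>: the options field of the /boot line after hardening
boot_opts() {
    printf '%s\n' "$1" | harden_fstab_opts /boot nodev,noexec,nosuid \
        | awk '$2 == "/boot" { print $4 }'
}

# harden_twice_equal <fstab-text>: succeeds when a second run changes nothing
harden_twice_equal() {
    once=$(printf '%s\n' "$1" | harden_fstab_opts /boot nodev,noexec,nosuid)
    twice=$(printf '%s\n' "$once" | harden_fstab_opts /boot nodev,noexec,nosuid)
    [ "$once" = "$twice" ]
}

# Constructed sample fstab (not taken from any real system). It contains the
# shapes a whitespace-only regex handles badly: extra options on another
# line and a mount point that merely starts with "/boot".
SAMPLE_FSTAB='# /etc/fstab: static file system information
/dev/sda1   /boot       auto    defaults            1 2
/dev/sda2   /           auto    defaults            1 1
/dev/sda3   /var        auto    defaults,noatime    1 2
/dev/sda4   /boot/efi   vfat    defaults            0 2'

# Demo: print the hardened table. On a real system you would redirect this
# into a temporary file and move it over /etc/fstab, then run
# "mount -o remount /boot" so the new options take effect without a reboot.
printf '%s\n' "$SAMPLE_FSTAB" | harden_fstab_opts /boot nodev,noexec,nosuid
```

Only the /boot line changes, to `defaults,nodev,noexec,nosuid`; `/boot/efi` is left alone because the comparison is against the whole mount-point field, not a prefix. With util-linux mount, `mount -o remount /boot` (mount point only, no device) re-reads the fstab entry and merges its options, which is how the remount Michael asks about would pick up the hardened flags.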