* [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations @ 2022-07-13 19:46 Peter Müller 2022-07-13 19:48 ` Peter Müller 0 siblings, 1 reply; 8+ messages in thread From: Peter Müller @ 2022-07-13 19:46 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 953 bytes --] The second version of this patch uses @ instead of / for sed delimiters, which makes the command less hard to read. Since Core Update 170 already requires a reboot at this point, the respective directive is omitted. Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/rootfiles/core/170/update.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh index 7dde03060..78a4709bc 100644 --- a/config/rootfiles/core/170/update.sh +++ b/config/rootfiles/core/170/update.sh @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist # Start services /etc/init.d/rc.d/unbound start +# Harden mount options of /boot +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab + # This update needs a reboot... touch /var/run/need_reboot -- 2.35.3 ^ permalink raw reply [flat|nested] 8+ messages in thread
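Review bot: In the added sed line, `-e -i` makes sed take `-i` as the script argument of `-e`, so the intended substitution is read as an input file name and /etc/fstab is never edited in place; reorder it to `sed -i -e "s@...@...@g" /etc/fstab` or drop `-e`. Two smaller points on the same line: with `@` as the delimiter the `\/` escapes are no longer needed, and because the trailing `[[:space:]]*` can match nothing, an entry that already reads `defaults,nodev,noexec,nosuid` still matches and would get the options inserted a second time after a space, so require at least one whitespace character after `defaults` or guard the edit with a check for the existing options.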
* Re: [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations 2022-07-13 19:46 [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations Peter Müller @ 2022-07-13 19:48 ` Peter Müller 2022-07-14 9:34 ` Michael Tremer 0 siblings, 1 reply; 8+ messages in thread From: Peter Müller @ 2022-07-13 19:48 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1335 bytes --] Hello *, additionally, we need to ensure /boot mount options are already written with these flags into /etc/fstab on new installations. For flash-images, this is already done in C169, but I have yet to investigate where to change things for the ISO files. Any hints would be appreciated. :-) Thanks, and best regards, Peter Müller > The second version of this patch uses @ instead of / for sed delimiters, > which makes the command less hard to read. Since Core Update 170 already > requires a reboot at this point, the respective directive is omitted. > > Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> > --- > config/rootfiles/core/170/update.sh | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh > index 7dde03060..78a4709bc 100644 > --- a/config/rootfiles/core/170/update.sh > +++ b/config/rootfiles/core/170/update.sh > @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist > # Start services > /etc/init.d/rc.d/unbound start > > +# Harden mount options of /boot > +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab > + > # This update needs a reboot... > touch /var/run/need_reboot > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations 2022-07-13 19:48 ` Peter Müller @ 2022-07-14 9:34 ` Michael Tremer 2022-07-14 10:15 ` Peter Müller 0 siblings, 1 reply; 8+ messages in thread From: Michael Tremer @ 2022-07-14 9:34 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1623 bytes --] Hello, The pointer: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/installer/hw.c;h=12f8e793de49b65afb4d271f10d6d7717e8a8145;hb=HEAD#l1125 -Michael > On 13 Jul 2022, at 20:48, Peter Müller <peter.mueller(a)ipfire.org> wrote: > > Hello *, > > additionally, we need to ensure /boot mount options are already written with these flags > into /etc/fstab on new installations. For flash-images, this is already done in C169, but > I have yet to investigate where to change things for the ISO files. > > Any hints would be appreciated. :-) > > Thanks, and best regards, > Peter Müller > > >> The second version of this patch uses @ instead of / for sed delimiters, >> which makes the command less hard to read. Since Core Update 170 already >> requires a reboot at this point, the respective directive is omitted. >> >> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >> --- >> config/rootfiles/core/170/update.sh | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh >> index 7dde03060..78a4709bc 100644 >> --- a/config/rootfiles/core/170/update.sh >> +++ b/config/rootfiles/core/170/update.sh >> @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist >> # Start services >> /etc/init.d/rc.d/unbound start >> >> +# Harden mount options of /boot >> +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab >> + >> # This update needs a reboot... >> touch /var/run/need_reboot >> ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations 2022-07-14 9:34 ` Michael Tremer @ 2022-07-14 10:15 ` Peter Müller 2022-07-14 10:17 ` Michael Tremer 0 siblings, 1 reply; 8+ messages in thread From: Peter Müller @ 2022-07-14 10:15 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1794 bytes --] Hello Michael, gee, thank you. :-) Are you otherwise fine with this patch? Thanks, and best regards, Peter Müller > Hello, > > The pointer: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/installer/hw.c;h=12f8e793de49b65afb4d271f10d6d7717e8a8145;hb=HEAD#l1125 > > -Michael > >> On 13 Jul 2022, at 20:48, Peter Müller <peter.mueller(a)ipfire.org> wrote: >> >> Hello *, >> >> additionally, we need to ensure /boot mount options are already written with these flags >> into /etc/fstab on new installations. For flash-images, this is already done in C169, but >> I have yet to investigate where to change things for the ISO files. >> >> Any hints would be appreciated. :-) >> >> Thanks, and best regards, >> Peter Müller >> >> >>> The second version of this patch uses @ instead of / for sed delimiters, >>> which makes the command less hard to read. Since Core Update 170 already >>> requires a reboot at this point, the respective directive is omitted. >>> >>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >>> --- >>> config/rootfiles/core/170/update.sh | 3 +++ >>> 1 file changed, 3 insertions(+) >>> >>> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh >>> index 7dde03060..78a4709bc 100644 >>> --- a/config/rootfiles/core/170/update.sh >>> +++ b/config/rootfiles/core/170/update.sh 
>>> @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist >>> # Start services >>> /etc/init.d/rc.d/unbound start >>> >>> +# Harden mount options of /boot >>> +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab >>> + >>> # This update needs a reboot... >>> touch /var/run/need_reboot >>> > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations 2022-07-14 10:15 ` Peter Müller @ 2022-07-14 10:17 ` Michael Tremer 2022-07-14 10:19 ` Peter Müller 0 siblings, 1 reply; 8+ messages in thread From: Michael Tremer @ 2022-07-14 10:17 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2223 bytes --] Hello, Yes, it isn’t great to edit such files with sed, but there are no other options. I would however prefer to merge it only together with the changes to the installer. Otherwise we are shipping a small change over the course of three updates. -Michael > On 14 Jul 2022, at 11:15, Peter Müller <peter.mueller(a)ipfire.org> wrote: > > Hello Michael, > > gee, thank you. :-) > > Are you otherwise fine with this patch? > > Thanks, and best regards, > Peter Müller > > >> Hello, >> >> The pointer: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/installer/hw.c;h=12f8e793de49b65afb4d271f10d6d7717e8a8145;hb=HEAD#l1125 >> >> -Michael >> >>> On 13 Jul 2022, at 20:48, Peter Müller <peter.mueller(a)ipfire.org> wrote: >>> >>> Hello *, >>> >>> additionally, we need to ensure /boot mount options are already written with these flags >>> into /etc/fstab on new installations. For flash-images, this is already done in C169, but >>> I have yet to investigate where to change things for the ISO files. >>> >>> Any hints would be appreciated. :-) >>> >>> Thanks, and best regards, >>> Peter Müller >>> >>> >>>> The second version of this patch uses @ instead of / for sed delimiters, >>>> which makes the command less hard to read. Since Core Update 170 already >>>> requires a reboot at this point, the respective directive is omitted. >>>> >>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >>>> --- >>>> config/rootfiles/core/170/update.sh | 3 +++ >>>> 1 file changed, 3 insertions(+) 
>>>> >>>> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh >>>> index 7dde03060..78a4709bc 100644 >>>> --- a/config/rootfiles/core/170/update.sh >>>> +++ b/config/rootfiles/core/170/update.sh >>>> @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist >>>> # Start services >>>> /etc/init.d/rc.d/unbound start >>>> >>>> +# Harden mount options of /boot >>>> +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab >>>> + >>>> # This update needs a reboot... >>>> touch /var/run/need_reboot >>>> >> ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations
  2022-07-14 10:17 ` Michael Tremer
@ 2022-07-14 10:19 ` Peter Müller
  2022-07-28 13:29 ` Peter Müller
  0 siblings, 1 reply; 8+ messages in thread
From: Peter Müller @ 2022-07-14 10:19 UTC
To: development

Hello Michael,

> Hello,
>
> Yes, it isn’t great to edit such files with sed, but there are no other options.
>
> I would however prefer to merge it only together with the changes to the installer. Otherwise we are shipping a small change over the course of three updates.

yes, absolutely. I will send in a patch for the installer later today.

Thanks, and best regards,
Peter Müller

>
> -Michael
>
>> On 14 Jul 2022, at 11:15, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> Hello Michael,
>>
>> gee, thank you. :-)
>>
>> Are you otherwise fine with this patch?
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> Hello,
>>>
>>> The pointer: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/installer/hw.c;h=12f8e793de49b65afb4d271f10d6d7717e8a8145;hb=HEAD#l1125
>>>
>>> -Michael
>>>
>>>> On 13 Jul 2022, at 20:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>
>>>> Hello *,
>>>>
>>>> additionally, we need to ensure /boot mount options are already written with these flags
>>>> into /etc/fstab on new installations. For flash-images, this is already done in C169, but
>>>> I have yet to investigate where to change things for the ISO files.
>>>>
>>>> Any hints would be appreciated. :-)
>>>>
>>>> Thanks, and best regards,
>>>> Peter Müller
>>>>
>>>>
>>>>> The second version of this patch uses @ instead of / for sed delimiters,
>>>>> which makes the command less hard to read. Since Core Update 170 already
>>>>> requires a reboot at this point, the respective directive is omitted.
>>>>> >>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >>>>> --- >>>>> config/rootfiles/core/170/update.sh | 3 +++ >>>>> 1 file changed, 3 insertions(+) >>>>> >>>>> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh >>>>> index 7dde03060..78a4709bc 100644 >>>>> --- a/config/rootfiles/core/170/update.sh >>>>> +++ b/config/rootfiles/core/170/update.sh >>>>> @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist >>>>> # Start services >>>>> /etc/init.d/rc.d/unbound start >>>>> >>>>> +# Harden mount options of /boot >>>>> +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab >>>>> + >>>>> # This update needs a reboot... >>>>> touch /var/run/need_reboot >>>>> >>> > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations
  2022-07-14 10:19 ` Peter Müller
@ 2022-07-28 13:29 ` Peter Müller
  2022-07-28 19:41 ` Michael Tremer
  0 siblings, 1 reply; 8+ messages in thread
From: Peter Müller @ 2022-07-28 13:29 UTC
To: development

Hello *,

> Hello Michael,
>
>> Hello,
>>
>> Yes, it isn’t great to edit such files with sed, but there are no other options.
>>
>> I would however prefer to merge it only together with the changes to the installer. Otherwise we are shipping a small change over the course of three updates.
>
> yes, absolutely. I will send in a patch for the installer later today.

https://patchwork.ipfire.org/project/ipfire/patch/de573afc-f8ed-1cf8-949d-822b8801953f(a)ipfire.org/
- here it is, apologies for the tardy response.

Thanks, and best regards,
Peter Müller

>
> Thanks, and best regards,
> Peter Müller
>
>>
>> -Michael
>>
>>> On 14 Jul 2022, at 11:15, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>
>>> Hello Michael,
>>>
>>> gee, thank you. :-)
>>>
>>> Are you otherwise fine with this patch?
>>>
>>> Thanks, and best regards,
>>> Peter Müller
>>>
>>>
>>>> Hello,
>>>>
>>>> The pointer: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/installer/hw.c;h=12f8e793de49b65afb4d271f10d6d7717e8a8145;hb=HEAD#l1125
>>>>
>>>> -Michael
>>>>
>>>>> On 13 Jul 2022, at 20:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>>
>>>>> Hello *,
>>>>>
>>>>> additionally, we need to ensure /boot mount options are already written with these flags
>>>>> into /etc/fstab on new installations. For flash-images, this is already done in C169, but
>>>>> I have yet to investigate where to change things for the ISO files.
>>>>>
>>>>> Any hints would be appreciated. :-)
>>>>>
>>>>> Thanks, and best regards,
>>>>> Peter Müller
>>>>>
>>>>>
>>>>>> The second version of this patch uses @ instead of / for sed delimiters,
>>>>>> which makes the command less hard to read. Since Core Update 170 already
>>>>>> requires a reboot at this point, the respective directive is omitted.
>>>>>>
>>>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >>>>>> --- >>>>>> config/rootfiles/core/170/update.sh | 3 +++ >>>>>> 1 file changed, 3 insertions(+) >>>>>> >>>>>> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh >>>>>> index 7dde03060..78a4709bc 100644 >>>>>> --- a/config/rootfiles/core/170/update.sh >>>>>> +++ b/config/rootfiles/core/170/update.sh >>>>>> @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist >>>>>> # Start services >>>>>> /etc/init.d/rc.d/unbound start >>>>>> >>>>>> +# Harden mount options of /boot >>>>>> +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab >>>>>> + >>>>>> # This update needs a reboot... >>>>>> touch /var/run/need_reboot >>>>>> >>>> >> ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2] Core Update 170: Harden mount options of /boot on existing installations
  2022-07-28 13:29 ` Peter Müller
@ 2022-07-28 19:41 ` Michael Tremer
  0 siblings, 0 replies; 8+ messages in thread
From: Michael Tremer @ 2022-07-28 19:41 UTC
To: development

Looks good to me. You can merge it with the next sweep.

-Michael

> On 28 Jul 2022, at 14:29, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello *,
>
>> Hello Michael,
>>
>>> Hello,
>>>
>>> Yes, it isn’t great to edit such files with sed, but there are no other options.
>>>
>>> I would however prefer to merge it only together with the changes to the installer. Otherwise we are shipping a small change over the course of three updates.
>>
>> yes, absolutely. I will send in a patch for the installer later today.
>
> https://patchwork.ipfire.org/project/ipfire/patch/de573afc-f8ed-1cf8-949d-822b8801953f(a)ipfire.org/
> - here it is, apologies for the tardy response.
>
> Thanks, and best regards,
> Peter Müller
>
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>>
>>> -Michael
>>>
>>>> On 14 Jul 2022, at 11:15, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>
>>>> Hello Michael,
>>>>
>>>> gee, thank you. :-)
>>>>
>>>> Are you otherwise fine with this patch?
>>>>
>>>> Thanks, and best regards,
>>>> Peter Müller
>>>>
>>>>
>>>>> Hello,
>>>>>
>>>>> The pointer: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/installer/hw.c;h=12f8e793de49b65afb4d271f10d6d7717e8a8145;hb=HEAD#l1125
>>>>>
>>>>> -Michael
>>>>>
>>>>>> On 13 Jul 2022, at 20:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>>>
>>>>>> Hello *,
>>>>>>
>>>>>> additionally, we need to ensure /boot mount options are already written with these flags
>>>>>> into /etc/fstab on new installations. For flash-images, this is already done in C169, but
>>>>>> I have yet to investigate where to change things for the ISO files.
>>>>>>
>>>>>> Any hints would be appreciated.
:-) >>>>>> >>>>>> Thanks, and best regards, >>>>>> Peter Müller >>>>>> >>>>>> >>>>>>> The second version of this patch uses @ instead of / for sed delimiters, >>>>>>> which makes the command less hard to read. Since Core Update 170 already >>>>>>> requires a reboot at this point, the respective directive is omitted. >>>>>>> >>>>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >>>>>>> --- >>>>>>> config/rootfiles/core/170/update.sh | 3 +++ >>>>>>> 1 file changed, 3 insertions(+) >>>>>>> >>>>>>> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh >>>>>>> index 7dde03060..78a4709bc 100644 >>>>>>> --- a/config/rootfiles/core/170/update.sh >>>>>>> +++ b/config/rootfiles/core/170/update.sh >>>>>>> @@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist >>>>>>> # Start services >>>>>>> /etc/init.d/rc.d/unbound start >>>>>>> >>>>>>> +# Harden mount options of /boot >>>>>>> +sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot auto defaults,nodev,noexec,nosuid @g" /etc/fstab >>>>>>> + >>>>>>> # This update needs a reboot... >>>>>>> touch /var/run/need_reboot >>>>>>> >>>>> >>> ^ permalink raw reply [flat|nested] 8+ messages in thread