[Bug 1881006] Re: Incorrect ESP mount options

Brian Murray 1881006 at bugs.launchpad.net
Tue Apr 13 15:33:41 UTC 2021


Hello Dimitri, or anyone else affected,

Accepted livecd-rootfs into groovy-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/livecd-rootfs/2.694.4 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us in getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-groovy to verification-done-groovy. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-groovy. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: livecd-rootfs (Ubuntu Groovy)
       Status: New => Fix Committed

** Tags added: verification-needed verification-needed-groovy

** Changed in: livecd-rootfs (Ubuntu Focal)
       Status: New => Fix Committed

** Tags added: verification-needed-focal

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubiquity in Ubuntu.
https://bugs.launchpad.net/bugs/1881006

Title:
  Incorrect ESP mount options

Status in cloud-images:
  New
Status in subiquity:
  New
Status in grub2 package in Ubuntu:
  New
Status in livecd-rootfs package in Ubuntu:
  Fix Released
Status in ubiquity package in Ubuntu:
  New
Status in livecd-rootfs source package in Bionic:
  Fix Committed
Status in livecd-rootfs source package in Focal:
  Fix Committed
Status in livecd-rootfs source package in Groovy:
  Fix Committed

Bug description:
  [Impact]

   * For the affected images, the ESP is currently mounted with default
  (0755) permissions. This means anyone can read the ESP partition. This
  can cause security issues as sensitive data might be put in this
  partition[0].

  [Test Plan]

   * Build a UEFI image from the ubuntu-cpc project in livecd-rootfs

   * Launch in KVM

   * Check `/etc/fstab` content

   * Check that mount options are reflected in 'mount' command output

   * Ensure a non-root user cannot access /boot/efi

  [Where problems could occur]

   * Some users can have automation in place to change the mount options.
  This change might break their automation. However, because this change
  is only related to the ESP partition, I don't think a lot of users
  would want to change the default settings.

   * All use cases requiring non-root user to read from this file system
  will be broken. However, given the content of this filesystem, this
  scenario is unlikely and the security benefits should justify this
  risk.

  [original description]

  Previously we decided that ESP should be mounted with umask=0077

  See

  https://git.launchpad.net/ubuntu/+source/partman-efi/commit/fstab.d/efi?id=b141ba7648e66ae80eb58d26d40dd717cfee1904

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770033

  https://bugs.launchpad.net/ubuntu/+source/partman-efi/+bug/1390183

  This is also documented in https://wiki.ubuntu.com/FSTAB

  However, in a GCE instance /boot/efi is not mounted with umask=0077.
  fstab is:

  LABEL=cloudimg-rootfs   /        ext4   defaults        0 0
  LABEL=UEFI      /boot/efi       vfat    defaults        0 0

  And the mount options are:
  (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)

  fstab should be fixed to specify "umask=0077" instead of "defaults"
  for the ESP partition

  also zsys setup in ubiquity does weird explicit
  umask=0022,fmask=0022,dmask=0022 which are the defaults anyway, not
  sure where that got those options from.

  systemd, gpt-auto-generator correctly defaults to umask=0077 for ESP
  mount

  I think subiquity is affected, as it does not set "options:
  'umask=0077'" on the /boot/efi mount in the storage specification.

  [0] https://bugs.launchpad.net/cloud-images/+bug/1881006/comments/11

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-images/+bug/1881006/+subscriptions
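
The fstab and mount-option checks from the test plan above can be scripted. The following is an added example, not part of the bug report or of livecd-rootfs; the function name esp_mask_check and the sample files are hypothetical, and it assumes an unset mask resolves to 0022, as in the mount output quoted in the report.

```shell
#!/bin/sh
# Added example, not from the bug report.
# esp_mask_check FSTAB
#   prints the effective "fmask=NNNN dmask=NNNN" for the vfat /boot/efi entry
#   returns 0 if group/other are fully masked, 1 if not, 2 if no entry found
esp_mask_check() {
    awk '
    function oct(s,   i, n) {           # octal string ("0077") to number
        n = 0
        for (i = 1; i <= length(s); i++) n = n * 8 + substr(s, i, 1)
        return n
    }
    NF == 0 || $1 ~ /^#/ { next }       # skip blank lines and comments
    $2 == "/boot/efi" && $3 == "vfat" {
        found = 1
        # Assumption: with no mask option the result is 0022, as in the
        # mount output quoted in the report.
        fmask = dmask = 18
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {      # options take effect in order
            split(opt[i], kv, "=")
            if (kv[1] == "umask") fmask = dmask = oct(kv[2])
            else if (kv[1] == "fmask") fmask = oct(kv[2])
            else if (kv[1] == "dmask") dmask = oct(kv[2])
        }
        printf "fmask=%04o dmask=%04o\n", fmask, dmask
        # 63 is octal 077: all group/other bits must be masked off
        bad = (fmask % 64 != 63 || dmask % 64 != 63)
    }
    END { if (!found) exit 2; exit bad }
    ' "$1"
}

# Constructed sample input: the fstab quoted in the report, then the same
# file with "defaults" replaced by "umask=0077" on the ESP line.
tmp=$(mktemp -d)
printf '%s\n' 'LABEL=cloudimg-rootfs / ext4 defaults 0 0' \
              'LABEL=UEFI /boot/efi vfat defaults 0 0' > "$tmp/fstab.before"
sed 's/vfat defaults/vfat umask=0077/' "$tmp/fstab.before" > "$tmp/fstab.after"
for f in "$tmp/fstab.before" "$tmp/fstab.after"; do
    if esp_mask_check "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
rm -rf "$tmp"
```

On a booted image, run it against /etc/fstab, then compare with the mount output and a non-root read attempt on /boot/efi as the test plan describes.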


