[Bug 1881006] Re: Incorrect ESP mount options
Gauthier Jolly
1881006 at bugs.launchpad.net
Wed Mar 17 16:25:29 UTC 2021
** Description changed:
+ [Impact]
+
+ * For the affected images`, the ESP is currently mounted with default
+ (0755) permissions. This means anyone can read the ESP partition. This
+ can cause security issues as sensitive data might be put in this
+ partition[0]
+
+ [Test Plan]
+
+ * Build an uefi image from the ubuntu-cpc project in livecd-rootfs
+
+ * Launch in KVM
+
+ * Check `/etc/fstab` content
+
+ * Check that mount options are reflected in 'mount' command output
+
+ * Ensure a non-root user can not access /boot/efi
+
+ [Where problems could occur]
+
+ * Some users can have automation in place change the mount options.
+ This change might break their automation. However, because this change
+ is only related to the ESP partition, I don't think a lot of users would
+ want to change the default settings.
+
+ * All use cases requiring non-root user to read from this file system
+ will be broken. However, given the content of this filesystem, this
+ scenario is unlikely and the security benefits should justify this risk.
+
+ [original description]
+
Previously we decided that ESP should be mounted with umask=0077
See
https://git.launchpad.net/ubuntu/+source/partman-
efi/commit/fstab.d/efi?id=b141ba7648e66ae80eb58d26d40dd717cfee1904
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770033
https://bugs.launchpad.net/ubuntu/+source/partman-efi/+bug/1390183
This is also documented in https://wiki.ubuntu.com/FSTAB
However, in GCE instance /boot/efi is not mounted with umask=0077
fstab is:
LABEL=cloudimg-rootfs / ext4 defaults 0 0
LABEL=UEFI /boot/efi vfat defaults 0 0
And in mount options are:
(rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
fstab should be fixed to specify "umask=0077" instead of "defaults" for
the ESP partition
also zsys setup in ubiquity does weird explicit
umask=0022,fmask=0022,dmask=0022 which are the defaults anyway, not sure
where that got those options from.
systemd, gpt-auto-generator correctly defaults to umask=0077 for ESP
mount
I think subiquity is affected, as it does not set "options:
'umask=0077'" on the /boot/efi mount in the storage specification.
+
+ [0] https://bugs.launchpad.net/cloud-images/+bug/1881006/comments/11
** Description changed:
[Impact]
- * For the affected images`, the ESP is currently mounted with default
+ * For the affected images, the ESP is currently mounted with default
(0755) permissions. This means anyone can read the ESP partition. This
can cause security issues as sensitive data might be put in this
partition[0]
[Test Plan]
- * Build an uefi image from the ubuntu-cpc project in livecd-rootfs
+ * Build an uefi image from the ubuntu-cpc project in livecd-rootfs
- * Launch in KVM
+ * Launch in KVM
- * Check `/etc/fstab` content
+ * Check `/etc/fstab` content
- * Check that mount options are reflected in 'mount' command output
+ * Check that mount options are reflected in 'mount' command output
- * Ensure a non-root user can not access /boot/efi
+ * Ensure a non-root user can not access /boot/efi
[Where problems could occur]
- * Some users can have automation in place change the mount options.
+ * Some users can have automation in place change the mount options.
This change might break their automation. However, because this change
is only related to the ESP partition, I don't think a lot of users would
want to change the default settings.
- * All use cases requiring non-root user to read from this file system
+ * All use cases requiring non-root user to read from this file system
will be broken. However, given the content of this filesystem, this
scenario is unlikely and the security benefits should justify this risk.
[original description]
Previously we decided that ESP should be mounted with umask=0077
See
https://git.launchpad.net/ubuntu/+source/partman-
efi/commit/fstab.d/efi?id=b141ba7648e66ae80eb58d26d40dd717cfee1904
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770033
https://bugs.launchpad.net/ubuntu/+source/partman-efi/+bug/1390183
This is also documented in https://wiki.ubuntu.com/FSTAB
However, in GCE instance /boot/efi is not mounted with umask=0077
fstab is:
LABEL=cloudimg-rootfs / ext4 defaults 0 0
LABEL=UEFI /boot/efi vfat defaults 0 0
And in mount options are:
(rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
fstab should be fixed to specify "umask=0077" instead of "defaults" for
the ESP partition
also zsys setup in ubiquity does weird explicit
umask=0022,fmask=0022,dmask=0022 which are the defaults anyway, not sure
where that got those options from.
systemd, gpt-auto-generator correctly defaults to umask=0077 for ESP
mount
I think subiquity is affected, as it does not set "options:
'umask=0077'" on the /boot/efi mount in the storage specification.
[0] https://bugs.launchpad.net/cloud-images/+bug/1881006/comments/11
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubiquity in Ubuntu.
https://bugs.launchpad.net/bugs/1881006
Title:
Incorrect ESP mount options
Status in cloud-images:
New
Status in subiquity:
New
Status in grub2 package in Ubuntu:
New
Status in livecd-rootfs package in Ubuntu:
Fix Released
Status in ubiquity package in Ubuntu:
New
Bug description:
[Impact]
* For the affected images, the ESP is currently mounted with default
(0755) permissions. This means anyone can read the ESP partition. This
can cause security issues as sensitive data might be put in this
partition[0]
[Test Plan]
* Build an uefi image from the ubuntu-cpc project in livecd-rootfs
* Launch in KVM
* Check `/etc/fstab` content
* Check that mount options are reflected in 'mount' command output
* Ensure a non-root user can not access /boot/efi
[Where problems could occur]
* Some users can have automation in place change the mount options.
This change might break their automation. However, because this change
is only related to the ESP partition, I don't think a lot of users
would want to change the default settings.
* All use cases requiring non-root user to read from this file system
will be broken. However, given the content of this filesystem, this
scenario is unlikely and the security benefits should justify this
risk.
[original description]
Previously we decided that ESP should be mounted with umask=0077
See
https://git.launchpad.net/ubuntu/+source/partman-
efi/commit/fstab.d/efi?id=b141ba7648e66ae80eb58d26d40dd717cfee1904
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770033
https://bugs.launchpad.net/ubuntu/+source/partman-efi/+bug/1390183
This is also documented in https://wiki.ubuntu.com/FSTAB
However, in GCE instance /boot/efi is not mounted with umask=0077
fstab is:
LABEL=cloudimg-rootfs / ext4 defaults 0 0
LABEL=UEFI /boot/efi vfat defaults 0 0
And in mount options are:
(rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
fstab should be fixed to specify "umask=0077" instead of "defaults"
for the ESP partition
also zsys setup in ubiquity does weird explicit
umask=0022,fmask=0022,dmask=0022 which are the defaults anyway, not
sure where that got those options from.
systemd, gpt-auto-generator correctly defaults to umask=0077 for ESP
mount
I think subiquity is affected, as it does not set "options:
'umask=0077'" on the /boot/efi mount in the storage specification.
[0] https://bugs.launchpad.net/cloud-images/+bug/1881006/comments/11
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-images/+bug/1881006/+subscriptions
More information about the foundations-bugs
mailing list