[systemd-devel] [PATCH 1/2] kernel-install: avoid using 'cp --preserve'

Kay Sievers kay at vrfy.org
Wed Sep 25 18:09:20 PDT 2013


On Thu, Sep 26, 2013 at 2:50 AM, Sébastien Luttringer <seblu at seblu.net> wrote:
> On Thu, Sep 26, 2013 at 1:45 AM, Kay Sievers <kay at vrfy.org> wrote:

>>> On non UEFI systems, world readable rights set by kernel-install matter.
>>
>> Why would that matter?
> On a non-UEFI system your boot partition (when there is one) is almost
> _never_ FAT. It's a "decent" FS like ext{2,3,4} or anything that
> handles group and other permissions.

Ah, sorry, with "matter" you meant they would be used. I read it as
you were saying the permissions would actually matter during bootup.
:)

>>>> If people want special permissions, they can always drop-in their own
>>>> install.d/ callout to mangle them.
>>> This means maintaining its own generator,
>>
>> It's not a generator, they are different things in systemd. It would
>> just be a /usr/lib/kernel/install.d/*.install snippet.
> Yes it's a mistake, I realized too late, sorry.
> But the meaning is the same: copying the
> /usr/lib/kernel/install.d/90-loaderentry.install into /etc and keeping
> track of upgrades of the original file only to edit perms is a waste of
> time.

No need to track, it would be more like
/etc/kernel/install.d/99-my-custom-stuff.install

> What bugs me is the message: Enforce root read only for /boot.
> To be coherent, this should also apply to directories and files in /boot.
> Thus, other *.install files will be inspired by what the default
> systemd scripts do.
> As a consequence, initrd hooks will make my initrd not readable. We
> can avoid that with a sane default here.

Yeah, it sounds right to restrict access with the mount options of
/boot and not with the file permissions inside it.

We actually do not want by default that ordinary users are able to
read the initrd or the boot loader config, as they can contain
passwords or other sensitive data.

Kay
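
A sketch of the kind of drop-in the message mentions, added here as an example and not part of the original message or of systemd: a /etc/kernel/install.d/99-my-custom-stuff.install snippet that only adjusts permissions after the stock plugins have run. It assumes the kernel-install plugin arguments (COMMAND KERNEL_VERSION ENTRY_DIR_ABS KERNEL_IMAGE); the function names and the owner-only policy are illustrative choices.

```shell
#!/bin/sh
# /etc/kernel/install.d/99-my-custom-stuff.install (file name from the message)
# Assumed calling convention: COMMAND KERNEL_VERSION ENTRY_DIR_ABS KERNEL_IMAGE
# The "99-" prefix makes this run after 90-loaderentry.install, so the stock
# plugin stays untouched and upgrades to it need no tracking.

# Hypothetical helper: make everything below one entry directory owner-only.
# Returns non-zero when the directory does not exist.
restrict_entry_perms() {
    entry_dir=$1
    [ -d "$entry_dir" ] || return 1
    # Directories keep owner rwx so they stay traversable for root.
    find "$entry_dir" -type d -exec chmod 0700 {} +
    # Kernel, initrd and loader files: owner read/write only.
    find "$entry_dir" -type f -exec chmod 0600 {} +
}

# Hypothetical helper: print paths still readable by group or other.
# Empty output means nothing under the directory is exposed.
list_exposed() {
    find "$1" \( -perm -0040 -o -perm -0004 \) -print
}

case "${1:-}" in
    add)
        # Skip quietly if the entry directory was never created.
        if restrict_entry_perms "${3:-}"; then
            exposed=$(list_exposed "$3")
            if [ -n "$exposed" ]; then
                # On filesystems without POSIX modes (e.g. FAT) chmod cannot
                # help; there only the mount options of /boot restrict access.
                echo "99-my-custom-stuff: still readable by non-owners:" >&2
                echo "$exposed" >&2
            fi
        fi
        ;;
    remove)
        # Nothing to do: the entry directory is deleted by the stock plugins.
        ;;
esac
```
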

