Incorrect ESP mount options
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| cloud-images | New | Undecided | Unassigned | |
| subiquity | New | Undecided | Unassigned | |
| grub2 (Ubuntu) | New | Undecided | Unassigned | |
| livecd-rootfs (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Xenial | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Groovy | Fix Released | Undecided | Unassigned | |
| ubiquity (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
[Impact]
* For the affected images, the ESP is currently mounted with the default permissions (0755), so any user can read the ESP partition. This can cause security issues, as sensitive data might be placed in this partition [0].
[Test Plan]
* Build a UEFI image from the ubuntu-cpc project in livecd-rootfs
* Launch it in KVM
* Check the `/etc/fstab` content
* Check that the mount options are reflected in the `mount` command output
* Ensure a non-root user cannot access `/boot/efi`
[Where problems could occur]
* Some users may have automation in place that changes the mount options; this change might break that automation. However, because the change only affects the ESP partition, I don't think many users would want to change the default settings.
* Any use case that requires a non-root user to read from this filesystem will break. However, given the content of this filesystem, that scenario is unlikely and the security benefits should justify the risk.
[original description]
Previously we decided that ESP should be mounted with umask=0077
See
https:/
https:/
This is also documented in https:/
However, in GCE instance /boot/efi is not mounted with umask=0077
fstab is:
LABEL=cloudimg-
LABEL=UEFI /boot/efi vfat defaults 0 0
And the mount options are:
(rw,relatime,
fstab should be fixed to specify "umask=0077" instead of "defaults" for the ESP partition.
Also, the zsys setup in ubiquity does a weird explicit umask=0022,
while systemd's gpt-auto-generator correctly defaults to umask=0077 for the ESP mount.
I think subiquity is affected, as it does not set "options: 'umask=0077'" on the /boot/efi mount in the storage specification.
[0] https:/
Related branches
- Robert C Jennings (community): Approve
  Diff: 29 lines (+10/-1), 2 files modified: debian/changelog (+9/-0), live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary (+1/-1)
- Robert C Jennings (community): Approve
  Diff: 29 lines (+10/-1), 2 files modified: debian/changelog (+9/-0), live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary (+1/-1)
- Robert C Jennings (community): Approve
  Diff: 29 lines (+10/-1), 2 files modified: debian/changelog (+9/-0), live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary (+1/-1)
- Robert C Jennings (community): Approve
  Diff: 29 lines (+10/-1), 2 files modified: debian/changelog (+9/-0), live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary (+1/-1)
- Robert C Jennings: Pending requested
  Diff: 109 lines (+48/-19) (has conflicts), 2 files modified: debian/changelog (+44/-19), live-build/ubuntu-cpc/hooks.d/chroot/999-cpc-fixes.chroot (+4/-0)
- Robert C Jennings (community): Approve; Ubuntu Core Development Team: Pending requested
  Diff: 41 lines (+9/-2), 3 files modified: debian/changelog (+7/-0), live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary (+1/-1), live-build/ubuntu-cpc/hooks.d/chroot/999-cpc-fixes.chroot (+1/-1)
description: updated
tags: added: easy
information type: Private Security → Public Security
description: updated
tags: added: verification-done-focal verification-done-groovy verification-done-xenial; removed: verification-needed-focal verification-needed-groovy verification-needed-xenial
> Previously we decided that ESP should be mounted with umask=0077
I don't agree that this was ever a decision we consciously made; the previous bug report never mentioned what umask we would change it to, it only says that world-writable is incorrect.
But I think that files on the ESP should be world-readable by default, so umask=0077 is also wrong.
The ideal settings for this vfat filesystem would be dmask=0022, fmask=0133 for traversable directories and files that are world-readable but executable by no one.
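As an added example (not part of the bug report or of any linked branch), the script below performs the fstab check from the Test Plan and works through the vfat mode arithmetic behind the umask=0077 setting from the report and the dmask=0022,fmask=0133 setting proposed in this comment. The fstab sample is constructed, and the umask of the mounting process is assumed to be 0022, which is the value that makes a plain `defaults` vfat entry come out as 0755.

```shell
#!/bin/sh
# Added example, not part of the bug report or the linked branches.
# Assumption: the process performing the mount runs with umask 0022, which is
# what turns a plain "defaults" vfat entry into the 0755 permissions the report describes.

# Constructed sample fstab. Line 2 mirrors the GCE entry quoted in the report,
# line 3 is the umask=0077 fix, line 4 the dmask/fmask variant from the comment.
SAMPLE_FSTAB='LABEL=root-example /         ext4 defaults              0 0
LABEL=UEFI         /boot/efi vfat defaults              0 0
LABEL=ESP-FIXED    /mnt/esp1 vfat umask=0077            0 0
LABEL=ESP-READABLE /mnt/esp2 vfat dmask=0022,fmask=0133 0 0'

# Octal string to decimal (printf parses a leading 0 as octal).
oct2dec() { printf '%d' "0$1"; }

# Resolve the effective file and directory modes for a vfat option string,
# following the kernel's vfat rules: fmask/dmask override umask, and umask
# falls back to the process umask (assumed 0022). Sets VFAT_FILES/VFAT_DIRS
# (decimal) and prints "files=MMMM dirs=MMMM" in octal.
vfat_modes() {
    opts=$1; u=0022; f=''; d=''
    saved_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            umask=*) u=${o#umask=} ;;
            fmask=*) f=${o#fmask=} ;;
            dmask=*) d=${o#dmask=} ;;
        esac
    done
    IFS=$saved_ifs
    [ -n "$f" ] || f=$u
    [ -n "$d" ] || d=$u
    VFAT_FILES=$(( 511 & ~$(oct2dec "$f") ))   # 511 is 0777
    VFAT_DIRS=$(( 511 & ~$(oct2dec "$d") ))
    printf 'files=%04o dirs=%04o\n' "$VFAT_FILES" "$VFAT_DIRS"
}

# Walk fstab text and print "<mountpoint> <options> <verdict>" for every vfat
# mount. "restricted" means neither files nor directories carry the world-read
# bit (the umask=0077 outcome the bug asks for); otherwise "world-readable".
audit_esp() {
    printf '%s\n' "$1" | while read -r src mnt fstype opts rest; do
        case $src in ''|'#'*) continue ;; esac
        [ "$fstype" = vfat ] || continue
        vfat_modes "$opts" >/dev/null
        if [ $(( (VFAT_FILES | VFAT_DIRS) & 4 )) -eq 0 ]; then
            verdict=restricted
        else
            verdict=world-readable
        fi
        printf '%s %s %s\n' "$mnt" "$opts" "$verdict"
    done
}

# Stand-alone run: audit the constructed sample.
audit_esp "$SAMPLE_FSTAB"
```

On a real system the same check is `audit_esp "$(cat /etc/fstab)"`, and the `mount` output for `/boot/efi` should show the same `umask`, `fmask` or `dmask` values the function resolved; `vfat_modes dmask=0022,fmask=0133` reports `files=0644 dirs=0755`, which is the world-readable, nowhere-executable layout the comment describes, while `umask=0077` reports `files=0700 dirs=0700`.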