FS#63118 - [arch-install-scripts] genfstab supports /dev/disk/by-path for source identifiers

Attached to Project: Arch Linux
Opened by dou4cc (dou4cc) - Sunday, 07 July 2019, 23:34 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 22 February 2020, 22:27 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Dave Reisner (falconindy)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

when not all devices plugged on PC are trustable, UUID cannot be ensured unique.
This task depends upon

Closed by  Dave Reisner (falconindy)
Saturday, 22 February 2020, 22:27 GMT
Reason for closing:  Won't implement
Additional comments about closing:  genfstab doesn't need to support everything, and nothing stops you from editing the generated fstab or not using the tool at all.
Comment by dou4cc (dou4cc) - Sunday, 07 July 2019, 23:42 GMT
go to https://bugs.archlinux.org/task/63119.
Comment by dou4cc (dou4cc) - Sunday, 07 July 2019, 23:45 GMT
unable to edit task's title or main body?
Comment by dou4cc (dou4cc) - Monday, 08 July 2019, 00:18 GMT
replaced with https://bugs.archlinux.org/task/63120.
Comment by Eli Schwartz (eschwartz) - Monday, 08 July 2019, 01:10 GMT
  • Field changed: Summary (genfstab supports /dev/disk/by-path for source identifiers → {arch-install-scripts} genfstab supports /dev/disk/by-path for source identifiers)
  • Field changed: Category (Packages: Extra → Arch Projects)
Don't submit the same bug three times, we can fix the title of this one -- but the duplicate bug records are there forever.
Comment by Eli Schwartz (eschwartz) - Monday, 08 July 2019, 01:24 GMT
Despite your submitting the bug three times, I'm still not sure exactly what you want. Each time you said the exact same thing.

What is wrong with uuids, how is using /dev/disk/by-path supposed to solve it, and what is your proposal to get that information in an automated manner?

Note that genfstab already supports any lsblk -o TYPE column as the specifier.
Comment by Thomas Lübking (luebking) - Monday, 08 July 2019, 06:52 GMT
His concern seems to be that a malicious device could offer an intentional UUID collision (easily done, you can just set the FS UUID at generation) and thus you'd end up mounting the wrong device (at random)
Therefore he'd like to have FS mounted from fstab using the device path ("/dev/disk/by-path/pci-0000:00:12.3-ata-4-part5") etc.

The problem with this (leaving aside any discussion about implications of such attack) is that afaics fstab doesn't support that syntax to begin with (so pointless in genfstab), so instead of fstab you'd have to write some static systemd mount units.
Comment by Eli Schwartz (eschwartz) - Monday, 08 July 2019, 07:42 GMT
fstab supports using the actual description "/dev/disk/by-*" -- of course that relied on having something to set up such symlinks. Oops -- look at that untrusted boot device running malicious code.

genfstab is not a tool for protecting against some malicious attacker who is sitting in front of your computer plugging in untrusted hardware devices. My suggestion would be to look for the culprit in a mirror! Regardless, anyone who is seriously worried about this sort of attack vector is fully capable of rewriting their fstab by hand to reference udev-dependent paths. I don't see what utility genfstab would gain by adding such an option though.

Am I still missing something? @dou4cc?
Comment by dou4cc (dou4cc) - Monday, 08 July 2019, 10:49 GMT
sorry for shitposting.

> genfstab is not a tool for protecting against some malicious attacker who is sitting in front of your computer plugging in untrusted hardware devices.

in my opinion, booting PC with untrustable flash disk plugged on should be a common, safe practise.

> Oops -- look at that untrusted boot device running malicious code.

well, boot device has to be assumed trustable anyway.
Comment by dou4cc (dou4cc) - Monday, 08 July 2019, 10:51 GMT
s/plugged on/plugged in/g
Comment by Dave Reisner (falconindy) - Monday, 08 July 2019, 10:55 GMT
path-based addressing isn't stable. Your BIOS is free to reorder these things however it wants, and may do so on every bootup. While this works for *your* use case, it will not work for every use case.

If you want to protect against rando USB devices, then use usbguard. If you still really want to try using by-path in fstab, then do that. I really don't think genfstab needs to support this niche.

Loading...