FS#63118 - [arch-install-scripts] genfstab supports /dev/disk/by-path for source identifiers
Attached to Project:
Arch Linux
Opened by dou4cc (dou4cc) - Sunday, 07 July 2019, 23:34 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 22 February 2020, 22:27 GMT
Opened by dou4cc (dou4cc) - Sunday, 07 July 2019, 23:34 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 22 February 2020, 22:27 GMT
|
Details
when not all devices plugged on PC are trustable, UUID
cannot be ensured unique.
|
This task depends upon
Closed by Dave Reisner (falconindy)
Saturday, 22 February 2020, 22:27 GMT
Reason for closing: Won't implement
Additional comments about closing: genfstab doesn't need to support everything, and nothing stops you from editing the generated fstab or not using the tool at all.
Saturday, 22 February 2020, 22:27 GMT
Reason for closing: Won't implement
Additional comments about closing: genfstab doesn't need to support everything, and nothing stops you from editing the generated fstab or not using the tool at all.
What is wrong with uuids, how is using /dev/disk/by-path supposed to solve it, and what is your proposal to get that information in an automated manner?
Note that genfstab already supports any lsblk -o TYPE column as the specifier.
Therefore he'd like to have FS mounted from fstab using the device path ("/dev/disk/by-path/pci-0000:00:12.3-ata-4-part5") etc.
The problem with this (leaving aside any discussion about implications of such attack) is that afaics fstab doesn't support that syntax to begin with (so pointless in genfstab), so instead of fstab you'd have to write some static systemd mount units.
genfstab is not a tool for protecting against some malicious attacker who is sitting in front of your computer plugging in untrusted hardware devices. My suggestion would be to look for the culprit in a mirror! Regardless, anyone who is seriously worried about this sort of attack vector is fully capable of rewriting their fstab by hand to reference udev-dependent paths. I don't see what utility genfstab would gain by adding such an option though.
Am I still missing something? @dou4cc?
> genfstab is not a tool for protecting against some malicious attacker who is sitting in front of your computer plugging in untrusted hardware devices.
in my opinion, booting PC with untrustable flash disk plugged on should be a common, safe practise.
> Oops -- look at that untrusted boot device running malicious code.
well, boot device has to be assumed trustable anyway.
If you want to protect against rando USB devices, then use usbguard. If you still really want to try using by-path in fstab, then do that. I really don't think genfstab needs to support this niche.