Add nodev, nosuid, and noexec options to fstab

Bug #1664924 reported by Luke Hinds
Affects: diskimage-builder
Status: Fix Released
Importance: Undecided
Assigned to: Yolanda Robla
Milestone: (empty)

Bug Description

nodev, nosuid, and noexec are fstab options/(flags?) that can improve the security of partitions.

Rationale for each option:

The nodev mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set nodev on these filesystems.

The nosuid mount option can be used to prevent execution of setuid programs from partitions such as temp.

Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise. The noexec mount option can be used to prevent binaries from being executed out of /tmp.

Each of the above is also a requirement in security compliance governance bodies, such as CIS, DISA-STIG etc.

It would be ideal if config directives were present in diskimage-builder, to allow an operator to set those values during image building.

Further reading:

http://hashdump.org/wiki/linux/hardening/partitions.html

https://wiki.centos.org/HowTos/OS_Protection#head-7e30c59c22152e9808c2e0b95ceec1382456d35c

Changed in diskimage-builder:
assignee: nobody → Andreas Florath (ansreas)
status: New → In Progress
Revision history for this message
Andreas Florath (ansreas) wrote :

The latest patch of [1] includes the possibility to define options for fstab, like:

- partitioning:
    base: image0
    label: mbr
    partitions:
      - name: home
        size: 100M
        mkfs:
          type: xfs
          uuid: b96d9c0d-e813-4502-90a6-94ca91f2f4da
          mount:
            mount_point: /home
            fstab:
              options: nodev,nosuid
              fsck-passno: 2

Note: it is currently marked as WIP because it is based on the DIB V2 branch which hopefully will be released in the next few days.

[1] https://review.openstack.org/#/c/426618/
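An added audit example (not part of the bug report, the patch, or diskimage-builder) that checks an fstab for the nodev/nosuid/noexec options described in the bug description, using the /home policy from the YAML snippet above and the /tmp rationale from the report. The policy table and the sample fstab are constructed for illustration; a real image would be checked by running this over its /etc/fstab after the build.

```python
"""Audit an fstab for missing nodev/nosuid/noexec mount options.

Added example, not code from the bug report or from diskimage-builder.
The POLICY table and SAMPLE_FSTAB below are constructed for illustration.
"""

# Constructed policy: hardening options each mount point should carry.
# /tmp follows the report's rationale (no devices, no setuid, no execution);
# /home mirrors the options used in the DIB YAML example in this bug.
POLICY = {
    "/tmp": {"nodev", "nosuid", "noexec"},
    "/home": {"nodev", "nosuid"},
}

# Constructed sample fstab content used as input (UUIDs are placeholders).
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=1111-aaaa  /      ext4  defaults               0 1
UUID=2222-bbbb  /home  xfs   defaults,nodev,nosuid  0 2
tmpfs           /tmp   tmpfs defaults               0 0
"""


def parse_fstab(text):
    """Return {mount_point: set(options)} for every non-comment fstab line."""
    mounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed: fewer than the four mandatory fstab fields
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def audit(mounts, policy=POLICY):
    """Return {mount_point: sorted missing options}; empty dict = compliant."""
    findings = {}
    for mount_point, required in policy.items():
        if mount_point not in mounts:
            continue  # not a separate partition here, so nothing to check
        missing = required - mounts[mount_point]
        if missing:
            findings[mount_point] = sorted(missing)
    return findings


if __name__ == "__main__":
    for mp, missing in audit(parse_fstab(SAMPLE_FSTAB)).items():
        print(f"{mp}: missing {','.join(missing)}")
```

Mount points absent from the fstab are skipped deliberately: a directory that is not its own partition inherits the root filesystem's options and cannot be hardened this way, which is exactly why the report asks for separate partitions with their own fstab entries.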

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to diskimage-builder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/444118

Changed in diskimage-builder:
assignee: Andreas Florath (ansreas) → Yolanda Robla (yolanda.robla)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on diskimage-builder (master)

Change abandoned by yolanda.robla (<email address hidden>) on branch: master
Review: https://review.openstack.org/444118

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to diskimage-builder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/444586

Changed in diskimage-builder:
assignee: Yolanda Robla (yolanda.robla) → Andreas Florath (ansreas)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on diskimage-builder (feature/v2)

Change abandoned by Andreas Florath (<email address hidden>) on branch: feature/v2
Review: https://review.openstack.org/426618

Revision history for this message
Andreas Florath (ansreas) wrote :

Sorry for the spam generated while moving the patch from the feature/v2 branch to the master branch; the patch to go for is now: https://review.openstack.org/444586

Changed in diskimage-builder:
assignee: Andreas Florath (ansreas) → Yolanda Robla (yolanda.robla)
Changed in diskimage-builder:
assignee: Yolanda Robla (yolanda.robla) → Andreas Florath (ansreas)
Changed in diskimage-builder:
assignee: Andreas Florath (ansreas) → Yolanda Robla (yolanda.robla)
Changed in diskimage-builder:
assignee: Yolanda Robla (yolanda.robla) → Andreas Florath (ansreas)
Changed in diskimage-builder:
assignee: Andreas Florath (ansreas) → Yolanda Robla (yolanda.robla)
Changed in diskimage-builder:
assignee: Yolanda Robla (yolanda.robla) → Andreas Florath (ansreas)
Changed in diskimage-builder:
assignee: Andreas Florath (ansreas) → Yolanda Robla (yolanda.robla)
Changed in diskimage-builder:
assignee: Yolanda Robla (yolanda.robla) → Ian Wienand (iwienand)
Changed in diskimage-builder:
assignee: Ian Wienand (iwienand) → Yolanda Robla (yolanda.robla)
Changed in diskimage-builder:
assignee: Yolanda Robla (yolanda.robla) → Andreas Florath (ansreas)
Changed in diskimage-builder:
assignee: Andreas Florath (ansreas) → Ian Wienand (iwienand)
Changed in diskimage-builder:
assignee: Ian Wienand (iwienand) → Yolanda Robla (yolanda.robla)
Changed in diskimage-builder:
assignee: Yolanda Robla (yolanda.robla) → Ian Wienand (iwienand)
Changed in diskimage-builder:
assignee: Ian Wienand (iwienand) → Yolanda Robla (yolanda.robla)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to diskimage-builder (master)

Reviewed: https://review.openstack.org/444586
Committed: https://git.openstack.org/cgit/openstack/diskimage-builder/commit/?id=e4e23897a13a3f3b9d28cc8d288990ab0fcc5b92
Submitter: Jenkins
Branch: master

commit e4e23897a13a3f3b9d28cc8d288990ab0fcc5b92
Author: Andreas Florath <email address hidden>
Date: Sun Jan 29 23:52:40 2017 +0000

    Refactor: block-device filesystem creation, mount and fstab

    This patch finalizes the block device refactoring. It moves the three
    remaining levels (filesystem creation, mount and fstab handling) into
    the new python module.

    Now it is possible to use any number of disk images, any number of
    partitions and used them mounted to different directories.

    Notes:

     * unmount_dir : modified to only unmount the subdirs mounted by
       mount_proc_sys_dev(). dib-block-device unmounts
       $TMP_MOUNT_PATH/mnt (see I85e01f3898d3c043071de5fad82307cb091a64a9)

    Change-Id: I592c0b1329409307197460cfa8fd69798013f1f8
    Signed-off-by: Andreas Florath <email address hidden>
    Closes-Bug: #1664924

Changed in diskimage-builder:
status: In Progress → Fix Released