Re: Mounting EFI partition: default to `uid=0,gid=0`
Hi,

On 09/11/2023 at 17:36, Danny van Heumen wrote:
> I recently discovered that `/boot/efi`, being a FAT partition, is mounted with an implicit owner and group, because FAT cannot store permissions. For the default use case, `/boot/efi` is mounted automatically during boot, so there is little risk. With different mount options, this may become an issue.
>
> Was it ever considered to add `uid=0,gid=0` as default mount options for the EFI System Partition (ESP)?

Which use cases would this be useful for?
Re: Mounting EFI partition: default to `uid=0,gid=0`
Hi,

Resending, as I forgot to reply to the list. Response in line.

On Thursday, 9 November 2023 at 20:52, Pascal Hambourg wrote:

> Hi,
>
> On 09/11/2023 at 17:36, Danny van Heumen wrote:
>
> > I recently discovered that `/boot/efi`, being a FAT partition, is mounted with an implicit owner and group, because FAT cannot store permissions. For the default use case, `/boot/efi` is mounted automatically during boot, so there is little risk. With different mount options, this may become an issue.
> >
> > Was it ever considered to add `uid=0,gid=0` as default mount options for the EFI System Partition (ESP)?

I would argue that this should be independent of use case, that is you would want to ensure the ESP is always accessed as root. (Same as for example the `umask=0077` setting that I think is already part of the install.)

Apart from that, I was experimenting with having /boot not auto-mounted, but only mounted manually when performing system updates.

> Which use cases would this be useful for?
Re: Mounting EFI partition: default to `uid=0,gid=0`
Hi,

AFAICT, there was no follow-up to this. Does this mean that it is preferred that ownership is determined solely by the user who mounts the EFI partition?

Regards,
Danny

On Friday, 10 November 2023 at 03:07, Danny van Heumen wrote:

> Hi,
>
> Resending, as I forgot to reply to the list. Response in line.
>
> On Thursday, 9 November 2023 at 20:52, Pascal Hambourg pas...@plouf.fr.eu.org wrote:
>
> > Hi,
> >
> > On 09/11/2023 at 17:36, Danny van Heumen wrote:
> >
> > > I recently discovered that `/boot/efi`, being a FAT partition, is mounted with an implicit owner and group, because FAT cannot store permissions. For the default use case, `/boot/efi` is mounted automatically during boot, so there is little risk. With different mount options, this may become an issue.
> > >
> > > Was it ever considered to add `uid=0,gid=0` as default mount options for the EFI System Partition (ESP)?
>
> I would argue that this should be independent of use case, that is you would want to ensure the ESP is always accessed as root. (Same as for example the `umask=0077` setting that I think is already part of the install.)
>
> Apart from that, I was experimenting with having /boot not auto-mounted, but only mounted manually when performing system updates.
>
> > Which use cases would this be useful for?
Re: Mounting EFI partition: default to `uid=0,gid=0`
On Tue, Nov 21, 2023 at 03:16:42PM +, Danny van Heumen wrote:
> Hi,
>
> AFAICT, there was no follow-up to this. Does this mean that it is preferred that ownership is determined solely by the user who mounts the EFI partition?

In normal use, the EFI partition isn't mounted by a user. What are you trying to solve here?

--
Steve McIntyre, Cambridge, UK. st...@einval.com
<Aardvark> I dislike C++ to start with. C++11 just seems to be handing rope-creating factories for users to hang multiple instances of themselves.
Re: Mounting EFI partition: default to `uid=0,gid=0`
Hi,

see in-line.

Original Message
On Nov 21, 2023, 4:59 PM, Steve McIntyre <st...@einval.com> wrote:

> On Tue, Nov 21, 2023 at 03:16:42PM +, Danny van Heumen wrote:
> > Hi,
> >
> > AFAICT, there was no follow-up to this. Does this mean that it is preferred that ownership is determined solely by the user who mounts the EFI partition?
>
> In normal use, the EFI partition isn't mounted by a user. What are you trying to solve here?

I wanted to make the partition user-mountable such that I can mount it before upgrading packages. The partition would not be mounted by default. (`noauto,users`) Then I found out that it defaults to ownership of mounting users, which is not good.

As I mentioned previously, I would argue that the ESP should always mount with owner 0, even if my use case/experiment itself is an outlier. I spotted my mistake, but was surprised by how owner is chosen (in such a case).

Yes, even when using sudo this shouldn't be a problem, however the behavior does deviate from other filesystems which have their own permission bits therefore have "protection" (maybe a strong word) against this situation.

> --
> Steve McIntyre, Cambridge, UK. st...@einval.com
> <Aardvark> I dislike C++ to start with. C++11 just seems to be handing rope-creating factories for users to hang multiple instances of themselves.
Re: Mounting EFI partition: default to `uid=0,gid=0`
[ Argh, please turn off the crappy auto-encryption with your protonmail setup. It's utterly pointless when discussion is going to a mailing list too... ]

Hi Danny,

On Tue, Nov 21, 2023 at 07:20:31PM +, Danny van Heumen wrote:
> On Nov 21, 2023, 4:59 PM, Steve McIntyre <st...@einval.com> wrote:
> > In normal use, the EFI partition isn't mounted by a user. What are you trying to solve here?
>
> I wanted to make the partition user-mountable such that I can mount it before upgrading packages. The partition would not be mounted by default. (`noauto,users`) Then I found out that it defaults to ownership of mounting users, which is not good.
>
> As I mentioned previously, I would argue that the ESP should always mount with owner 0, even if my use case/experiment itself is an outlier. I spotted my mistake, but was surprised by how owner is chosen (in such a case).
>
> Yes, even when using sudo this shouldn't be a problem, however the behavior does deviate from other filesystems which have their own permission bits therefore have "protection" (maybe a strong word) against this situation.

Debian's standard installation setup works here as expected. If you want to break that, then I think it's up to you to handle the consequences I'm afraid. You've *already* modified the fstab to do what you want, you get to make the other changes you want too. OK?

--
Steve McIntyre, Cambridge, UK. st...@einval.com
The two hard things in computing:
 * naming things
 * cache invalidation
 * off-by-one errors -- Stig Sandbeck Mathisen
Re: Mounting EFI partition: default to `uid=0,gid=0`
Hi,

I will look into this setting. Thanks for pointing this out.

Now, to rewind to the original question, because my use case distracts from my question: I noticed that the mount-configuration in `/etc/fstab`, by default, relies on an *implicit* assumption for the ownership of the ESP to /boot/efi, i.e. 'root' (uid 0) only because it is executed as part of the boot process.

Is this intentional? (i.e. was this considered?) I am guessing the answer is 'yes', given that you immediately skip this and focus on pointing out my actions which helped to discover this assumption/implicit behavior. I will consider my question answered then.

Kind regards,
Danny

On Tuesday, 21 November 2023 at 20:56, Steve McIntyre wrote:

> [ Argh, please turn off the crappy auto-encryption with your protonmail setup. It's utterly pointless when discussion is going to a mailing list too... ]
>
> Hi Danny,
>
> On Tue, Nov 21, 2023 at 07:20:31PM +, Danny van Heumen wrote:
>
> > On Nov 21, 2023, 4:59 PM, Steve McIntyre <st...@einval.com> wrote:
> >
> > > In normal use, the EFI partition isn't mounted by a user. What are you trying to solve here?
> >
> > I wanted to make the partition user-mountable such that I can mount it before upgrading packages. The partition would not be mounted by default. (`noauto,users`) Then I found out that it defaults to ownership of mounting users, which is not good.
> >
> > As I mentioned previously, I would argue that the ESP should always mount with owner 0, even if my use case/experiment itself is an outlier. I spotted my mistake, but was surprised by how owner is chosen (in such a case).
> >
> > Yes, even when using sudo this shouldn't be a problem, however the behavior does deviate from other filesystems which have their own permission bits therefore have "protection" (maybe a strong word) against this situation.
>
> Debian's standard installation setup works here as expected. If you want to break that, then I think it's up to you to handle the consequences I'm afraid. You've already modified the fstab to do what you want, you get to make the other changes you want too. OK?
>
> --
> Steve McIntyre, Cambridge, UK. st...@einval.com
> The two hard things in computing:
>  * naming things
>  * cache invalidation
>  * off-by-one errors -- Stig Sandbeck Mathisen
Re: Mounting EFI partition: default to `uid=0,gid=0`
On 21/11/2023 at 21:35, Danny van Heumen wrote:
> I noticed that the mount-configuration in `/etc/fstab`, by default, relies on an *implicit* assumption for the ownership of the ESP to /boot/efi, i.e. 'root' (uid 0) only because it is executed as part of the boot process.

There is no implicit assumption. The default mount options set up by the installer command that the ESP is automatically mounted at startup, resulting in root ownership. There is no need to add uid and gid mount options.

I agree with Steve: if *you* choose to change the default mount options with "noauto,users", *you* should deal with the consequences and add other mount options if needed.

But I believe that your use case is wrong anyway: upgrading packages requires root privileges so mounting the ESP as a normal user should not be needed. Instead you may use dpkg's pre-invoke and post-invoke options or apt's Pre-Invoke and Post-Invoke options to mount and unmount the ESP, like what can be done to remount /usr read-write during package upgrades on systems where it is mounted read-only by default.
Re: Mounting EFI partition: default to `uid=0,gid=0`
On Tue, 21 Nov 2023 22:12:31 +0100 Pascal Hambourg wrote:

I'm afraid I have to read much more about d-i. Especially partitioning. But where to start?

Ciao
Re: Mounting EFI partition: default to `uid=0,gid=0`
On 22/11/2023 at 00:54, y...@vienna.at wrote:
> I'm afraid I have to read much more about d-i. Especially partitioning. But where to start?

The debian-installer package contains some documentation (maybe incomplete and outdated) about partman, the d-i partitioning tool. But I do not see the relationship with this discussion.

The script fstab.d/efi in installer udeb package partman-efi writes

    UUID=- /boot/efi vfat umask=0077 0 1

to the target /etc/fstab. It means that the ESP is automatically mounted at startup and cannot be mounted by a regular user, so the default ownership is root:root and there is no need to force uid=0,gid=0.
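
The distinction discussed in this thread can be checked mechanically. The following is an added example, not part of the thread and not Debian installer code: a shell function (the name `audit_fstab` and the sample entries are constructed) that reads an fstab-format file and flags vfat entries that allow mounting by a regular user without both `uid=0` and `gid=0`.

```shell
#!/bin/sh
# Added example: audit an fstab-format file for vfat entries (such as the ESP)
# that a regular user may mount without ownership pinned to root.

# audit_fstab FILE
# Prints "<mountpoint> <verdict>" for every vfat entry:
#   ok    - not user-mountable, or user-mountable with uid=0 and gid=0
#   risky - user-mountable and uid/gid are not both set to 0
audit_fstab() {
    awk '
    $1 ~ /^#/ || NF < 4 { next }        # skip comments and incomplete lines
    $3 != "vfat"        { next }        # only FAT, which stores no ownership
    {
        n = split($4, opt, ",")
        usermount = 0; uid = ""; gid = ""
        for (i = 1; i <= n; i++) {
            # options that let a non-root user perform the mount
            if (opt[i] == "user" || opt[i] == "users" ||
                opt[i] == "owner" || opt[i] == "group")
                usermount = 1
            else if (opt[i] ~ /^uid=/) uid = substr(opt[i], 5)
            else if (opt[i] ~ /^gid=/) gid = substr(opt[i], 5)
        }
        verdict = (usermount && !(uid == "0" && gid == "0")) ? "risky" : "ok"
        print $2, verdict
    }' "$1"
}

# Constructed sample: the installer-style entry, the experiment described in
# the thread (noauto,users), and the same entry with uid=0,gid=0 added.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not taken from a real system
UUID=AAAA-0001 /boot/efi  vfat umask=0077 0 1
UUID=AAAA-0002 /mnt/esp-a vfat noauto,users,umask=0077 0 0
UUID=AAAA-0003 /mnt/esp-b vfat noauto,users,uid=0,gid=0,umask=0077 0 0
UUID=BBBB-0004 /          ext4 errors=remount-ro 0 1
EOF
audit_fstab "$sample"
rm -f "$sample"
```

Run against the real `/etc/fstab` with `audit_fstab /etc/fstab`; an installer-default ESP entry reports `ok`.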