From 9b4744701f46d02473bf3f6ee02bebe4bc276329 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leonard=20G=C3=B6hrs?=
Date: Tue, 12 Nov 2024 07:48:46 +0100
Subject: [PATCH] meta-lxatac-software: distro: tacos: make /srv on the rootfs read-only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We do not want any service to write to /srv (in the root filesystem) before the /srv partition is set up and mounted. Make the directory read only to make sure of that.

Signed-off-by: Leonard Göhrs
---
 meta-lxatac-software/conf/distro/tacos.conf | 4 ++++
 meta-lxatac-software/files/fs-perms-srv-ro.txt | 5 +++++
 2 files changed, 9 insertions(+)
 create mode 100644 meta-lxatac-software/files/fs-perms-srv-ro.txt

diff --git a/meta-lxatac-software/conf/distro/tacos.conf b/meta-lxatac-software/conf/distro/tacos.conf
index 4f1ee5a0..5fdb7830 100644
--- a/meta-lxatac-software/conf/distro/tacos.conf
+++ b/meta-lxatac-software/conf/distro/tacos.conf
@@ -40,6 +40,10 @@ USERADD_ERROR_DYNAMIC = "error"
 USERADD_UID_TABLES = "files/passwd"
 USERADD_GID_TABLES = "files/group"
+# Mark /srv in the root filesystem as read only to prevent anyone from writing
+# to it before the /srv partition is mounted.
+FILESYSTEM_PERMS_TABLES += "files/fs-perms-srv-ro.txt"
+
 # do not include libc variant name in tmp directory
 TCLIBCAPPEND = ""
diff --git a/meta-lxatac-software/files/fs-perms-srv-ro.txt b/meta-lxatac-software/files/fs-perms-srv-ro.txt
new file mode 100644
index 00000000..e9763075
--- /dev/null
+++ b/meta-lxatac-software/files/fs-perms-srv-ro.txt
@@ -0,0 +1,5 @@
+# This matches the original fs-perms.txt.
+# The only difference is that write permissions for the owner were removed
+# (0755 -> 0555) to prevent anyone from writing to the rootfs /srv instead of
+# the /srv partition.
+/srv 0555 root root false - - -
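Review bot: Mode 0555 on a root-owned directory does not stop a service running as root from writing into the rootfs /srv, because root holds CAP_DAC_OVERRIDE and bypasses the DAC mode bits, so the `/srv 0555 root root false - - -` entry only blocks unprivileged writers — narrower than the "prevent anyone from writing" wording in both new comments. Early-boot services that touch /srv very commonly run as root, so if the real goal is to guarantee nothing lands on the rootfs before the partition is up, the units that use /srv should also be ordered after the mount (for example `RequiresMountsFor=/srv`); I cannot see those units in this patch, so treat that as something to verify. Note also that once the partition is mounted the mode bits of the mounted filesystem's root apply, not these, so this entry has no effect on the normal running system. I would at least make the comment honest about the limitation, e.g. `# Only blocks non-root writers: root bypasses mode bits, so services using /srv must also be ordered after the /srv mount.`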