Bug #5518

Make the system disk read-only

Added by Tails about 6 years ago. Updated about 5 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: -
Target version:
Start date: 09/11/2013
Due date:
% Done: 100%
Feature Branch:
Type of work: Code
Blueprint:
Starter: No
Affected tool:

Description

(Redirected from writable system disk: belongs to floppy group)

The problem

In short: the system USB disk and partition block devices (e.g. /dev/sdb*) are writable by the default Live user, because they belong to the floppy group.

This was fixed in Tails 0.12 (see config/chroot_local_includes/lib/live/config/998-permissions), but the bug has since reappeared, so the bug is now reopened. Our udev packages haven't been updated since, but perhaps the udev init script runs (or re-runs?) after live-config, whereas it previously only ran before?

Roadmap

This is being discussed in the Help needed with branch bugfix/writable_boot_media thread on tails-dev.

  1. Fix write access to boot medium via udisks.
    1. Improve the "the boot device has safe access rights" step in features/usb_install.feature of the automated test suite to take this kind of write access into account.
    2. We've got a solution based on bilibop implemented in bugfix/safer-persistence, but it relies on UDISKS_SYSTEM_INTERNAL that exists in Wheezy, but not in Squeeze. So, let's wait for Tails to be based on Wheezy.
    3. Research potential consequences on:
      • tails-persistence-setup
      • incremental updates

Done

  1. Fix write access to boot medium at the block device level (Debian bug #645466):
    1. Review and merge feature/bilibop.
    2. Re-enable the "the boot device has safe access rights" step in features/usb_install.feature of the automated test suite.

We'll use bilibop: its potential usefulness for Tails was discussed on the ITP and RFS bugs.

Our feature/bilibop branch installs bilibop-udev (0.4.11~quidame). It works fine and makes the "the boot device has safe access rights" test pass.

This part is pending for Tails 0.19.

Older notes

This is being discussed in the Help needed with branch bugfix/writable_boot_media thread on tails-dev.

Another solution was considered: home-made udev rules. See branch bugfix/writable_boot_media for a new fix using udev.

First review done, a bit more code is needed.
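
The access-rights problem described under "The problem" above, as an added example that is not part of the original ticket or of the Tails test suite: a check of whether a given user can write to block device nodes through the POSIX mode bits. The numeric ids, the `BUGGY`/`FIXED` sample data and all function names are assumptions constructed for illustration.

```python
import glob
import os
import stat


def can_write(mode, owner_uid, owner_gid, uid, gids):
    """POSIX mode-bit check: may a process with uid/gids open the node for writing?"""
    if uid == 0:
        return True  # root is not restricted by mode bits
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)  # owner class wins, group is not consulted
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def stat_nodes(pattern):
    """Collect (path, mode, uid, gid) for block devices matching a glob, e.g. /dev/sdb*."""
    nodes = []
    for path in sorted(glob.glob(pattern)):
        st = os.stat(path)
        if stat.S_ISBLK(st.st_mode):
            nodes.append((path, st.st_mode, st.st_uid, st.st_gid))
    return nodes


def writable_nodes(nodes, uid, gids):
    """Return the paths in nodes that the given uid/gids can write to."""
    return [p for p, mode, o_uid, o_gid in nodes
            if can_write(mode, o_uid, o_gid, uid, gids)]


# Constructed sample data; all numeric ids are hypothetical.
FLOPPY_GID, OTHER_GID = 25, 6
LIVE_UID, LIVE_GIDS = 1000, {1000, FLOPPY_GID}   # Live user is a member of floppy
BLK_RW_GROUP = stat.S_IFBLK | 0o660              # brw-rw----
BUGGY = [("/dev/sdb", BLK_RW_GROUP, 0, FLOPPY_GID),
         ("/dev/sdb1", BLK_RW_GROUP, 0, FLOPPY_GID)]
FIXED = [(p, m, u, OTHER_GID) for p, m, u, _ in BUGGY]  # group the Live user is not in

if __name__ == "__main__":
    print("buggy:", writable_nodes(BUGGY, LIVE_UID, LIVE_GIDS))
    print("fixed:", writable_nodes(FIXED, LIVE_UID, LIVE_GIDS))
    # On a live system: writable_nodes(stat_nodes("/dev/sdb*"), uid, gids)
```

This covers only the block-device-level mode bits; write access obtained through udisks, which the roadmap tracks separately, is not visible to this check.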


Subtasks

Bug #6172: Fix write access to boot medium via udisks (Status: Resolved)

Feature #6274: Research consequences of the boot device being seen as system internal by udisks (Status: Resolved, Assignee: intrigeri)

Feature #7005: Test incremental upgrades on Wheezy (Status: Resolved, Assignee: intrigeri)

Feature #7006: Check if we document how to modify the current Tails boot device with GNOME Disks (Status: Resolved, Assignee: intrigeri)

Feature #6275: Automatically test write access to the boot block device via udisks (Status: Resolved)

History

#1 Updated by intrigeri about 6 years ago

  • Tracker changed from Feature to Bug

#2 Updated by intrigeri about 6 years ago

  • Type of work changed from Wait to Code

#3 Updated by intrigeri over 5 years ago

  • Assignee set to intrigeri
  • Starter set to No

#4 Updated by intrigeri over 5 years ago

  • Subject changed from make system disk read-only to Make the system disk read-only

#5 Updated by intrigeri over 5 years ago

  • Status changed from Confirmed to In Progress

#6 Updated by intrigeri over 5 years ago

  • Status changed from In Progress to Fix committed
  • Assignee deleted (intrigeri)
  • Target version set to Tails_1.1

My results on #6275 and other subtasks confirm that this is indeed fixed on Tails/Wheezy, finally.

#7 Updated by BitingBird about 5 years ago

  • Status changed from Fix committed to Resolved
