Re: fstab issue in generated images

To: Thorsten Glaser <tg@debian.org>
Cc: debian-cloud@lists.debian.org
Subject: Re: fstab issue in generated images
From: Noah Meyerhans <noahm@debian.org>
Date: Mon, 11 Nov 2024 13:12:06 -0500
Message-id: <[🔎] ZzJI9glYJUJxVLg_@doom.morgul.net>
In-reply-to: <4f22d219-1faf-831c-32ed-6bff9af3a200@debian.org>
References: <4f22d219-1faf-831c-32ed-6bff9af3a200@debian.org>

On Sat, Oct 26, 2024 at 11:23:39PM +0200, Thorsten Glaser wrote:
> PARTUUID=104ec3d3-7bc6-4ce4-be38-166f672601ec /boot/efi vfat defaults 0 0
> 
> This ensures that, if the VM isn’t shut down cleanly just once,
> it refuses to function at all.
> 
> Please set the pass field to 2.

We'll need to install dosfstools in the images, too, for that to matter.

While we're at it, we should ensure that we're mounting /boot/efi with
more restrictive permissions, as there may be sensitive information in
it.  bootctl warns about the current permissions:
⚠ Mount point '/boot/efi' which backs the random seed file is world accessible, which is a security hole! ⚠
⚠ Random seed file '/boot/efi/loader/random-seed' is world accessible, which is a security hole! ⚠

noah

Reply to:

Follow-Ups:
- Re: fstab issue in generated images
  - From: Noah Meyerhans <noahm@debian.org>

Prev by Date: Removing google-guest-agent from Debian?
Next by Date: Re: fstab issue in generated images
Previous by thread: Re: Removing google-guest-agent from Debian?
Next by thread: Re: fstab issue in generated images
Index(es):
- Date
- Thread