* Dracut and root filesystem UUIDs
@ 2012-01-13 11:55 Alastair Scobie
From: Alastair Scobie @ 2012-01-13 11:55 UTC (permalink / raw)
  To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Alastair Scobie

Apologies if this is the incorrect mailing list to discuss this issue..

Does anyone know if there is a way to configure dracut such that
it will not attempt to mount USB mass-storage devices at boot time,
but will still allow mounting of such devices once a system (in our
case ScientificLinux6) is fully booted?

Why do we want to do this? We run several large teaching labs running
SL6 desktops. We mount filesystems by UUID. We are concerned that our
students could install a USB memory stick, at boot time, with a
filesystem with the same UUID as the "official" root filesystem so
fooling dracut into mounting a trojan filesystem.

Thanks, in advance, for any ideas..

Alastair Scobie


-- 
Alastair Scobie
Head of Computing, School of Informatics, University of Edinburgh

10 Crichton Street, Edinburgh, Scotland, EH8 9AB
Mail: ascobie-5WhEfG1TI8k@public.gmane.org   Voice: 0131 650 5178


The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


* Re: Dracut and root filesystem UUIDs
@ 2012-01-13 14:06   ` Harald Hoyer
From: Harald Hoyer @ 2012-01-13 14:06 UTC (permalink / raw)
  To: Alastair Scobie; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org

On 13.01.2012 12:55, Alastair Scobie wrote:
> Apologies if this is the incorrect mailing list to discuss this issue..
> 
> Does anyone know if there is a way to configure dracut such that
> it will not attempt to mount USB mass-storage devices at boot time,
> but will still allow mounting of such devices once a system (in our
> case ScientificLinux6) is fully booted?
> 
> Why do we want to do this? We run several large teaching labs running
> SL6 desktops. We mount filesystems by UUID. We are concerned that our
> students could install a USB memory stick, at boot time, with a
> filesystem with the same UUID as the "official" root filesystem so
> fooling dracut into mounting a trojan filesystem.
> 
> Thanks, in advance, for any ideas..
> 
> Alastair Scobie
> 
> 

specifying "root=UUID=<uuid> rd.shell=0" will do exactly what you want. Then you
also want to secure grub (or any other bootloader) with a password.


* Re: Dracut and root filesystem UUIDs
@ 2012-01-13 14:09       ` Harald Hoyer
From: Harald Hoyer @ 2012-01-13 14:09 UTC (permalink / raw)
  To: Alastair Scobie; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org

On 13.01.2012 15:06, Harald Hoyer wrote:
> On 13.01.2012 12:55, Alastair Scobie wrote:
>> Apologies if this is the incorrect mailing list to discuss this issue..
>>
>> Does anyone know if there is a way to configure dracut such that
>> it will not attempt to mount USB mass-storage devices at boot time,
>> but will still allow mounting of such devices once a system (in our
>> case ScientificLinux6) is fully booted?
>>
>> Why do we want to do this? We run several large teaching labs running
>> SL6 desktops. We mount filesystems by UUID. We are concerned that our
>> students could install a USB memory stick, at boot time, with a
>> filesystem with the same UUID as the "official" root filesystem so
>> fooling dracut into mounting a trojan filesystem.
>>
>> Thanks, in advance, for any ideas..
>>
>> Alastair Scobie
>>
>>
> 
> specifying "root=UUID=<uuid> rd.shell=0" will do exactly what you want. Then you
> also want to secure grub (or any other bootloader) with a password.

Ah, sorry, only read half of it. You might want to blacklist the USB storage
kernel driver then.

"rd.driver.blacklist=usb-storage"

or choose one of the by-path symlinks with e.g.
"root=/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0-part1"


* Re: Dracut and root filesystem UUIDs
@ 2012-01-13 14:24           ` Alastair Scobie
From: Alastair Scobie @ 2012-01-13 14:24 UTC (permalink / raw)
  To: Harald Hoyer
  Cc: initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Alastair Scobie

On 13/01/2012 14:09, Harald Hoyer wrote:
> On 13.01.2012 15:06, Harald Hoyer wrote:
>> On 13.01.2012 12:55, Alastair Scobie wrote:
>>> Apologies if this is the incorrect mailing list to discuss this issue..
>>>
>>> Does anyone know if there is a way to configure dracut such that
>>> it will not attempt to mount USB mass-storage devices at boot time,
>>> but will still allow mounting of such devices once a system (in our
>>> case ScientificLinux6) is fully booted?
>>>
>>> Why do we want to do this? We run several large teaching labs running
>>> SL6 desktops. We mount filesystems by UUID. We are concerned that our
>>> students could install a USB memory stick, at boot time, with a
>>> filesystem with the same UUID as the "official" root filesystem so
>>> fooling dracut into mounting a trojan filesystem.
>>>
>>> Thanks, in advance, for any ideas..
>>>
>>> Alastair Scobie
>>>
>>>
>>
>> specifying "root=UUID=<uuid> rd.shell=0" will do exactly what you want. Then you
>> also want to secure grub (or any other bootloader) with a password.
> 
> Ah, sorry, only read half of it. You might want to blacklist the USB storage
> kernel driver then.
> 
> "rd.driver.blacklist=usb-storage"

Would that blacklist apply only during dracut - would the usb-storage
module still be loadable if a user inserted a USB stick after login? ...

> or choose one of the by-path symlinks with e.g.
> "root=/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0-part1"

... otherwise, this looks like the best approach.

Thanks







* Re: Dracut and root filesystem UUIDs
@ 2012-01-13 15:08               ` Harald Hoyer
From: Harald Hoyer @ 2012-01-13 15:08 UTC (permalink / raw)
  To: Alastair Scobie; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org

On 13.01.2012 15:24, Alastair Scobie wrote:
> On 13/01/2012 14:09, Harald Hoyer wrote:
>> On 13.01.2012 15:06, Harald Hoyer wrote:
>>> On 13.01.2012 12:55, Alastair Scobie wrote:
>>>> Apologies if this is the incorrect mailing list to discuss this issue..
>>>>
>>>> Does anyone know if there is a way to configure dracut such that
>>>> it will not attempt to mount USB mass-storage devices at boot time,
>>>> but will still allow mounting of such devices once a system (in our
>>>> case ScientificLinux6) is fully booted?
>>>>
>>>> Why do we want to do this? We run several large teaching labs running
>>>> SL6 desktops. We mount filesystems by UUID. We are concerned that our
>>>> students could install a USB memory stick, at boot time, with a
>>>> filesystem with the same UUID as the "official" root filesystem so
>>>> fooling dracut into mounting a trojan filesystem.
>>>>
>>>> Thanks, in advance, for any ideas..
>>>>
>>>> Alastair Scobie
>>>>
>>>>
>>>
>>> specifying "root=UUID=<uuid> rd.shell=0" will do exactly what you want. Then you
>>> also want to secure grub (or any other bootloader) with a password.
>>
>> Ah, sorry, only read half of it. You might want to blacklist the USB storage
>> kernel driver then.
>>
>> "rd.driver.blacklist=usb-storage"
> 
> Would that blacklist apply only during dracut - would the usb-storage
> module still be loadable if a user inserted a USB stick after login? ...

it would only be blacklisted during dracut

> 
>> or choose one of the by-path symlinks with e.g.
>> "root=/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0-part1"
> 
> ... otherwise, this looks like the best approach.
> 
> Thanks
> 
> 
> 
> 
> 

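An added example, not part of the original thread and not dracut code: a shell function that audits a kernel command line for the settings suggested in the replies above (rd.shell=0, rd.driver.blacklist=usb-storage, a by-path root=). The function name, the sample command lines and the placeholder UUID are constructed for illustration.

```shell
# Constructed sample command lines (the UUID is a made-up placeholder).
SAMPLE_WEAK='ro root=UUID=00000000-0000-0000-0000-000000000000 quiet'
SAMPLE_BLACKLIST='ro root=UUID=00000000-0000-0000-0000-000000000000 rd.shell=0 rd.driver.blacklist=usb-storage'
SAMPLE_BYPATH='ro root=/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0-part1 rd.shell=0'

# audit_cmdline "<kernel command line>"  (hypothetical helper name)
# Prints one finding per line; exit status is the number of WARN lines.
# The body runs in a subshell so set -f and the variables stay local.
audit_cmdline() (
    set -f                      # no glob expansion while word-splitting
    root='' shell_off=no usb_blocked=no warns=0
    for arg in $1; do
        case $arg in
            root=*)     root=${arg#root=} ;;
            rd.shell=0) shell_off=yes ;;
            rd.shell=*) shell_off=no ;;
            rd.driver.blacklist=*)
                # comma-separated module list; accept either spelling
                case ",${arg#rd.driver.blacklist=}," in
                    *,usb-storage,*|*,usb_storage,*) usb_blocked=yes ;;
                esac ;;
        esac
    done
    case $root in
        UUID=*|LABEL=*|/dev/disk/by-uuid/*|/dev/disk/by-label/*)
            if [ "$usb_blocked" = yes ]; then
                echo "OK   root=$root is content-based, usb-storage blacklisted in initramfs"
            else
                echo "WARN root=$root matches any device carrying that identifier"; warns=$((warns + 1))
            fi ;;
        /dev/disk/by-path/*-usb-*)  # udev by-path names of USB disks contain -usb-
            echo "WARN root=$root is itself on a USB path"; warns=$((warns + 1)) ;;
        /dev/disk/by-path/*)
            echo "OK   root=$root is pinned to a controller port" ;;
        '') echo "WARN no root= argument found"; warns=$((warns + 1)) ;;
        *)  echo "NOTE root=$root not classified by this check" ;;
    esac
    if [ "$shell_off" = yes ]; then
        echo "OK   rd.shell=0 set"
    else
        echo "WARN rd.shell=0 not set"; warns=$((warns + 1))
    fi
    exit "$warns"
)

# Demo over the constructed samples.
for s in "$SAMPLE_WEAK" "$SAMPLE_BLACKLIST" "$SAMPLE_BYPATH"; do
    audit_cmdline "$s" || true
done
```

On a live host, `audit_cmdline "$(cat /proc/cmdline)"` checks the running kernel's arguments.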
