* Dracut and root filesystem UUIDs
@ 2012-01-13 11:55 Alastair Scobie
From: Alastair Scobie @ 2012-01-13 11:55 UTC
To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Alastair Scobie

Apologies if this is the incorrect mailing list to discuss this issue..

Does anyone know if there is a way to configure dracut such that
it will not attempt to mount USB mass-storage devices at boot time,
but will still allow mounting of such devices once a system (in our
case ScientificLinux6) is fully booted?

Why do we want to do this? We run several large teaching labs running
SL6 desktops. We mount filesystems by UUID. We are concerned that our
students could install a USB memory stick, at boot time, with a
filesystem with the same UUID as the "official" root filesystem so
fooling dracut into mounting a trojan filesystem.

Thanks, in advance, for any ideas..

Alastair Scobie
--
Alastair Scobie
Head of Computing, School of Informatics, University of Edinburgh
10 Crichton Street, Edinburgh, Scotland, EH8 9AB
Mail: ascobie-5WhEfG1TI8k@public.gmane.org Voice: 0131 650 5178
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

* Re: Dracut and root filesystem UUIDs
@ 2012-01-13 14:06 Harald Hoyer
From: Harald Hoyer @ 2012-01-13 14:06 UTC
To: Alastair Scobie; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org

On 13.01.2012 12:55, Alastair Scobie wrote:
> Apologies if this is the incorrect mailing list to discuss this issue..
>
> Does anyone know if there is a way to configure dracut such that
> it will not attempt to mount USB mass-storage devices at boot time,
> but will still allow mounting of such devices once a system (in our
> case ScientificLinux6) is fully booted?
>
> Why do we want to do this? We run several large teaching labs running
> SL6 desktops. We mount filesystems by UUID. We are concerned that our
> students could install a USB memory stick, at boot time, with a
> filesystem with the same UUID as the "official" root filesystem so
> fooling dracut into mounting a trojan filesystem.
>
> Thanks, in advance, for any ideas..
>
> Alastair Scobie
>

specifying "root=UUID=<uuid> rd.shell=0" will do exactly what you want. Then you
also want to secure grub (or any other bootloader) with a password.

* Re: Dracut and root filesystem UUIDs
@ 2012-01-13 14:09 Harald Hoyer
From: Harald Hoyer @ 2012-01-13 14:09 UTC
To: Alastair Scobie; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org

On 13.01.2012 15:06, Harald Hoyer wrote:
> On 13.01.2012 12:55, Alastair Scobie wrote:
>> Apologies if this is the incorrect mailing list to discuss this issue..
>>
>> Does anyone know if there is a way to configure dracut such that
>> it will not attempt to mount USB mass-storage devices at boot time,
>> but will still allow mounting of such devices once a system (in our
>> case ScientificLinux6) is fully booted?
>>
>> Why do we want to do this? We run several large teaching labs running
>> SL6 desktops. We mount filesystems by UUID. We are concerned that our
>> students could install a USB memory stick, at boot time, with a
>> filesystem with the same UUID as the "official" root filesystem so
>> fooling dracut into mounting a trojan filesystem.
>>
>> Thanks, in advance, for any ideas..
>>
>> Alastair Scobie
>>
>
> specifying "root=UUID=<uuid> rd.shell=0" will do exactly what you want. Then you
> also want to secure grub (or any other bootloader) with a password.

Ah, sorry, only read half of it. You might want to blacklist the USB storage
kernel driver then.

"rd.driver.blacklist=usb-storage"

or choose one of the by-path symlinks with e.g.
"root=/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0-part1"

* Re: Dracut and root filesystem UUIDs
@ 2012-01-13 14:24 Alastair Scobie
From: Alastair Scobie @ 2012-01-13 14:24 UTC
To: Harald Hoyer
Cc: initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Alastair Scobie

On 13/01/2012 14:09, Harald Hoyer wrote:
> On 13.01.2012 15:06, Harald Hoyer wrote:
>> On 13.01.2012 12:55, Alastair Scobie wrote:
>>> Apologies if this is the incorrect mailing list to discuss this issue..
>>>
>>> Does anyone know if there is a way to configure dracut such that
>>> it will not attempt to mount USB mass-storage devices at boot time,
>>> but will still allow mounting of such devices once a system (in our
>>> case ScientificLinux6) is fully booted?
>>>
>>> Why do we want to do this? We run several large teaching labs running
>>> SL6 desktops. We mount filesystems by UUID. We are concerned that our
>>> students could install a USB memory stick, at boot time, with a
>>> filesystem with the same UUID as the "official" root filesystem so
>>> fooling dracut into mounting a trojan filesystem.
>>>
>>> Thanks, in advance, for any ideas..
>>>
>>> Alastair Scobie
>>>
>>
>> specifying "root=UUID=<uuid> rd.shell=0" will do exactly what you want. Then you
>> also want to secure grub (or any other bootloader) with a password.
>
> Ah, sorry, only read half of it. You might want to blacklist the USB storage
> kernel driver then.
>
> "rd.driver.blacklist=usb-storage"

Would that blacklist apply only during dracut - would the usb-storage
module still be loadable if a user inserted a USB stick after login? ...

> or choose one of the by-path symlinks with e.g.
> "root=/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0-part1"

... otherwise, this looks like the best approach.

Thanks

--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

* Re: Dracut and root filesystem UUIDs
@ 2012-01-13 15:08 Harald Hoyer
From: Harald Hoyer @ 2012-01-13 15:08 UTC
To: Alastair Scobie; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org

On 13.01.2012 15:24, Alastair Scobie wrote:
> On 13/01/2012 14:09, Harald Hoyer wrote:
>> On 13.01.2012 15:06, Harald Hoyer wrote:
>>> On 13.01.2012 12:55, Alastair Scobie wrote:
>>>> Apologies if this is the incorrect mailing list to discuss this issue..
>>>>
>>>> Does anyone know if there is a way to configure dracut such that
>>>> it will not attempt to mount USB mass-storage devices at boot time,
>>>> but will still allow mounting of such devices once a system (in our
>>>> case ScientificLinux6) is fully booted?
>>>>
>>>> Why do we want to do this? We run several large teaching labs running
>>>> SL6 desktops. We mount filesystems by UUID. We are concerned that our
>>>> students could install a USB memory stick, at boot time, with a
>>>> filesystem with the same UUID as the "official" root filesystem so
>>>> fooling dracut into mounting a trojan filesystem.
>>>>
>>>> Thanks, in advance, for any ideas..
>>>>
>>>> Alastair Scobie
>>>>
>>>
>>> specifying "root=UUID=<uuid> rd.shell=0" will do exactly what you want. Then you
>>> also want to secure grub (or any other bootloader) with a password.
>>
>> Ah, sorry, only read half of it. You might want to blacklist the USB storage
>> kernel driver then.
>>
>> "rd.driver.blacklist=usb-storage"
>
> Would that blacklist apply only during dracut - would the usb-storage
> module still be loadable if a user inserted a USB stick after login? ...

it would only be blacklisted during dracut

>
>> or choose one of the by-path symlinks with e.g.
>> "root=/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0-part1"
>
> ... otherwise, this looks like the best approach.
>
> Thanks
>
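
A boot-parameter audit for the settings suggested in this thread, as an added example that is not part of the original messages or of dracut itself. The function name, finding texts, sample command lines and the UUID are constructed for illustration; the `LABEL=`, `/dev/disk/by-uuid` and `/dev/disk/by-label` cases go beyond the UUID case discussed above and rest on the same reasoning (the identifier is stored in the filesystem itself).

```shell
#!/bin/sh
# Added example: audit a kernel command line for the boot-time exposure
# discussed in this thread. Prints one finding per line; the exit status
# is 0 only when there are no findings.
audit_cmdline() (
    set -f    # no glob expansion while word-splitting the command line
    root="" shell_off=0 usb_blocked=0 findings=0
    for arg in $1; do
        case $arg in
            root=*)              root=${arg#root=} ;;
            rd.shell=0)          shell_off=1 ;;
            rd.shell|rd.shell=*) shell_off=0 ;;
            rd.driver.blacklist=*)
                # the value is a comma-separated list of module names
                case ",${arg#rd.driver.blacklist=}," in
                    *,usb-storage,*|*,usb_storage,*) usb_blocked=1 ;;
                esac ;;
        esac
    done
    case $root in
        "")
            echo "FAIL no root= argument"
            findings=$((findings + 1)) ;;
        /dev/disk/by-path/*)
            : ;;  # bound to a controller and port, not to on-disk metadata
        UUID=*|LABEL=*|/dev/disk/by-uuid/*|/dev/disk/by-label/*)
            # any attached filesystem can carry the same identifier
            if [ "$usb_blocked" -eq 0 ]; then
                echo "WARN root=$root matches on filesystem metadata and usb-storage is not blacklisted in the initramfs"
                findings=$((findings + 1))
            fi ;;
    esac
    if [ "$shell_off" -eq 0 ]; then
        echo "WARN rd.shell=0 is not set"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
)

# Constructed sample command lines (not taken from a real host).
WEAK='ro root=UUID=0a1b2c3d-1111-2222-3333-444455556666 quiet'
HARD='ro root=/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0-part1 rd.shell=0'
audit_cmdline "$WEAK" || true
audit_cmdline "$HARD" || true
```

On a running machine, pass it the live command line with `audit_cmdline "$(cat /proc/cmdline)"`. The bootloader password mentioned in the thread is not visible on the command line and has to be checked separately.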