1 |
On Thu, Jul 13, 2017 at 12:45 PM, Mike Gilbert <floppym@g.o> wrote: |
2 |
> On Thu, Jul 13, 2017 at 10:58 AM, Andrew Savchenko <bircoph@g.o> wrote: |
3 |
>> On Thu, 13 Jul 2017 10:29:06 -0400 Mike Gilbert wrote: |
4 |
>>> On Thu, Jul 13, 2017 at 7:35 AM, M. J. Everitt <m.j.everitt@×××.org> wrote: |
5 |
>>> > On 13/07/17 12:09, Rich Freeman wrote: |
6 |
>>> >> Presumably you'd only want to remount it if it was mounted ro to |
7 |
>>> >> start, since it sounds like openrc will be diverging from systemd |
8 |
>>> >> behavior here. |
9 |
>>> >> |
10 |
>>> >> While it seems like a good idea I'm not sure how big an improvement it |
11 |
>>> >> is in the larger scheme. We're worried about root accidentially |
12 |
>>> >> modifying efivars, but we have no safeguards against root writing to |
13 |
>>> >> /dev/sda, and the latter seems much more likely to cause harm, and is |
14 |
>>> >> harder to fix. |
15 |
>>> >> |
16 |
>>> > In case you weren't aware, Rich, rewriting the efivars actually writes |
17 |
>>> > to the system BIOS, which renders the computer completely unbootable .. |
18 |
>>> > not quite the same as erasing the boot sector of your hard disk, where |
19 |
>>> > you simply plug in another device, and Off you go ... |
20 |
>>> > |
21 |
>>> |
22 |
>>> We are actually talking about protecting people who run something like |
23 |
>>> rm -rf /sys/firmware/efi/efivars/ as root. |
24 |
>>> |
25 |
>>> If you are dumb enough to do something like that, you almost deserve |
26 |
>>> to spend a couple hundred on a new motherboard. |
27 |
>> |
28 |
>> Or just rm -rf / |
29 |
>> [pedantic] |
30 |
>> of course with newer rm versions one needs to run: |
31 |
>> rm -rf --no-preserve-root / |
32 |
>> or |
33 |
>> rm -rf /* /.* |
34 |
>> [/pedantic] |
35 |
>> |
36 |
>> But in some scenarios this command is normal. E.g. user installs |
37 |
>> Gentoo from some live dvd/flash, makes some mistakes, understands |
38 |
>> that system is broken beyond repair and decides to start over again. |
39 |
>> If there is no need to recreate filesystem itself or partition |
40 |
>> layout, running rm -rf / as above is quite reasonable. |
41 |
>> |
42 |
>> When running this command user expects to kill the data, but not |
43 |
>> the hardware. That is my point. I can't call such action dumb. |
44 |
>> |
45 |
>> Best regards, |
46 |
>> Andrew Savchenko |
47 |
> |
48 |
> Point taken. |
49 |
> |
50 |
> Although, if the user is in the process of installing Gentoo, efivarfs |
51 |
> is likely to be mounted rw anyway so that the user can install a boot |
52 |
> loader. Having grub-install perform the remount would minimize this |
53 |
> small risk I suppose. |
54 |
|
55 |
s/grub-install/efibootmgr/; grub-install does not update efivarfs |
56 |
directly, but rather calls efibootmgr to do it. |