ubuntu-translations-coordinators team mailing list archive

Thread
Date
[Bug 1881006] [NEW] Incorrect ESP mount options

To: ubuntu-translations-coordinators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1881006@xxxxxxxxxxxxxxxxxx>
Date: Sun, 23 Feb 2025 04:19:58 -0000
Reply-to: Bug 1881006 <1881006@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

[Impact]

 * For the affected images, the ESP is currently mounted with default
(0755) permissions. This means anyone can read the ESP partition. This
can cause security issues as sensitive data might be put in this
partition[0]

[Test Plan]

 * Build an uefi image from the ubuntu-cpc project in livecd-rootfs

 * Launch in KVM

 * Check `/etc/fstab` content

 * Check that mount options are reflected in 'mount' command output

 * Ensure a non-root user can not access /boot/efi

[Where problems could occur]

 * Some users can have automation in place change the mount options.
This change might break their automation. However, because this change
is only related to the ESP partition, I don't think a lot of users would
want to change the default settings.

 * All use cases requiring non-root user to read from this file system
will be broken. However, given the content of this filesystem, this
scenario is unlikely and the security benefits should justify this risk.

[original description]

Previously we decided that ESP should be mounted with umask=0077

See

https://git.launchpad.net/ubuntu/+source/partman-
efi/commit/fstab.d/efi?id=b141ba7648e66ae80eb58d26d40dd717cfee1904

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770033

https://bugs.launchpad.net/ubuntu/+source/partman-efi/+bug/1390183

This is also documented in https://wiki.ubuntu.com/FSTAB

However, in GCE instance /boot/efi is not mounted with umask=0077
fstab is:

LABEL=cloudimg-rootfs   /        ext4   defaults        0 0
LABEL=UEFI      /boot/efi       vfat    defaults        0 0

And in mount options are:
(rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)

fstab should be fixed to specify "umask=0077" instead of "defaults" for
the ESP partition

also zsys setup in ubiquity does weird explicit
umask=0022,fmask=0022,dmask=0022 which are the defaults anyway, not sure
where that got those options from.

systemd, gpt-auto-generator correctly defaults to umask=0077 for ESP
mount

I think subiquity is affected, as it does not set "options:
'umask=0077'" on the /boot/efi mount in the storage specification.

[0] https://bugs.launchpad.net/cloud-images/+bug/1881006/comments/11

** Affects: cloud-images
     Importance: Undecided
         Status: New

** Affects: ubuntu-translations
     Importance: Undecided
         Status: New

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: livecd-rootfs (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: ubiquity (Ubuntu)
     Importance: Undecided
         Status: Won't Fix

** Affects: livecd-rootfs (Ubuntu Xenial)
     Importance: Undecided
         Status: Fix Released

** Affects: livecd-rootfs (Ubuntu Bionic)
     Importance: Undecided
         Status: Fix Released

** Affects: livecd-rootfs (Ubuntu Focal)
     Importance: Undecided
         Status: Fix Released

** Affects: livecd-rootfs (Ubuntu Groovy)
     Importance: Undecided
         Status: Fix Released


** Tags: easy verification-done verification-done-bionic verification-done-focal verification-done-groovy verification-done-xenial
-- 
Incorrect ESP mount options
https://bugs.launchpad.net/bugs/1881006
You received this bug notification because you are a member of Ubuntu Translations Coordinators, which is subscribed to Ubuntu Translations.