[Tails-dev] Please review'n'merge bugfix/safer-persistence (…

Author: intrigeri
Date:  
To: tails-dev
Subject: [Tails-dev] Please review'n'merge bugfix/safer-persistence (0.22 iteration)
Hi,

Tails 0.21 was the first step to make the persistence feature more
secure. Tails 0.22 is planned to clean things up and complete the
design:

   - Stop setting ownership and permission of TailsData,
     persistence.conf and live-additional-software.conf in
     live-persist.
   - In live-persist, stop importing known-safe presets from
     live-persistence.conf.
   - Have live-persist refuse to set up persistence unless TailsData
     has the correct permissions already. In this case, disable
     persistence.conf + live-additional-software.conf and warn
     the user.
   - Have live-persist refuse to set up persistence unless
     persistence.conf has the correct permissions already. In this
     case, disable persistence.conf and warn the user.
   - Have live-persist disable live-additional-software.conf if it has
     wrong permissions. In this case, the user is warned.


This is implemented in bugfix/safer-persistence (end-user and design
doc update included).

I have tried the following use cases:

  * set up persistence 0.20.1, upgrade to 0.21, enjoy the automatic
    upgrade, upgrade to bugfix/safer-persistence
  * set up persistence on 0.20.1, skip 0.21, upgrade to
    bugfix/safer-persistence
  * set up persistence on bugfix/safer-persistence, manually create
    permission issues, reboot


Please review'n'merge in time for 0.22. Any taker?

sajolida: I have done the minimal amount of documentation work to make
things look good enough to me. This implied touching
persistence/upgrade a bit. Please have a look (and improve) if you
feel like it.

Note that the original plan also had the following, that was
superseded IMHO as this is now guaranteed by live-persist already:
have tails-additional-software refuse to read
live-additional-software.conf if it is owned or writable by someone
else than tails-persistence-setup; check parent permissions too.
The code was written already, though. It is sad not to include it, and
Alan would like to see it live for some reason he was not able to
explain to me, but it seems useless to me, so better not carry it IMO.
If someone comes up with a reason to duplicate these checks in
live-additional-software, despite the access rights having been
checked just before by live-persist, please raise it now.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
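The refuse-unless-correct policy described in the message (check TailsData first, then persistence.conf, then live-additional-software.conf, disabling and warning at each level) can be illustrated with a small model of the decision. The following is an added example written for this page, not the live-persist code from the bugfix/safer-persistence branch: the concrete ownership and mode values (0750 for the directory, 0640 for the configuration files), the function names, and the sample directory layouts it builds are assumptions for illustration and are not taken from the Tails design. It uses lstat() so that a symlink placed where a configuration file is expected cannot pass the check, which is the kind of caveat a permission check of this sort has to handle.

```python
import os
import stat
import tempfile
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Expected:
    """Required owner, group and permission bits (mode bits only, no file type)."""
    uid: int
    gid: int
    mode: int


@dataclass
class Decision:
    """Outcome of the check: which config files may be used, plus user-facing warnings."""
    persistence_conf: bool = True
    additional_software_conf: bool = True
    warnings: list = field(default_factory=list)


def file_state(path, expected):
    """Return 'missing', 'ok' or 'bad' for path against the expected owner/group/mode.

    lstat() is used deliberately: a symlink is reported as 'bad' so that a link
    pointing at a correctly-owned file elsewhere cannot satisfy the check.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        return "bad"
    actual = (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return "ok" if actual == (expected.uid, expected.gid, expected.mode) else "bad"


def decide_persistence(tails_data, expected_dir, expected_conf):
    """Model of the policy from the message (hypothetical function, not live-persist).

    Wrong TailsData permissions disable both config files; otherwise each config
    file is checked on its own and disabled, with a warning, if it is wrong.
    """
    d = Decision()
    if file_state(tails_data, expected_dir) != "ok":
        d.persistence_conf = False
        d.additional_software_conf = False
        d.warnings.append(f"{tails_data}: wrong ownership or permissions; persistence disabled")
        return d
    for attr, name in (("persistence_conf", "persistence.conf"),
                       ("additional_software_conf", "live-additional-software.conf")):
        path = os.path.join(tails_data, name)
        state = file_state(path, expected_conf)
        if state == "bad":
            setattr(d, attr, False)
            d.warnings.append(f"{path}: wrong ownership or permissions; file ignored")
        elif state == "missing":
            setattr(d, attr, False)  # nothing to load; not an error, so no warning
    return d


def expected_for(path, mode):
    """Build an Expected from the actual owner/group of path plus the given mode bits
    (used by the constructed scenarios below, where chown is not possible without root)."""
    st = os.lstat(path)
    return Expected(st.st_uid, st.st_gid, mode)


def run_scenarios():
    """Build constructed sample TailsData layouts and run the check on each.

    Returns {scenario: (persistence_conf_enabled, additional_software_enabled, warning_count)}.
    """
    scenarios = {  # (TailsData mode, persistence.conf mode, live-additional-software.conf mode)
        "all_correct": (0o750, 0o640, 0o640),
        "persistence_conf_world_writable": (0o750, 0o666, 0o640),
        "additional_software_world_writable": (0o750, 0o640, 0o666),
        "tailsdata_world_writable": (0o777, 0o640, 0o640),
    }
    results = {}
    for name, (dir_mode, p_mode, a_mode) in scenarios.items():
        with tempfile.TemporaryDirectory() as root:
            tails_data = os.path.join(root, "TailsData")
            os.mkdir(tails_data)
            os.chmod(tails_data, dir_mode)
            pconf = os.path.join(tails_data, "persistence.conf")
            aconf = os.path.join(tails_data, "live-additional-software.conf")
            for path, mode in ((pconf, p_mode), (aconf, a_mode)):
                with open(path, "w") as f:
                    f.write("# constructed sample file\n")
                os.chmod(path, mode)
            d = decide_persistence(tails_data,
                                   expected_for(tails_data, 0o750),
                                   expected_for(pconf, 0o640))
            results[name] = (d.persistence_conf, d.additional_software_conf, len(d.warnings))
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

The check is deliberately an exact match on owner, group and mode bits rather than a "not writable by others" test: an exact match also catches a directory that has become too restrictive or changed group, which a looser test would let through silently.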