Announcement

Collapse
No announcement yet.

EFI Security Improvements & More For Linux 4.6

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • EFI Security Improvements & More For Linux 4.6

    Phoronix: EFI Security Improvements & More For Linux 4.6

    EFI-enabled systems will see some nice improvements with the upcoming Linux 4.6 kernel...

    http://www.phoronix.com/scan.php?pag....6-EFI-Updates

  • #2
    Be careful to not do a rm -rf / because that would erase files from /sys/efi and /efi, and this could brick your computer.

    Comment


    • #3
      Originally posted by uid313 View Post
      Be careful to not do a rm -rf / because that would erase files from /sys/efi and /efi, and this could brick your computer.
      ...or just have enough history of risk-averseness to have a BIOS-based desktop and an ARM palmtop with unbrickable booting while you wait for people to come to their senses a bit.

      Comment


      • #4
        Originally posted by uid313 View Post
        Be careful to not do a rm -rf / because that would erase files from /sys/efi and /efi, and this could brick your computer.
        I still don't understand why someone would need to do this.

        Comment


        • #5
          Originally posted by Mystro256 View Post

          I still don't understand why someone would need to do this.
          And again, it's not about someone doing this on purpose.
          Imagine someone runs a clean up script that has something like 'rm -rf ${tmpFolder}/', only for some reason tmpFolder was not set and the script was run with superuser privileges.
          Either way, it's beyond idiotic to allow for deletion of a file (any file) to leave a whole system unable to boot. Back I was introduced to the PC, a clean OS install meant running deltree on C:\, rebooting and inserting the OS install disks.

          Comment


          • #6
            Originally posted by Mystro256 View Post

            I still don't understand why someone would need to do this.
            Some people do it just to see what happens.

            Some people have a typo in their script (as pointed out by bug77)

            Sometimes malicious people do in fact get in, and want to cause problems for you.

            Sometimes malicious people do in fact get in, want to hide their tracks, and have a typo in a cleanup script/command.
            All opinions are my own not those of my employer if you know who they are.

            Comment


            • #7
              Originally posted by uid313 View Post
              Be careful to not do a rm -rf / because that would erase files from /sys/efi and /efi, and this could brick your computer.
              Nah, it's cool. I'll just pop the live USB stick in and do a clean install.

              Seriously, why (or, more importantly, how) someone would/could do this is beyond me.

              Originally posted by bug77 View Post
              And again, it's not about someone doing this on purpose.
              Novices don't know enough to even do something like this, and power-users should know better.

              Imagine someone runs a clean up script that has something like 'rm -rf ${tmpFolder}/', only for some reason tmpFolder was not set and the script was run with superuser privileges.
              Either way, it's beyond idiotic to allow for deletion of a file (any file) to leave a whole system unable to boot. Back I was introduced to the PC, a clean OS install meant running deltree on C:\, rebooting and inserting the OS install disks.
              Well, if there's any silver lining, it's that this could be a great way to make servers abide to the UNIX philosophy more. By allowing the computer to behave in such a way that allows the deletion of critical files, an attacker that gains superuser privledges could take down the server permanently. Fail and fail loudly!

              Perhaps the more security-minded sysadmins will write-protect those system files. Man, I wish all sysadmins already did that...

              Comment


              • #8
                Originally posted by tigerroast View Post
                Nah, it's cool. I'll just pop the live USB stick in and do a clean install.

                Seriously, why (or, more importantly, how) someone would/could do this is beyond me.
                Well maybe someone want to wipe everything from their disk. Or did it by mistake.
                On a BIOS system, this would just wipe the disk.
                On a UEFI system, this would reset the EFI variables and brick the computer.

                Comment


                • #9
                  Originally posted by bug77 View Post

                  And again, it's not about someone doing this on purpose.
                  Imagine someone runs a clean up script that has something like 'rm -rf ${tmpFolder}/', only for some reason tmpFolder was not set and the script was run with superuser privileges.
                  Either way, it's beyond idiotic to allow for deletion of a file (any file) to leave a whole system unable to boot. Back I was introduced to the PC, a clean OS install meant running deltree on C:\, rebooting and inserting the OS install disks.

                  Hold on, isn't that what the no-preserve-root flag is for? I was under the impression that rm -rf / would not work without this flag.

                  Comment


                  • #10
                    Originally posted by Mystro256 View Post


                    Hold on, isn't that what the no-preserve-root flag is for? I was under the impression that rm -rf / would not work without this flag.
                    This guy managed to do it despite no-preserve-root: http://serverfault.com/questions/587...-preserve-root
                    The thing is, you can't protect against all malicious use/misuse no matter how hard you try. Therefore, the sane thing to do is minimize the number of attack vectors (i.e. files that once deleted can brick a system). After all, I can wipe the Windows partition and the computer will still work. Why should Linux be any different?

                    Comment

                    Working...
                    X