overlayFS security concern

Sat Feb 20 12:16:08 AEDT 2021

On Sat, 20 Feb 2021, at 11:01, Kun Zhao wrote:
>  
> Hi Team,
> 
>  
> 
> Have the following case ever been discussed before?,
> 
> Anyone knows the root password will be able to let bmc run their own 
> code by scp the code into bmc with the same file path as any services 
> in rootfs. It will make the secure boot totally useless.
> 
>  
> 
> So besides,
> 
> 1. disable scp (but scp is one of the firmware upload way)

This isn't really a solution as there are other ways to upload files.

> 
> 2. don’t use overlayFS (but it’s really useful for debugging during 
> develop, and configuration management)

Possibly, but it's probably worth looking at IMA instead:

https://sourceforge.net/p/linux-ima/wiki/Home/

Andrew