Bugzilla – Bug 1219788
The live systems should never be writable without an opt-in prompt
Last modified: 2024-02-12 10:46:15 UTC
The live systems should in my opinion never be writable without an opt-in prompt. I was frankly shocked to realize the openSUSE ones are without any prompt on launch whatsoever. Here are the reasons why, to the best of my knowledge:

1. It's insecure. USB sticks are some of the most easily stolen, most portable, most reused and borrowed, and also not reliably irrevocably nullable storages out there. Even if the user is "just" logging into an e-mail account, even just an auto-complete save could leak the password permanently.

2. It can probably cause significant damage. Feel free to prove me wrong on this one, I'm not an expert, but the last time I consciously used a USB stick as writable system root it was dead in a day.

3. It's completely unexpected as a default. You advertise this as a live testing system, not a portable permanent system for longer use. You could still offer this as an opt-in prompt, but this seems to make it a bad idea as a default.

4. It seems bound to break the offline install capability. I installed gparted thinking this was temporary anyway, but this seems to have changed the repo URLs permanently to the remote ones. And when I said "no" to network sources due to my slow connection, the YaST installer broke on itself with internal errors and I couldn't install.

5. In my opinion, it is bound to get the intended type of user, a newbie experimenting, into unsolvable breakages. This is because it makes issues like 4 a nightmare especially(!) for your main target audience, as a reboot won't just reverse it.
Hi,

(In reply to el@horse64.org from comment #0)
> The live systems should in my opinion never be writable without an opt-in prompt. I was frankly shocked to realize the openSUSE ones are without any prompt on launch whatsoever.

Just so that I properly understand the context of your request: this is about openSUSE Leap 15.4, correct? Which live image did you use? An ISO image written to a USB thumb drive, or a different image or method?

> Here are the reasons why, to the best of my knowledge:
>
> 1. It's insecure. USB sticks are some of the most easily stolen, most portable, most reused and borrowed, and also not reliably irrevocably nullable storages out there. Even if the user is "just" logging into an e-mail account, even just an auto-complete save could leak the password permanently.

Leaking data this way is a valid concern. I personally would never do production tasks in a live system, but an average user might. There is sadly also (or at least has been) a tendency of live systems to be configured insecurely on the network level, by using e.g. default passwords for SSH and things like this.

> 2. It can probably cause significant damage. Feel free to prove me wrong on this one, I'm not an expert, but the last time I consciously used a USB stick as writable system root it was dead in a day.

There might be cases of very badly designed hardware where this breaks stuff. Since live systems usually won't be used intensively, I see this as less of a risk though.

> 3. It's completely unexpected as a default. You advertise this as a live testing system, not a portable permanent system for longer use. You could still offer this as an opt-in prompt, but this seems to make it a bad idea as a default.

That is true, I would also be surprised by this. I will try to involve the proper people to discuss this. But first I want to reproduce it on my own once you have answered my question above about which image and method you used.

> 4. It seems bound to break the offline install capability. I installed gparted thinking this was temporary anyway, but this seems to have changed the repo URLs permanently to the remote ones. And when I said "no" to network sources due to my slow connection, the YaST installer broke on itself with internal errors and I couldn't install.

This also sounds bad.

> 5. In my opinion, it is bound to get the intended type of user, a newbie experimenting, into unsolvable breakages. This is because it makes issues like 4 a nightmare especially(!) for your main target audience, as a reboot won't just reverse it.

I tend to agree. Let's see if we can get to the bottom of this and improve it. Thanks for reporting this.