Author: Simon Hobson Date: To: dng@lists.dyne.org Subject: Re: [DNG] Bad UEFI: was Systemd at work: rm -rf EFI
KatolaZ <katolaz@???> wrote:
> I don't get why any of those occasional "sysadmin-wannabe" users you
> have described above would ever need to mess around with their UEFI by
> hand.
They don't. But certain tasks they run apparently can do - did someone mention Grub updating it?
So one scenario (which I think is the most likely) goes like this:
User instructs system to install updates (whether that's via cli "apt-get ..." or by clicking in a GUI). One (or more) of those updates triggers a Grub update. Grub runs update process, and for whatever reason wants to update UEFI settings.
To cater for this, certain camps have set the default to "mount the virtual filesystem r/w all the time" - which has the dangers discussed.
Some are suggesting that the user should have to manually mount it for these occasions. My feeling is that this puts an unnecessary technical burden on the less knowledgeable, some of whom will take the attitude that "it's broken" when updates don't install properly.
My suggestion is to (re)mount r/w when this occurs - by default asking the user permission first - and either unmount or remount r/o afterwards. A config option could be provided (in a config file) so the utilities needing to do this could assume permission and do it transparently - *IF* the user/admin sets that option.
Those that don't want the filesystem mounted, ever, without them manually doing it can easily adjust fstab and settings to allow for that.
IMO this caters for those who want it to "just happen", for those that want to have to give permission each time, and those who want full manual control.
Of course, unless you physically remove support for the virtual filesystem, then there's nothing to stop any program with enough privileges from mounting the filesystem when it wants.
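
The remount-on-demand scheme proposed in this message, sketched as an added example (not part of the original post and not code from Grub or any distribution). Assumptions: the virtual filesystem is efivarfs at its usual mount point `/sys/firmware/efi/efivars` and is normally mounted read-only; the config file `/etc/efivars-rw.conf`, its `ASSUME_YES=1` line, the `EFIVARS_*` variables and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: make efivarfs writable only while one command runs.
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
# Hypothetical config file; the line "ASSUME_YES=1" means "do it transparently".
EFIVARS_CONF="${EFIVARS_CONF:-/etc/efivars-rw.conf}"
# Overridable so the logic can be exercised without root (assumption).
EFIVARS_MOUNT_CMD="${EFIVARS_MOUNT_CMD:-mount}"

efivars_permitted() {
    # The admin opted in through the config file: no prompt.
    if [ -r "$EFIVARS_CONF" ] && grep -q '^ASSUME_YES=1$' "$EFIVARS_CONF"; then
        return 0
    fi
    # Default: ask first; anything other than y/Y is a refusal.
    printf 'Remount %s read-write to run "%s"? [y/N] ' "$EFIVARS_DIR" "$*" >&2
    read -r answer || return 1
    case "$answer" in
        y|Y) return 0 ;;
        *)   return 1 ;;
    esac
}

with_efivars_rw() {
    efivars_permitted "$@" || {
        echo "efivars left read-only; not running: $*" >&2
        return 77
    }
    (
        # Subshell scopes the traps. EXIT restores read-only whether the
        # command succeeds, fails, or the wrapper is interrupted.
        trap '"$EFIVARS_MOUNT_CMD" -o remount,ro "$EFIVARS_DIR" ||
              echo "WARNING: $EFIVARS_DIR is still read-write" >&2' EXIT
        trap 'exit 130' INT TERM
        "$EFIVARS_MOUNT_CMD" -o remount,rw "$EFIVARS_DIR" || exit 78
        "$@"
        status=$?
        exit "$status"
    )
}

# Usage, as root, from a package hook (the wrapped command is a placeholder):
#   with_efivars_rw <command that updates UEFI variables>
```

The wrapper returns the wrapped command's exit status, or 77 when permission is refused and 78 when the read-write remount fails.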