Information
ID: 522
PHID: PHID-TASK-7klcm2uwogjn2ldbtf2d
Author: Lobster
Status at Migration Time: open
Priority at Migration Time: Wishlist
Description
Change the partition scheme from a single root partition to multiple partitions to allow the use of mount options (noexec, nodev, nosuid) and to prevent attacks which involve filling up all available space
See also:
https://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s3.2
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s4.10
http://web.archive.org/web/20150905090218/http://hermann-uwe.de/blog/towards-a-moderately-paranoid-debian-laptop-setup--part-1-base-system
Comments
Patrick
2018-08-03 10:33:45 UTC
Not easy.
To create the base raw image during the build we are using grml-debootstrap. (Creating base raw images is not a trivial process, so a specialized tool for that is being used.)
I do not think grml-debootstrap supports such a feature. Please consider posting a feature request against upstream against grml-debootstrap and/or implement that feature upstream.
Alternatively do the same as above with image-bootstrap . The alternative project and upstream might be quicker to implement it. Although that may likely create more follow up tasks. We do not have a ticket yet for porting Whonix build process from using the old grml-debootstrap to using the more modern (but not packaged for Debian) image-bootstrap. It would have to be checked, if image-bootstrap can already do everything that we require using grml-debootstrap for at the moment.
See also:
https://forums.whonix.org/t/replacing-grml-debootstrap-debos-build-platform