GUF-Yocto-jethro-9.0-r7707-0
i.MX6
User Manual
10.3 autostart
Garz & Fricke devices are equipped with an autostart and an automount service. As this service executes anything found on the mounted medium with root privileges and without further checking, it is a possible vulnerability: anyone who can plug a storage medium into the device gets root code execution.
Restricting physical access to the interfaces by the mechanical construction is one way to reduce the risk of attacks. To disable this feature completely, execute:
mv /etc/udev/rules.d/automount.rules /etc/udev/rules.d/automount.rules.disabled
Note: Updating the device with Flash-N-Go Update or any other automatic update tool is not possible without the autostart feature.
It should be possible to add special security checks to the mount script so that only the automatic update is allowed while all other executables on the medium are suppressed.
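As an illustration of such a check (an added example, not the Garz & Fricke mount script), the hook below mounts the medium read-only with noexec/nosuid/nodev, accepts only a single file with a fixed name, and runs it only if its SHA-256 digest appears in a root-owned list of trusted update digests. The file name update.sh and the path /etc/autostart/trusted.sha256 are assumptions for this example.

```shell
#!/bin/sh
# Hypothetical hardened automount hook (example only, not the vendor script).
# Assumption: the update tool is shipped as a single file named update.sh and
# the digests of released update files are kept in a root-only, read-only list.
ALLOWED_NAME="update.sh"
TRUSTED_DIGESTS="${TRUSTED_DIGESTS:-/etc/autostart/trusted.sha256}"   # assumed path

# check_update_media <mountpoint>
# Returns 0 only if <mountpoint>/update.sh is a regular file (not a symlink,
# which could point outside the medium) whose SHA-256 is in the trusted list.
check_update_media() {
    media="$1"
    candidate="$media/$ALLOWED_NAME"
    [ ! -L "$candidate" ] && [ -f "$candidate" ] || return 1
    digest=$(sha256sum "$candidate" | cut -d' ' -f1)
    # -x: the whole line must equal the digest, so a prefix never matches.
    grep -qx "$digest" "$TRUSTED_DIGESTS"
}

# run_update_from <blockdevice> <mountpoint>
# Mounts read-only and without exec/suid/dev rights, so nothing on the medium
# can run by itself; only the verified file is handed to the shell explicitly.
run_update_from() {
    dev="$1"; mnt="$2"
    mount -o ro,noexec,nosuid,nodev "$dev" "$mnt" || return 1
    if check_update_media "$mnt"; then
        sh "$mnt/$ALLOWED_NAME"; rc=$?
    else
        logger -t autostart "rejected medium $dev: no trusted $ALLOWED_NAME found"
        rc=1
    fi
    umount "$mnt"
    return $rc
}
```

The digest list must live on the root filesystem with root-only write access; a list stored on the removable medium itself would be attacker-controlled.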
10.4 Flash-N-Go System
Newer Garz & Fricke devices are equipped with a Flash-N-Go System as backup OS. Within Flash-N-Go the user has full control of the device's configuration and of the partitions on the flash disk or eMMC without a password or any further authentication.
As described in [9 Deploying the Linux system to the target], booting into Flash-N-Go System can be triggered by pressing the bootmode switch or with the bootselect tool from the Yocto OS.
The bootselect tool can only change the bootmode when called with root privileges, so following the password and user suggestions from [10.2 User permissions concept] should solve this issue.
The bootmode switch should be secured by restricting physical access to it through the mechanical construction.
If this is impossible, the backup OS can be disabled with the following command sequence:
root@gufboardll:~# mount /dev/mmcblk0p2 /mnt/
root@gufboardll:~# mv /mnt/boot.cfg /mnt/boot-alt.cfg
root@gufboardll:~# umount /mnt/
root@gufboardll:~# mount /dev/mmcblk0p1 /mnt/
root@gufboardll:~# mv /mnt/boot-alt.cfg /mnt/boot-alt.cfg.bak
root@gufboardll:~# umount /mnt/
Note: This change disables access to the backup OS Flash-N-Go System completely. If the normal OS becomes inaccessible for some reason, there is no way for a customer to fix the device.
Note: Updating the system in the normal way is impossible without the backup OS Flash-N-Go System. It is, however, possible to revert the change and re-enable Flash-N-Go System from the normal OS, provided that the normal OS is still functional.
10.5 Networking
10.5.1 Firewall - netfilter/iptables
By default, all network communication is allowed. Linux can be configured to block certain IP packets depending on their headers (e.g. by port or by protocol) using iptables, which is basically a firewall. As this mechanism is very powerful and complex, it is not documented here in detail. Please take a look at the following link for a basic introduction:
https://help.ubuntu.com/community/IptablesHowTo
As a starting point we show some basic use cases here.
Note: If you call these commands from a network login, your connection can break. Without physical access to the serial or USB console, you will then not be able to access the device anymore.
Block all network traffic: