Commit 4a555542 authored by Craig Andrews's avatar Craig Andrews

Improve security by restricting the EFS mount

noexec: Do not permit direct execution of any binaries on the mounted filesystem.
nodev: Do not interpret character or block special devices on the file system.
nosuid: Do not honor set-user-ID and set-group-ID bits or file capabilities when executing programs from this filesystem.
parent 55b94b0f
Pipeline #86167780 passed with stages
in 3 minutes and 30 seconds
......@@ -36,7 +36,8 @@ files:
$(/opt/elasticbeanstalk/bin/get-config environment -k EFS_FILE_SYSTEM_ID)
[ ! -d /efs ] && mkdir /efs && chown versionpress:versionpress /efs
mountpoint -q /efs || mount -t efs "${EFS_FILE_SYSTEM_ID}":/ /efs -o fsc
mountpoint -q /efs || \
mount -t efs "${EFS_FILE_SYSTEM_ID}":/ /efs -o fsc,noexec,nodev,nosuid
chown versionpress:versionpress /efs
chmod 777 /efs
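Review bot: The added options only apply on a fresh mount, because `mountpoint -q /efs ||` skips the `mount` call when `/efs` is already mounted; an instance that mounted it earlier with `-o fsc` keeps running without noexec/nodev/nosuid. The `>> /etc/fstab` line in the second file has the same limitation, since it only appends an entry and any older one would presumably remain. Either rotate instances as part of the rollout or follow the guarded mount with `mount -o remount,noexec,nodev,nosuid /efs`, which should be tested against the EFS mount helper first. The unchanged `chmod 777 /efs` two lines below also leaves the mount root world-writable, which undercuts the restriction; a narrower mode such as `chmod 770 /efs` is worth considering if only `versionpress` needs access. The surrounding script extends beyond this hunk.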
......
......@@ -1714,7 +1714,7 @@
{
"Ref": "FileSystem"
},
":/ /efs efs _netdev,fsc\" >> /etc/fstab"
":/ /efs efs _netdev,fsc,noexec,nodev,nosuid\" >> /etc/fstab"
]
]
},
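Review bot: `noexec` in this fstab entry blocks only direct execution of files on `/efs`; it does not stop an interpreter from reading and running a script stored there, so anything an application runtime loads from the mount is unaffected. The commit message's "direct execution of any binaries" is accurate, but the limit is worth recording next to the template (JSON has no comments, so in the stack description or README), for example `noexec/nodev/nosuid on /efs restrict binaries, device nodes and setuid files only; script execution from /efs must be restricted in the application server configuration`. The option list is also now spelled out separately here and in the mount command of the first file, so the two have to be kept in sync by hand. The enclosing array starts outside this hunk.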
......