authorCraig Jennings <c@cjennings.net>2026-05-06 22:50:37 -0500
committerCraig Jennings <c@cjennings.net>2026-05-06 22:50:37 -0500
commit6bb30128d5e3ee506fd189fbc239fae13aad6a02 (patch)
tree02556e7c8f5016a75bb5e470b46918ea2a5ee14b
parent22e6e4ed666c9801ec6716a274a171643a5ab2a5 (diff)
downloadarchsetup-6bb30128d5e3ee506fd189fbc239fae13aad6a02.tar.gz
archsetup-6bb30128d5e3ee506fd189fbc239fae13aad6a02.zip
fix(archsetup): tighten /efi mount permissions in fstab
archinstall writes the /efi line to /etc/fstab with `defaults` (or similar) and no fmask/dmask, so files inside end up 0755. Kernel images, initramfs, and bootloader config are world-readable on a freshly installed system. On a single-user machine that's mild, but there's no good reason to leave it that way. I added a guarded sed to boot_ux() that appends `fmask=0177,dmask=0077` to the /efi vfat line. Files end up 0600 and dirs 0700, root-only. The block is idempotent: the two guards check that the /efi line exists and that fmask= isn't already there before touching anything. I patched this machine's fstab the same way, so the new options take effect on next boot.
-rwxr-xr-xarchsetup11
1 files changed, 11 insertions, 0 deletions
diff --git a/archsetup b/archsetup
index 88e69db..6decbdd 100755
--- a/archsetup
+++ b/archsetup
@@ -2045,6 +2045,17 @@ supplemental_software() {
boot_ux() {
action="Boot UX" && display "title" "$action"
+ # Tighten /efi mount permissions so kernel images, initramfs, and
+ # bootloader config aren't world-readable. archinstall's defaults leave
+ # them at 0755; fmask/dmask below makes files 0600 and dirs 0700.
+ # Idempotent: skipped if fmask= is already present on the /efi line.
+ if grep -qE "^[^#].*[[:space:]]/efi[[:space:]]+vfat[[:space:]]" /etc/fstab \
+ && ! grep -E "^[^#].*[[:space:]]/efi[[:space:]]+vfat[[:space:]]" /etc/fstab | grep -q "fmask="; then
+ action="tightening /efi mount permissions in fstab" && display "task" "$action"
+ sed -i -E '/^[^#].*[[:space:]]\/efi[[:space:]]+vfat[[:space:]]/ s/([[:space:]]+vfat[[:space:]]+)([^[:space:]]+)/\1\2,fmask=0177,dmask=0077/' /etc/fstab \
+ || error_warn "$action" "$?"
+ fi
+
# Add nvme module for early loading on NVMe systems
# Ensures NVMe devices are available when ZFS/other hooks try to access them
if has_nvme_drives; then