| author | Craig Jennings <c@cjennings.net> | 2026-05-06 22:50:37 -0500 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-05-06 22:50:37 -0500 |
| commit | 6bb30128d5e3ee506fd189fbc239fae13aad6a02 (patch) | |
| tree | 02556e7c8f5016a75bb5e470b46918ea2a5ee14b /scripts | |
| parent | 22e6e4ed666c9801ec6716a274a171643a5ab2a5 (diff) | |
fix(archsetup): tighten /efi mount permissions in fstab
archinstall writes the /efi line to /etc/fstab with `defaults` (or similar) and no fmask/dmask, so files inside end up 0755. Kernel images, initramfs, and bootloader config are world-readable on a freshly installed system. On a single-user machine that's mild, but there's no good reason to leave it that way.
I added a guarded sed to boot_ux() that appends `fmask=0177,dmask=0077` to the /efi vfat line. Files end up 0600 and dirs 0700, root-only. The block is idempotent. Both guards check that the /efi line exists and that fmask= isn't already there before touching anything. I patched this machine's fstab the same way, so the new options take effect on next boot.
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions
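
The guarded, idempotent fstab edit that the commit message describes, as an added example that is not archsetup's own code. The function name `harden_efi_mount`, the matching regex and the sample fstab are constructed here for illustration; the project's `boot_ux()` block may differ.

```shell
#!/bin/sh
# Added example; harden_efi_mount is a hypothetical name, not the project's function.

# Non-comment fstab line whose mount point is /efi and whose type is vfat.
EFI_RE='^[[:space:]]*[^#[:space:]][^[:space:]]*[[:space:]]+/efi[[:space:]]+vfat[[:space:]]+'

harden_efi_mount() {
    fstab=$1
    # Guard 1: nothing to do when there is no /efi vfat entry.
    grep -Eq "$EFI_RE" "$fstab" || return 0
    # Guard 2: leave the line alone when fmask= is already set.
    if grep -E "$EFI_RE" "$fstab" | grep -q 'fmask='; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    # Append the masks to the options field (4th column) of the /efi line only.
    # fmask=0177 gives files 0600, dmask=0077 gives directories 0700.
    sed -E "s|($EFI_RE[^[:space:]]+)|\1,fmask=0177,dmask=0077|" "$fstab" > "$tmp" &&
        cat "$tmp" > "$fstab"   # rewrite in place: keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample fstab, run through the function twice to show idempotence.
demo=$(mktemp)
printf '%s\n' \
    'UUID=1111-2222  /efi  vfat  defaults     0 2' \
    'UUID=aaaa-bbbb  /     ext4  rw,relatime  0 1' > "$demo"
harden_efi_mount "$demo" && harden_efi_mount "$demo"
cat "$demo"
rm -f "$demo"
```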
