| -rwxr-xr-x | archsetup | 11 |
1 files changed, 11 insertions, 0 deletions
@@ -2045,6 +2045,17 @@ supplemental_software() {
 boot_ux() {
 action="Boot UX" && display "title" "$action"
+ # Tighten /efi mount permissions so kernel images, initramfs, and
+ # bootloader config aren't world-readable. archinstall's defaults leave
+ # them at 0755; fmask/dmask below makes files 0600 and dirs 0700.
+ # Idempotent: skipped if fmask= is already present on the /efi line.
+ if grep -qE "^[^#].*[[:space:]]/efi[[:space:]]+vfat[[:space:]]" /etc/fstab \
+ && ! grep -E "^[^#].*[[:space:]]/efi[[:space:]]+vfat[[:space:]]" /etc/fstab | grep -q "fmask="; then
+ action="tightening /efi mount permissions in fstab" && display "task" "$action"
+ sed -i -E '/^[^#].*[[:space:]]\/efi[[:space:]]+vfat[[:space:]]/ s/([[:space:]]+vfat[[:space:]]+)([^[:space:]]+)/\1\2,fmask=0177,dmask=0077/' /etc/fstab \
+ || error_warn "$action" "$?"
+ fi
+
 # Add nvme module for early loading on NVMe systems
 # Ensures NVMe devices are available when ZFS/other hooks try to access them
 if has_nvme_drives; then
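Review bot: The new fmask/dmask values only take effect when /efi is next mounted, so if the ESP is already mounted when this runs (boot_ux's body continues past the hunk, so I can't tell from here), the kernel images and initramfs stay world-readable until reboot; after the `sed` succeeds, remount in place, e.g. insert `&& { ! mountpoint -q /efi || mount -o remount /efi; } \` before the `|| error_warn "$action" "$?"` line, since `mount -o remount` with only the mountpoint re-reads the options from fstab. The idempotence guard also skips any /efi line that already carries some `fmask=`, including a looser one such as `fmask=0022`, so the "files 0600" claim in the comment holds only when this block set the value itself; match on `fmask=0177` or state that exception in the comment. If archinstall placed the ESP at /boot or /boot/efi instead of /efi, the first grep matches nothing and the hardening is silently skipped, which is worth surfacing with an `else` branch that calls `display`/`error_warn` so the omission shows up in the log.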
