authorShulhan <ms@kilabit.info>2023-09-12 14:57:01 +0700
committerShulhan <ms@kilabit.info>2023-09-12 14:57:01 +0700
commitf1fac86edd64455562f2d1744b6f3d670e8ef09d (patch)
tree18e40b17b0cc119c434e61af0df4d6f2bfd2b2bb /build-arch-gce
parentbb47b014ccaa0fa31487ee014d7ce2c565c867da (diff)
downloadcompute-archlinux-image-builder-f1fac86edd64455562f2d1744b6f3d670e8ef09d.tar.xz
all: fix permission warnings during installing boot loader
The following warnings are logged when running bootctl: "! Mount point '/boot' which backs the random seed file is world accessible, which is a security hole!" and "! Random seed file '/boot/loader/.#bootctlrandom-seedd8660b2d2ae5697a' is world accessible, which is a security hole!". The fix is to mount /boot with the options "uid=0,gid=0,fmask=0077,dmask=0077".
Diffstat (limited to 'build-arch-gce')
-rwxr-xr-xbuild-arch-gce5
1 files changed, 3 insertions, 2 deletions
diff --git a/build-arch-gce b/build-arch-gce
index b10f16d..cd40436 100755
--- a/build-arch-gce
+++ b/build-arch-gce
@@ -62,7 +62,8 @@ mount -- "$root_dev" "$mount_dir"
echo '- Mounting the boot partition.'
mkdir -p -- "$mount_dir/boot"
-mount -- "$boot_dev" "$mount_dir/boot"
+chmod 0700 "$mount_dir/boot"
+mount -o uid=0,gid=0,fmask=0077,dmask=0077 -- "$boot_dev" "$mount_dir/boot"
echo '- Copy the host pacman database caches'
mkdir -p $mount_dir/var/lib/pacman/sync
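Review bot: The new `chmod 0700 "$mount_dir/boot"` line omits the `--` end-of-options separator that the neighbouring `mkdir -p --` and `mount --` lines use; for consistency write `chmod 0700 -- "$mount_dir/boot"`. The chmod also only affects the underlying directory: once the vfat filesystem is mounted on it, the mode bootctl observes at that path comes from the `dmask=0077` mount option, so the chmod appears to be belt-and-braces rather than the fix itself, and a one-line comment such as `# Restrict the mount point itself too; dmask=0077 below governs the mounted fs.` would make that intent clear. The option set `uid=0,gid=0,fmask=0077,dmask=0077` is now spelled out both here and in the fstab entry of the second hunk (which additionally carries `showexec`), so the two have already drifted; defining it once, e.g. `boot_mount_opts='uid=0,gid=0,fmask=0077,dmask=0077'`, and using `-o "$boot_mount_opts"` here and `"$boot_mount_opts,showexec"` in print_fstab would keep runtime and fstab mounts in step. Whether the script runs under `set -e` is not visible in this hunk, so the unchecked `mount` status is noted as a possible gap only.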
@@ -87,7 +88,7 @@ print_fstab() {
} >> "$mount_dir/etc/fstab"
{
print_fstab root "$root_uuid" / ext4 rw,discard,errors=remount-ro,x-systemd.growfs 0 1
- print_fstab boot "$boot_uuid" /boot vfat uid=root,gid=root,umask=022,showexec 0 0
+ print_fstab boot "$boot_uuid" /boot vfat uid=0,gid=0,fmask=0077,dmask=0077,showexec 0 0
}
echo '- Running additional setup in chroot.'
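Review bot: The new fstab line changes /boot from world-readable (`umask=022`) to owner-only (`fmask=0077,dmask=0077`) without recording why, and nothing near the line explains the tightening; a comment such as `# root-only masks: bootctl warns when the mount point and random-seed file on /boot are world accessible.` above the `print_fstab boot` call would preserve the rationale given in the commit message for future readers. Note that `showexec` is kept, so only files with .EXE/.COM/.BAT extensions keep their execute bits under the new mask, which seems intended for an EFI partition but is worth stating explicitly if so. The brace group containing this call opens at line 32 and its closing redirection lies outside the hunk.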