From f1fac86edd64455562f2d1744b6f3d670e8ef09d Mon Sep 17 00:00:00 2001
From: Shulhan
Date: Tue, 12 Sep 2023 14:57:01 +0700
Subject: all: fix permission warnings during installing boot loader

The following warnings are logged when running bootctl,

! Mount point '/boot' which backs the random seed file is world accessible, which is a security hole! !
! Random seed file '/boot/loader/.#bootctlrandom-seedd8660b2d2ae5697a' is world accessible, which is a security hole! !

The fix is by mounting the /boot with options "uid=0,gid=0,fmask=0077,dmask=0077".
---
 build-arch-gce | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'build-arch-gce')

diff --git a/build-arch-gce b/build-arch-gce
index b10f16d..cd40436 100755
--- a/build-arch-gce
+++ b/build-arch-gce
@@ -62,7 +62,8 @@ mount -- "$root_dev" "$mount_dir"
 
 echo '- Mounting the boot partition.'
 mkdir -p -- "$mount_dir/boot"
-mount -- "$boot_dev" "$mount_dir/boot"
+chmod 0700 "$mount_dir/boot"
+mount -o uid=0,gid=0,fmask=0077,dmask=0077 -- "$boot_dev" "$mount_dir/boot"
 
 echo '- Copy the host pacman database caches'
 mkdir -p $mount_dir/var/lib/pacman/sync
@@ -87,7 +88,7 @@ print_fstab() {
 } >> "$mount_dir/etc/fstab"
 {
 print_fstab root "$root_uuid" / ext4 rw,discard,errors=remount-ro,x-systemd.growfs 0 1
-print_fstab boot "$boot_uuid" /boot vfat uid=root,gid=root,umask=022,showexec 0 0
+print_fstab boot "$boot_uuid" /boot vfat uid=0,gid=0,fmask=0077,dmask=0077,showexec 0 0
 }
 
 echo '- Running additional setup in chroot.'
--
cgit v1.3
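Review bot: The new mount line in the first hunk passes vfat-only options (uid, gid, fmask, dmask) but relies on filesystem autodetection, while the fstab entry in the second hunk pins the type to vfat; making the build-time mount explicit keeps the two in step and turns a wrong partition type into an immediate, clear mount error rather than an "unknown option" message, `mount -t vfat -o uid=0,gid=0,fmask=0077,dmask=0077 -- "$boot_dev" "$mount_dir/boot"`. The added `chmod` is also the only line in this stretch that omits the `--` end-of-options guard the surrounding mkdir/mount lines use, `chmod 0700 -- "$mount_dir/boot"`. A short comment above the chmod would help the next reader, since the permission on the underlying mount point only matters while the partition is not mounted (the mounted view is governed by dmask), e.g. `# 0700 on the mount point itself so /boot is not world-readable even before the ESP is mounted`.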