
#1 2025-11-04 07:31:13

othersamo_
Member
From: Braislava
Registered: 2020-10-26
Posts: 146

Mount point /boot world accessible

Hello,
I have booted my system and saw 2 errors happening:

Nov 04 08:16:26 Samo-PCFW bootctl[770]:  Mount point '/boot' which backs the random seed file is world accessible, which is a security hole! 
Nov 04 08:16:26 Samo-PCFW bootctl[770]: Random seed file '/boot/loader/random-seed' is world accessible, which is a security hole!

I tried running the commands stated in this thread but it did not help: https://bbs.archlinux.org/viewtopic.php?id=287790

sudo umount /boot  -- works fine but
sudo mount -o uid=0,gid=0,fmask=0077,dmask=0077 /dev/nvme0n1p1/boot
-- returns error: mount: /dev/nvme0n1p1/boot: can't find in /etc/fstab.

Thank you


"Why join the navy if you can be a pirate?"
- Steve Jobs


#2 2025-11-04 07:34:56

othersamo_
Member
From: Braislava
Registered: 2020-10-26
Posts: 146

Re: Mount point /boot world accessible

Here are the debug messages:

mount
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sys on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
dev on /dev type devtmpfs (rw,nosuid,relatime,size=16047812k,nr_inodes=4011953,mode=755,inode64)
run on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755,inode64)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
/dev/nvme0n1p2 on / type ext4 (rw,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64,usrquota)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=600,ptmxmode=000)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
none on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=42,pgrp=1,timeout=0,minproto=5,maxproto=5,direct)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,pagesize=2M)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
tmpfs on /run/credentials/systemd-resolved.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,size=16071920k,nr_inodes=1048576,inode64,usrquota)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=3214380k,nr_inodes=803595,mode=700,uid=1000,gid=1000,inode64)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
stat /boot/loader/random-seed
  File: /boot/loader/random-seed
  Size: 32              Blocks: 8          IO Block: 4096   regular file
Device: 259,1   Inode: 21          Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-11-04 01:00:00.000000000 +0100
Modify: 2025-11-04 08:16:26.000000000 +0100
Change: 2025-11-04 08:16:26.000000000 +0100
 Birth: 2025-11-04 08:16:26.560000000 +0100
stat /boot/loader/
  File: /boot/loader/
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 259,1   Inode: 20          Links: 3
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-11-04 01:00:00.000000000 +0100
Modify: 2025-11-04 08:16:26.000000000 +0100
Change: 2025-11-04 08:16:26.000000000 +0100
 Birth: 2024-06-10 16:07:42.280000000 +0200
stat /boot
  File: /boot
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 259,1   Inode: 1           Links: 4
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 1970-01-01 01:00:00.000000000 +0100
Modify: 1970-01-01 01:00:00.000000000 +0100
Change: 1970-01-01 01:00:00.000000000 +0100
 Birth: 1970-01-01 01:00:00.000000000 +0100
stat /boot -- after umounting
  File: /boot
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 259,2   Inode: 48496641    Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-11-03 14:01:25.273823910 +0100
Modify: 2024-06-10 15:59:27.890098054 +0200
Change: 2024-06-10 15:59:27.890098054 +0200
 Birth: 2024-06-10 15:59:27.890098054 +0200



#3 2025-11-04 07:56:12

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 70,964

Re: Mount point /boot world accessible

sudo mount -o uid=0,gid=0,fmask=0077,dmask=0077 /dev/nvme0n1p1/boot

You my younger self… lost a blank but you want to edit the fstab entry anyway.

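A small audit script, added here as an example and not something posted in the thread, that applies the same world-accessibility test behind the bootctl warning in post #1 to the three paths it complains about (the mount point, the loader directory and the random-seed file) and prints an fstab line carrying the uid/gid/fmask/dmask options from post #1 so they survive a reboot. It assumes GNU stat (Linux) and reuses the device /dev/nvme0n1p1 and mount point /boot from the thread; the function names and the vfat entry layout are this example's own assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the check behind the
# bootctl warning (any "other" permission bit set on the ESP mount point, the
# loader directory or the random-seed file) and prints the fstab line that
# applies the masks from post #1 at boot. Device /dev/nvme0n1p1 and mount
# point /boot come from the thread; everything else here is assumed.

# world_accessible OCTAL_MODE: succeed (exit 0) if any r/w/x bit for "other"
# is set. Accepts "755", "0755" and stat's "40755"-style values alike.
world_accessible() {
    m="$1"
    # keep only the last three octal digits (user/group/other)
    low="${m#"${m%???}"}"
    [ $(( 0$low & 7 )) -ne 0 ]
}

# audit_esp MOUNTPOINT: print every world-accessible entry among the paths
# bootctl complains about; exit 0 if all are locked down, 1 otherwise.
audit_esp() {
    esp="$1"
    bad=0
    for p in "$esp" "$esp/loader" "$esp/loader/random-seed"; do
        [ -e "$p" ] || continue            # random-seed may not exist yet
        mode=$(stat -c %a "$p")            # GNU stat: octal permission bits
        if world_accessible "$mode"; then
            echo "world accessible: $p (mode $mode)"
            bad=1
        fi
    done
    return "$bad"
}

# fstab_entry DEVICE MOUNTPOINT: the entry that makes the masks persistent.
# Note the space between device and mount point: the command in post #1 ran
# them together, so mount looked up "/dev/nvme0n1p1/boot" in /etc/fstab.
fstab_entry() {
    printf '%s %s vfat rw,relatime,uid=0,gid=0,fmask=0077,dmask=0077 0 2\n' "$1" "$2"
}

# Stand-alone usage: sh esp_audit.sh [MOUNTPOINT]   (defaults to /boot)
main() {
    esp="${1:-/boot}"
    audit_esp "$esp"
    status=$?
    echo "suggested /etc/fstab line:"
    fstab_entry /dev/nvme0n1p1 "$esp"
    return "$status"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root with `sh esp_audit.sh /boot`; a non-zero exit means at least one of the three paths is still world accessible. After the printed line is in /etc/fstab, `umount /boot` followed by `mount /boot` reapplies the masks from fstab, and the audit should then report nothing.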
