So, I have this recurring issue whenever I try to install systemd-boot on Arch. I noticed it while trying to install this on my main system, so now I keep testing it in a VM, trying to fix this.
Whenever I run "bootctl install", it shows me this warning:
! Mount point '/boot' which backs the random seed file is world accessible, which is a security hole! !
! Random seed file '/boot/loader/random-seed' is world accessible, which is a security hole! !
I tried to change permissions in /etc/fstab, but it doesn't work.
It doesn't affect functionality and the system works just fine (I have it only on a VM for now), but I don't want any holes in security.
Last edited by Drzony (2023-08-06 21:33:32)
This doesn't work? https://bbs.archlinux.org/viewtopic.php?id=287695
https://ugjka.net
paru > yay | vesktop > discord
pacman -S spotify-launcher
mount /dev/disk/by-...
This doesn't work? https://bbs.archlinux.org/viewtopic.php?id=287695
Yeah, tried this one. This one too: https://forum.endeavouros.com/t/bootctl … inal/43991
Both didn't work.
Last edited by Drzony (2023-08-05 23:05:59)
Didn't work isn't an error message or a useful description of the status quo:
mount
stat /boot/loader/random-seed
stat /boot/loader
stat /boot
umount /boot
stat /boot
Didn't work isn't an error message or a useful description of the status quo:
mount
stat /boot/loader/random-seed
stat /boot/loader
stat /boot
umount /boot
stat /boot
Sorry, my bad. I meant that I tried to change the permissions as described in those threads, but I still get the warnings above whenever I run the "bootctl install" command.
Also, I ran the commands you listed and here are the outputs:
mount:
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sys on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
dev on /dev type devtmpfs (rw,nosuid,relatime,size=1942580k,nr_inodes=485645,mode=755,inode64)
run on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755,inode64)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
/dev/sda3 on / type ext4 (rw,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=34,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=11872)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,pagesize=2M)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
systemd-1 on /efi type autofs (rw,relatime,fd=49,pgrp=1,timeout=120,minproto=5,maxproto=5,direct,pipe_ino=13938)
/dev/sda1 on /boot type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,size=1999040k,nr_inodes=1048576,inode64)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=399804k,nr_inodes=99951,mode=700,uid=1000,gid=984,inode64)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=984)
some translations:
pliki: files
rozmiar: size
bloków/bloki: blocks
katalog: folder
urządzenie: device
dostęp: access
modyfikacja: modified
zmiana: changed
utworzenie: created
dowiązać: connect/link?
stat /boot/loader/random-seed
Plik: /boot/loader/random-seed
rozmiar: 32 bloków: 8 bloki I/O: 4096 plik zwykły
Urządzenie: 8,1 inody: 5 dowiązań: 1
Dostęp: (0700/-rwx------) Uid: ( 0/ root) Gid: ( 0/ root)
Dostęp: 2023-08-06 00:00:00.000000000 +0000
Modyfikacja: 2023-08-06 19:27:32.000000000 +0000
Zmiana: 2023-08-06 19:27:32.000000000 +0000
Utworzenie: 2023-08-06 19:27:33.050000000 +0000
stat /boot/loader:
Plik: /boot/loader
rozmiar: 4096 bloków: 8 bloki I/O: 4096 katalog
Urządzenie: 8,1 inody: 3 dowiązań: 3
Dostęp: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ root)
Dostęp: 2023-08-06 00:00:00.000000000 +0000
Modyfikacja: 2023-08-06 19:27:32.000000000 +0000
Zmiana: 2023-08-06 19:27:32.000000000 +0000
Utworzenie: 2023-08-05 13:40:30.800000000 +0000
stat /boot
Plik: /boot
rozmiar: 4096 bloków: 8 bloki I/O: 4096 katalog
Urządzenie: 8,1 inody: 1 dowiązań: 4
Dostęp: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ root)
Dostęp: 1970-01-01 00:00:00.000000000 +0000
Modyfikacja: 1970-01-01 00:00:00.000000000 +0000
Zmiana: 1970-01-01 00:00:00.000000000 +0000
Utworzenie: 1970-01-01 00:00:00.000000000 +0000
stat /boot after unmounting:
Plik: /boot
rozmiar: 4096 bloków: 8 bloki I/O: 4096 katalog
Urządzenie: 8,3 inody: 655361 dowiązań: 2
Dostęp: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Dostęp: 2023-08-06 17:53:02.799999757 +0000
Modyfikacja: 2023-08-05 13:21:38.444127922 +0000
Zmiana: 2023-08-05 13:21:38.444127922 +0000
Utworzenie: 2023-08-05 13:21:38.444127922 +0000
Last edited by Drzony (2023-08-06 19:56:11)
Don't embed oversized pictures, the board has a 250x250 px max rule.
Also *obviously* don't post low-res pictures of text at all - post the text
And use LC_ALL=C
Please fix your post in those regards.
Don't embed oversized pictures, the board has a 250x250 px max rule.
Also *obviously* don't post low-res pictures of text at all - post the text
And use LC_ALL=C
Please fix your post in those regards.
Okay, fixed.
stat /boot after unmounting:
Dostęp: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Make that 0700.
stat /boot after unmounting:
Dostęp: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Make that 0700.
So, I did what you said. I changed the permission on the unmounted /boot without any problem. And now here's something funny.
When it's unmounted:
Dostęp: (0700/drwx------)
And it stays that way whenever it's unmounted, but I can change it without any problem (so this one's okay).
But when I mount it back:
Dostęp: (0755/drwxr-xr-x)
And when it's mounted, I can't change this value.
Last edited by Drzony (2023-08-06 21:08:55)
But when I mount it back:
How?
sudo umount /boot
sudo mount -o uid=0,gid=0,fmask=0077,dmask=0077 /dev/sda1 /boot
stat /boot
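Why the mount options, not chmod, decide what stat shows on a FAT ESP, as an added example (not code from this thread or from systemd): a POSIX sh script that derives the mode a vfat mount will expose from its fmask/dmask options and flags world-accessible results the way bootctl does. The option strings are constructed samples modelled on the mount output above; findmnt is assumed only for the optional live check in the trailing comment.

```shell
#!/bin/sh
# Added example, not code from the thread or from systemd. FAT has no POSIX
# permission bits, so chmod on a mounted ESP changes nothing; the mode that
# stat shows is derived from the fmask/dmask mount options (default: the umask
# of the mounting process, usually 0022, which yields 0755 dirs / 0644 files).

# Print one option's value from a mount(8)-style option string; fall back to
# 0022 when it is absent, standing in for the usual umask default.
mount_opt() {  # $1 = option name (fmask|dmask), $2 = "rw,relatime,dmask=0077,..."
    _val=$(printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^$1=//p" | head -n 1)
    printf '%s\n' "${_val:-0022}"
}

# Effective mode = 0777 with the masked bits cleared, as four octal digits.
effective_mode() {  # $1 = octal mask such as 0077
    printf '%04o\n' $(( 0777 - (0$1 & 0777) ))
}

# True (exit 0) when any "other" permission bit is set, i.e. what bootctl
# means by "world accessible".
world_accessible() {  # $1 = four-digit octal mode
    [ $(( 0$1 & 0007 )) -ne 0 ]
}

# Audit an option string: exit 0 and print "ok", or exit 1 with the offending
# directory/file modes and the fix from this thread.
audit_esp_options() {  # $1 = option string as printed by mount or findmnt
    _dir=$(effective_mode "$(mount_opt dmask "$1")")
    _file=$(effective_mode "$(mount_opt fmask "$1")")
    if world_accessible "$_dir" || world_accessible "$_file"; then
        printf 'world-accessible: dirs=%s files=%s; mount with fmask=0077,dmask=0077\n' "$_dir" "$_file"
        return 1
    fi
    printf 'ok: dirs=%s files=%s\n' "$_dir" "$_file"
}

# Constructed samples: the first mirrors the fixed mount above, the second a
# plain "mount /dev/sda1 /boot" with no masks given.
GOOD_OPTS='rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro'
BAD_OPTS='rw,relatime,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro'

audit_esp_options "$GOOD_OPTS"
audit_esp_options "$BAD_OPTS" || true

# On a live system, check the real ESP with:
#   audit_esp_options "$(findmnt -no OPTIONS /boot)"
```

Persisting the same masks in /etc/fstab makes the check pass on every boot rather than only for a one-off manual mount.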
But when I mount it back:
How?
sudo umount /boot
sudo mount -o uid=0,gid=0,fmask=0077,dmask=0077 /dev/sda1 /boot
stat /boot
Okay, my bad, I just used "mount /dev/sda1 /boot".
So, I used the command you provided and now everything's fine! Permissions are alright and I don't get the warning messages while running "bootctl install".
Thanks a lot!
stat /boot after unmounting:
Dostęp: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Make that 0700.
Thanks, was having the same issue and this solved it.