
#1 2023-09-12 11:24:13

assur
Member
From: Lisbon
Registered: 2023-09-12
Posts: 5

[SOLVED] bootctl install: warning security hole

Hi!

I'm following the Wiki Installation guide currently on step 3.8, Boot loader.
I've chosen to use systemd-boot and on the wiki page the first step is to run

bootctl install

And the output contains the following warnings

! Mount point '/boot' which backs the random seed file is world accessible, which is a security hole! !
! Random seed file '/boot/loader/.#bootctlrandom-.....' is world accessible, which is a security hole! !

I've found this post here on the forum that mentions that it might be because of the umask for the efi partition on the fstab file.

Currently my /etc/fstab file has

# /dev/nvme0n1p3
UUID=181abf2b-2dfb-427e-a2ae-d4c6acfbda4d   /   ext4    rw,relatime 0 1

# /dev/nvme0n1p4
UUID=85992858-2cca-46dd-9979-1b2f748d36cf   /home   ext4    rw,relatime 0 2

# /dev/nvme0n1p1
UUID=3818-9B55  /boot   vfat    rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2

# /dev/nvme0n1p2
UUID=c58belec-a461-4cd3-be55-249765838411   none    swap    defaults    0   0 

I've tried before to change the values of fmask and dmask from 0022 to 0077 as mentioned in the post.
But running bootctl install again results in the same warnings.

I've also tried to exit from arch-chroot then unmount all partitions

umount -R /mnt
swapoff /dev/nvme0n1p2

Mounted them all again and reran bootctl install, but same results.

Not sure what's missing here...
Thanks


EDIT:

The solution, after editing /etc/fstab with the new mask values and exiting the chroot context, was to do

umount -R /mnt

mount /dev/nvme0n1p3 /mnt
arch-chroot /mnt

mount -a

bootctl install

Last edited by assur (2023-09-12 14:14:20)

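The warning in the first post comes down to a mount-option check: FAT stores no per-file permission bits, so the fmask/dmask (or umask) the ESP is mounted with decides whether every file under /boot, including the random seed that bootctl writes there, is readable by all users. The following POSIX sh script is an added example, not code from this thread or from systemd: it audits fstab-style lines for a vfat entry at a typical ESP mount point and flags the same condition bootctl warns about. The UUIDs in the sample lines are constructed placeholders, and treating an entry that sets no mask at all as 022 is an assumption made for the example (it matches the usual mounter umask).

```shell
#!/bin/sh
# Added example, not code from the thread: audit fstab entries for a FAT ESP
# and report the condition bootctl warns about, i.e. files under the mount
# point readable by everyone because fmask/dmask leave group/other bits open.
# Only POSIX sh, awk and tr are used. Sample fstab lines are constructed below.

# octal_restrictive MASK: succeeds when the octal MASK clears every group and
# other permission bit, i.e. (MASK & 077) == 077. "0077", "077" and "77" pass.
octal_restrictive() {
    case "$1" in
        ''|*[!0-7]*) return 1 ;;        # empty or not an octal number
    esac
    [ $(( 0$1 & 63 )) -eq 63 ]          # 63 decimal == 077 octal
}

# opt_value OPTS NAME: print the value of NAME=value inside a comma separated
# mount option string (last occurrence wins), or nothing when it is absent.
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -F= -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }'
}

# esp_opts_secure OPTS: succeed when both the file and the directory mask are
# restrictive. A missing fmask/dmask falls back to umask=, and an absent umask
# is treated as 022 here (assumption for this example; it is why an entry that
# sets no mask at all is reported, just as bootctl reports it).
esp_opts_secure() {
    umask_opt=$(opt_value "$1" umask); [ -n "$umask_opt" ] || umask_opt=022
    fmask=$(opt_value "$1" fmask);     [ -n "$fmask" ] || fmask=$umask_opt
    dmask=$(opt_value "$1" dmask);     [ -n "$dmask" ] || dmask=$umask_opt
    octal_restrictive "$fmask" && octal_restrictive "$dmask"
}

# audit_fstab: read fstab text on stdin, print one verdict line per vfat entry
# mounted at a typical ESP path, and fail if any of them is world accessible.
audit_fstab() {
    bad=0
    while read -r dev mnt type opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac      # skip blanks and comments
        [ "$type" = vfat ] || continue
        case "$mnt" in /boot|/efi|/boot/efi) ;; *) continue ;; esac
        if esp_opts_secure "$opts"; then
            printf 'OK   %s (%s)\n' "$mnt" "$opts"
        else
            printf 'WARN %s is world accessible, fmask/dmask should be 0077 (%s)\n' "$mnt" "$opts"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample fstab lines; the UUID is a placeholder, not a real disk.
FSTAB_BEFORE='UUID=XXXX-XXXX  /boot  vfat  rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2'
FSTAB_AFTER='UUID=XXXX-XXXX  /boot  vfat  rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2'

printf '%s\n' "$FSTAB_BEFORE" | audit_fstab   # WARN line, exit status 1
printf '%s\n' "$FSTAB_AFTER"  | audit_fstab   # OK line, exit status 0
```

On a running system the same check can be fed the live mount instead of the file with `findmnt -no SOURCE,TARGET,FSTYPE,OPTIONS /boot | audit_fstab`, which is the quickest way to see the mismatch this thread ran into: the options in /etc/fstab had been changed, but a partition mounted by hand from outside the chroot still carried the old 0022 masks.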

#2 2023-09-12 12:21:00

seth
Member
Registered: 2012-09-03
Posts: 57,089

Re: [SOLVED] bootctl install: warning security hole

mount | grep boot

before you're trying to run bootctl?


#3 2023-09-12 13:05:48

assur
Member
From: Lisbon
Registered: 2023-09-12
Posts: 5

Re: [SOLVED] bootctl install: warning security hole

After changing the fstab file, running umount -R /mnt and then mounting the partitions again, the output of

mount | grep boot

still shows fmask and dmask as 0022 instead of 0077

Am I not unmounting correctly?

Last edited by assur (2023-09-12 13:06:00)


#4 2023-09-12 13:19:41

seth
Member
Registered: 2012-09-03
Posts: 57,089

Re: [SOLVED] bootctl install: warning security hole

Does the fstab edit survive umount -R ?
What's the status of "mount" after the recursive umount?


#5 2023-09-12 13:31:01

assur
Member
From: Lisbon
Registered: 2023-09-12
Posts: 5

Re: [SOLVED] bootctl install: warning security hole

Yes, it does. After umount -R and mounting again and then changing root to /mnt, cat /etc/fstab still shows the changes (mask as 0077).

After umount, mount | grep boot doesn't output anything. But it shouldn't right?

I'm not getting how mount can take into account what's in /etc/fstab given that the file is not available before mounting the partition...


#6 2023-09-12 13:32:47

seth
Member
Registered: 2012-09-03
Posts: 57,089

Re: [SOLVED] bootctl install: warning security hole

Elaborate on

Mount them all again


#7 2023-09-12 13:44:14

assur
Member
From: Lisbon
Registered: 2023-09-12
Posts: 5

Re: [SOLVED] bootctl install: warning security hole

To recap what I did:

mount /dev/nvme0n1p3 /mnt
mount --mkdir /dev/nvme0n1p4 /mnt/home
mount --mkdir /dev/nvme0n1p1 /mnt/boot
swapon /dev/nvme0n1p2

(pacstrap...)

genfstab -U /mnt >> /mnt/etc/fstab

arch-chroot /mnt

(...)

bootctl install

And the output of the final command contains the warning messages as shown in the original post.

Afterwards I did

nvim /etc/fstab (to change masks)
exit (to leave change root)

umount -R /mnt
mount /dev/nvme0n1p3 /mnt
mount /dev/nvme0n1p4 /mnt/home
mount /dev/nvme0n1p1 /mnt/boot

arch-chroot /mnt
cat /etc/fstab (still contains the changes to fmask and dmask)

bootctl install

And the output still contains the same warnings.

If it helps, the output (simplified) of

fdisk -l

is

/dev/nvme0n1p1    EFI System
/dev/nvme0n1p2    Linux swap
/dev/nvme0n1p3    Linux root (x86-64)
/dev/nvme0n1p4    Linux root (x86-64)


#8 2023-09-12 13:49:10

seth
Member
Registered: 2012-09-03
Posts: 57,089

Re: [SOLVED] bootctl install: warning security hole

mount /dev/nvme0n1p3 /mnt
mount /dev/nvme0n1p4 /mnt/home
mount /dev/nvme0n1p1 /mnt/boot

arch-chroot /mnt
mount /dev/nvme0n1p3 /mnt
arch-chroot /mnt
mount -o remount --all


#9 2023-09-12 13:53:10

LunarLambda
Member
Registered: 2021-08-02
Posts: 6

Re: [SOLVED] bootctl install: warning security hole

I just did chmod 700 on the ESP mountpoint and that got rid of the warning


#10 2023-09-12 13:58:44

seth
Member
Registered: 2012-09-03
Posts: 57,089

Re: [SOLVED] bootctl install: warning security hole

See #8
Your problem was that you were mounting the partitions explicitly out of the pre-chroot context, which of course doesn't account for your fstab changes.
You'd have to at least mount /boot using the fstab (i.e. chroot first, and then pass only the mountpoint or the device, not both).

This won't be an issue w/ the installed system as your fstab is taken into account, but may become relevant if you've to ever fix the system offline.

Please always remember to mark resolved threads by editing your initial post's subject, so others will know that there's no task left, but maybe a solution to find.
Thanks.


#11 2023-09-12 14:12:02

assur
Member
From: Lisbon
Registered: 2023-09-12
Posts: 5

Re: [SOLVED] bootctl install: warning security hole

seth wrote:
mount /dev/nvme0n1p3 /mnt
mount /dev/nvme0n1p4 /mnt/home
mount /dev/nvme0n1p1 /mnt/boot

arch-chroot /mnt
mount /dev/nvme0n1p3 /mnt
arch-chroot /mnt
mount -o remount --all

It worked, but instead of

mount -o remount --all

I did

mount -a

Thanks for the help and explanation (particularly the fstab/mount logic).

Last edited by assur (2023-09-12 14:19:01)

