Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security hole /boot and /boot/loader/random-seed #527

Closed
i-am-logger opened this issue Feb 2, 2024 · 4 comments · Fixed by #808
Closed

security hole /boot and /boot/loader/random-seed #527

i-am-logger opened this issue Feb 2, 2024 · 4 comments · Fixed by #808
Labels
documentation Issue that would be fixed by proper documentation

Comments

@i-am-logger
Copy link

I'm using disko to setup the partitions of my system via flake.

started to get these warnings recently:

image

the proposed solution without disko is

  fileSystems."/boot" = {
    options = [ "umask=0077" ];
  };

though not sure how to set it with disko
@phaer
Copy link
Member

phaer commented Feb 2, 2024

though not sure how to set it with disko

Exactly the same (if your disko config contains a /boot). Disko does configure the filesystems attribute, but those settings get merged with your own ones via the nixos module system

@Lassulus
Copy link
Collaborator

Lassulus commented Feb 2, 2024
edited
Loading 

...
partitions = {
  boot = {
    type = "EF00";
    size = "500M";
	content = {
      type = "filesystem";
      format = "vfat";
      mountOptions = [ "umask=0077" ];
      mountpoint = "/boot";
    };
  };
};

panchoh added a commit to panchoh/nixos that referenced this issue Feb 8, 2024
@panchoh
fix(traits/disko): handle systemd-boot warning
f297ae6 
See nix-community/disko#527
See https://discourse.nixos.org/t/nixos-install-with-custom-flake-results-in-boot-being-world-accessible/34555/18
@nixos-discourse
Copy link

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-install-with-custom-flake-results-in-boot-being-world-accessible/34555/23

panchoh added a commit to panchoh/nixos that referenced this issue Feb 11, 2024
@panchoh
fix(traits/disko): handle systemd-boot warning
288b6ea 
See nix-community/disko#527
See https://discourse.nixos.org/t/nixos-install-with-custom-flake-results-in-boot-being-world-accessible/34555/18
trueNAHO added a commit to trueNAHO/os that referenced this issue Feb 19, 2024
@trueNAHO
fix(hosts/masterplan/disko): random seed file is world readable
13603a2 
Prevent the random seed file from being world readable to avoid the
following installation warning:

> Mount point '/boot' which backs the random seed file is world
> accessible, which is a security hole!

Related:

- https://discourse.nixos.org/t/34555
- https://discourse.nixos.org/t/37636
- nix-community/disko#527
huwqchn added a commit to huwqchn/.dotfiles that referenced this issue Sep 1, 2024
@huwqchn
fix: world-accessible /boot/loader/random-seed see: nix-community/dis…
daca44a 
…ko#527 (comment)
huwqchn added a commit to huwqchn/.dotfiles that referenced this issue Sep 13, 2024
@huwqchn
fix: world-accessible /boot/loader/random-seed see: nix-community/dis…
ef2e996 
…ko#527 (comment)
iFreilicht added a commit that referenced this issue Oct 1, 2024
@iFreilicht
docs: Fix /boot security hole warning in examples
2299b43 
The alternative would be to do this automatically if format=="vfat" and
mountpoint=="/boot", but it's better to be upfront about this.

Fixes #527
@iFreilicht iFreilicht added the documentation Issue that would be fixed by proper documentation label Oct 1, 2024
@iFreilicht iFreilicht mentioned this issue Oct 1, 2024
Merged
iFreilicht added a commit that referenced this issue Oct 1, 2024
@iFreilicht
docs: Fix /boot security hole warning in examples
b901b7a 
The alternative would be to do this automatically if format=="vfat" and
mountpoint=="/boot", but it's better to be upfront about this.

Fixes #527
@mergify mergify bot closed this as completed in #808 Oct 2, 2024
mergify bot pushed a commit that referenced this issue Oct 2, 2024
@iFreilicht @mergify
docs: Fix /boot security hole warning in examples
da8f492 
The alternative would be to do this automatically if format=="vfat" and
mountpoint=="/boot", but it's better to be upfront about this.

Fixes #527
@iFreilicht
Copy link
Contributor

Thank you for pointing this out! All the examples and documentation reflect this now.

@diogotcorreia diogotcorreia mentioned this issue Dec 14, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation Issue that would be fixed by proper documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

docs: Fix /boot security hole warning in examples nix-community/disko
5 participants
@phaer @Lassulus @i-am-logger @iFreilicht @nixos-discourse