| Summary: | ESP is mounted with read-write access for root and no read for non-root users | | |
|---|---|---|---|
| Product: | systemd | Reporter: | Mateus Rodrigues Costa <mateusrodcosta> |
| Component: | general | Assignee: | systemd-bugs |
| Status: | RESOLVED NOTABUG | QA Contact: | systemd-bugs |
| Severity: | major | | |
| Priority: | medium | | |
| Version: | unspecified | | |
| Hardware: | x86-64 (AMD64) | | |
| OS: | Linux (All) | | |
| Whiteboard: | | | |
| i915 platform: | | i915 features: | |
| Attachments: | a | | |
That is intentional. We do not grant ordinary users any access to the FAT filesystem mounted at /boot.

They cannot even read it, because it might contain sensitive data inside the initrd or stored somewhere else.

If ordinary users need access to /boot, a custom entry in fstab is needed.

(In reply to comment #1)
> That is intentional. We do not grant ordinary users any access to the FAT
> filesystem mounted at /boot.
>
> They cannot even read it, because it might contain sensitive data inside the
> initrd or stored somewhere else.
>
> If ordinary users need access to /boot, a custom entry in fstab is needed.

If this is not a bug then the fact that the ESP was being mounted with user read access for several boots before being mounted as root-only probably is.

Also, can you tell me since when this behavior is expected?
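An added example (not part of the bug report or of systemd): a check that reads `/proc/mounts`-style text and reports whether a vfat mount at /boot is root-only, the state comment #1 describes. It assumes the kernel's vfat `fmask`, `dmask` and `uid` mount options as printed in `/proc/mounts`; the sample mount lines and the extra `/efi` and `/boot/efi` mount points are constructed.

```python
# Added example: audit vfat mounts (the ESP at /boot) for non-root access.
# SAMPLE_MOUNTS is constructed for illustration, not taken from the bug report.
import stat

SAMPLE_MOUNTS = """\
/dev/sda2 / btrfs rw,relatime 0 0
/dev/sda1 /boot vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,errors=remount-ro 0 0
/dev/sdb1 /efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,errors=remount-ro 0 0
/dev/sdc1 /boot/efi vfat rw,relatime,uid=1000,fmask=0077,dmask=0077 0 0
"""

def parse_options(field):
    """Split a comma-separated mount option field into a dict."""
    opts = {}
    for item in field.split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts

def audit_vfat_mounts(mounts_text, mountpoints=("/boot", "/efi", "/boot/efi")):
    """Return one finding per vfat mount at the given mount points."""
    findings = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "vfat" or parts[1] not in mountpoints:
            continue
        opts = parse_options(parts[3])
        # FAT stores no Unix permissions: modes are 0777 with the mask cleared.
        dir_mode = 0o777 & ~int(opts.get("dmask", "0"), 8)
        file_mode = 0o777 & ~int(opts.get("fmask", "0"), 8)
        owner = int(opts.get("uid", "0"))  # uid= is only printed when not root
        reasons = []
        if (dir_mode | file_mode) & 0o077:
            reasons.append("group/other bits set")
        if owner != 0:
            reasons.append("owned by uid %d" % owner)
        findings.append({
            "mountpoint": parts[1],
            "dir_mode": stat.filemode(stat.S_IFDIR | dir_mode),
            "file_mode": stat.filemode(stat.S_IFREG | file_mode),
            "root_only": not reasons,
            "reasons": reasons,
        })
    return findings

if __name__ == "__main__":
    with open("/proc/mounts") as fh:  # audit the live mount table
        for finding in audit_vfat_mounts(fh.read()):
            print(finding)
```

A `dir_mode` of `drwx------` matches the /boot entry in the reporter's `ls -l /` output.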
Created attachment 95125
a

Under Arch Linux with systemd 208-11 and systemd 210-2

Arch Linux is installed in UEFI-GPT mode and I'm letting systemd mount everything, with only the root filesystem being in the fstab.

The permissions on /boot are fine if I run ls as soon as I log in to GNOME:

And around five seconds later:

```
[mateus@mateus-arch ~]$ ls -l /
total 24
lrwxrwxrwx   1 root root    7 Mai 31  2013 bin -> usr/bin
drwx------   4 root root 4096 Dez 31  1969 boot
drwxr-xr-x  19 root root 3320 Mar  4 20:42 dev
drwxr-xr-x   1 root root 3622 Mar  4 20:42 etc
drwxr-xr-x   4 root root 4096 Fev 23 16:41 home
lrwxrwxrwx   1 root root    7 Mai 31  2013 lib -> usr/lib
lrwxrwxrwx   1 root root    7 Mai 31  2013 lib64 -> usr/lib
drwxr-xr-x   1 root root    4 Fev 23 16:51 mnt
drwxr-xr-x   1 root root   58 Fev 28 23:12 opt
dr-xr-xr-x 215 root root    0 Mar  4 20:42 proc
drwxr-x---   1 root root   66 Mar  2 11:42 root
drwxr-xr-x  25 root root  680 Mar  4 20:43 run
lrwxrwxrwx   1 root root    7 Mai 31  2013 sbin -> usr/bin
drwxr-xr-x   1 root root   26 Fev 23 23:32 srv
dr-xr-xr-x  13 root root    0 Mar  4 20:42 sys
drwxrwxrwt  13 root root  300 Mar  4 20:43 tmp
drwxr-xr-x   1 root root   80 Mar  1 22:37 usr
drwxr-xr-x   1 root root  100 Mar  1 22:37 var
```

Here