Bug 27415

Summary: Umask set to 000 for EFI partition
Product: Mageia Reporter: Aurelien Oudelet <ouaurelien>
Component: InstallerAssignee: Mageia tools maintainers <mageiatools>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: High CC: fri, thierry.vignaud
Version: Cauldron   
Target Milestone: Mageia 8   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: drakxtools-18.34-1.mga8.src.rpm CVE:
Status comment:
Attachments: fstab after installation

Description Aurelien Oudelet 2020-10-14 20:15:23 CEST 
Created attachment 11938 [details]
fstab after installation

After installation,

/etc/fstab shows that vfat /boot/EFI partition for ESP System Partition has a umask=000 mount option.

This should totally be avoided ! Unskilled user could break his system by removing necessary efi loader like GRUB and Microsoft Windows loader.

Attached /etc/fstab on my system after installation.


/etc/fstab belongs to setup-2.7.25-1.mga8.noarch.
But, it is written by drakX.

So assigning to Mageia Tools Maintainers
CC'ed Sec Team for advice.

@David Walser, feel free to drop to non security bug if you don't think this is a security issue.
David Walser 2020-10-14 21:18:48 CEST

Component: Security => Installer
QA Contact: security => (none)

Comment 1 Aurelien Oudelet 2020-10-14 22:16:47 CEST 
Thanks David for this.
But with this umask set, malicious logged user can remove all bootloader from /boot/EFI and can modify efi-part of bootloader.
David Walser 2020-10-15 15:25:28 CEST

CC list accessible: 1 => 0
Group: secteam => (none)
Reporter accessible: 1 => 0

Comment 2 Thierry Vignaud 2020-10-15 16:43:04 CEST 
Fixed in drakx

Status: NEW => RESOLVED
Resolution: (none) => FIXED
CC: (none) => thierry.vignaud

Comment 3 Aurelien Oudelet 2020-10-15 16:56:03 CEST 
Thanks Thierry. This will be in DrakXtools-18.35-1.mga8 ?
Comment 4 David Walser 2020-10-15 18:58:41 CEST 
It's in the actual installer (technically drakx-installer-stage2 then).  We might want to put a note about this in the Errata though so admins know to fix upgraded machines.
Comment 5 Morgan Leijström 2020-10-15 19:01:43 CEST 
1) How is this for live isos?
(dumped to USB with or without persistent partition)

2) Should not hurt for admin to fix on mga7 either, i guess same problem here.
So into mga7 errata too?

CC: (none) => fri

Comment 6 Thierry Vignaud 2020-10-15 20:03:54 CEST 
(In reply to David Walser from comment #4)
> It's in the actual installer (technically drakx-installer-stage2 then).  We
> might want to put a note about this in the Errata though so admins know to
> fix upgraded machines.

Technically we ca add a fixup for that in drakx when upgrading…
Or a trigger in grub2 so that in order to handle people performing online update with urpmi…