Created attachment 11938: fstab after installation
After installation, /etc/fstab shows that the vfat /boot/EFI partition for the ESP System Partition has a umask=000 mount option. This should totally be avoided! An unskilled user could break his system by removing necessary EFI loaders like GRUB and the Microsoft Windows loader. Attached is /etc/fstab on my system after installation. /etc/fstab belongs to setup-2.7.25-1.mga8.noarch. But it is written by drakX. So assigning to Mageia Tools Maintainers. CC'ed Sec Team for advice. @David Walser, feel free to drop to non security bug if you don't think this is a security issue.
Component: Security => Installer
QA Contact: security => (none)
Thanks David for this. But with this umask set, a malicious logged-in user can remove all bootloaders from /boot/EFI and can modify the EFI part of the bootloader.
CC list accessible: 1 => 0
Group: secteam => (none)
Reporter accessible: 1 => 0
Fixed in drakx
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CC: (none) => thierry.vignaud
Thanks Thierry. Will this be in DrakXtools-18.35-1.mga8?
It's in the actual installer (technically drakx-installer-stage2 then). We might want to put a note about this in the Errata though so admins know to fix upgraded machines.
1) How is this for live ISOs? (dumped to USB with or without persistent partition)
2) Should not hurt for admin to fix on mga7 either, I guess same problem here. So into mga7 errata too?
CC: (none) => fri
(In reply to David Walser from comment #4)
> It's in the actual installer (technically drakx-installer-stage2 then). We
> might want to put a note about this in the Errata though so admins know to
> fix upgraded machines.
Technically we can add a fixup for that in drakx when upgrading… Or a trigger in grub2 in order to handle people performing online update with urpmi…
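An added example, not part of the bug thread and not drakx code: a check an admin could run on an upgraded machine to find FAT mounts such as the ESP that every local user can write to. It goes beyond the reported umask=000 case by also evaluating the vfat fmask/dmask options; the sample fstab is constructed, and the 022 fallback (root's usual umask when no mask option is given) is an assumption.

```python
# Constructed sample fstab; UUIDs and extra mount points are made up.
SAMPLE_FSTAB = """\
# Entry for the root partition
UUID=0000-0001 / ext4 defaults 1 1
UUID=0000-0002 /boot/EFI vfat umask=000,iocharset=utf8 0 0
UUID=0000-0003 /media/data vfat fmask=0133,dmask=0022 0 0
UUID=0000-0004 /mnt/usb vfat umask=022,dmask=000 0 0
"""

FAT_TYPES = {"vfat", "msdos"}
OTHER_WRITE = 0o002  # mask bit that removes write permission for "other"


def fat_masks(options, default_mask=0o022):
    """Return (fmask, dmask) for a FAT option string.

    Options are applied left to right: umask sets both masks,
    fmask and dmask override one each; the last one given wins.
    """
    fmask = dmask = default_mask  # assumption: mount runs with umask 022
    for opt in options.split(","):
        key, _, value = opt.partition("=")
        if key not in ("umask", "fmask", "dmask"):
            continue
        try:
            mask = int(value, 8)
        except ValueError:
            continue  # malformed value: keep the masks seen so far
        if key in ("umask", "fmask"):
            fmask = mask
        if key in ("umask", "dmask"):
            dmask = mask
    return fmask, dmask


def audit_fstab(text, default_mask=0o022):
    """List (mount point, fmask, dmask) for FAT mounts writable by everyone."""
    findings = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] not in FAT_TYPES:
            continue
        fmask, dmask = fat_masks(fields[3], default_mask)
        # A missing OTHER_WRITE bit in dmask lets any user delete files;
        # a missing bit in fmask lets any user modify them.
        if not (fmask & OTHER_WRITE and dmask & OTHER_WRITE):
            findings.append((fields[1], f"{fmask:04o}", f"{dmask:04o}"))
    return findings


if __name__ == "__main__":
    for mount_point, fmask, dmask in audit_fstab(SAMPLE_FSTAB):
        print(f"{mount_point}: fmask={fmask} dmask={dmask} (world-writable)")
```

To check a real system, pass the contents of /etc/fstab to `audit_fstab` instead of the sample.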