authorBjørn Forsman <bjorn.forsman@gmail.com>2024-04-01 14:14:34 +0200
committerBjørn Forsman <bjorn.forsman@gmail.com>2024-04-11 21:56:48 +0200
commit437c36c511e3b43cf1ee4bce4001b50b53384b22 (patch)
treecff0167aa7b95e4e9b5393aa81aca21262d90c05 /nixos/modules
parent1d6a23f11e44d0fb64b3237569b87658a9eb5643 (diff)
nixos-generate-config: preserve vfat filesystem mount permissions
The default is to mount these world-readable, but that's a security risk
for the EFI System Partition.

Ref https://github.com/NixOS/nixpkgs/issues/279362.

(cherry picked from commit 8ee9b79cc41e9013f5bb58081eccdec236530611)
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/installer/tools/nixos-generate-config.pl11
1 files changed, 11 insertions, 0 deletions
diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl
index 2f9edba4f0c9c..317b5e677d17e 100644
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -453,6 +453,17 @@ EOF
         }
     }
 
+    # Preserve umask (fmask, dmask) settings for vfat filesystems.
+    # (The default is to mount these world-readable, but that's a security risk
+    # for the EFI System Partition.)
+    if ($fsType eq "vfat") {
+        for (@superOptions) {
+            if ($_ =~ /fmask|dmask/) {
+                push @extraOptions, $_;
+            }
+        }
+    }
+
     # is this a stratis fs?
     my $stableDevPath = findStableDevPath $device;
     my $stratisPool;
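Review bot: The filter `$_ =~ /fmask|dmask/` is an unanchored substring match, so any superblock option merely containing those letters would be carried into the generated config, and the loop leans on `$_` for three lines; an anchored key match with a named loop variable states the intent and is what I would write here: `for my $opt (@superOptions) {` / `    push @extraOptions, $opt if $opt =~ m{\A[fd]mask=}xms;` / `}`. It is also worth a comment on the `if ($fsType eq "vfat")` line that the preservation only applies when the running system already mounts the partition with a mask — an ESP mounted with the kernel's defaults still ends up world-readable in the generated config, presumably by design since the commit only preserves, never invents, options. Access to a vfat filesystem also depends on `uid=`/`gid=` options, which this hunk does not preserve; if that was a conscious choice, a short note saying so would help the next reader. The enclosing filesystem-handling block of nixos-generate-config.pl starts and ends outside the hunk.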