nixos/doc: suggest mounting the ESP on /boot with umask=077

This prevents world-readable access to /boot, which is a security issue that systemd-boot warns about. Fixes https://github.com/NixOS/nixpkgs/issues/279362.
author: Bjørn Forsman <bjorn.forsman@gmail.com> 2024-04-01 14:19:41 +0200
committer: Bjørn Forsman <bjorn.forsman@gmail.com> 2024-04-10 19:34:07 +0200
commit: 74c1547424498edd75cbe3092a624960a2456695 (patch)
tree: adfdaa4f2ad8db540d6ec3595f1d33d95617e4f0
parent: e17e60b2738bcddf4e0661da3d63872ceec2a9cb (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/doc/manual/installation/installing.chapter.md b/nixos/doc/manual/installation/installing.chapter.md
index c7deb07352f1..b6db40878ba7 100644
--- a/nixos/doc/manual/installation/installing.chapter.md
+++ b/nixos/doc/manual/installation/installing.chapter.md
@@ -376,7 +376,7 @@ Use the following commands:
 
     ```ShellSession
     # mkdir -p /mnt/boot
-    # mount /dev/disk/by-label/boot /mnt/boot
+    # mount -o umask=077 /dev/disk/by-label/boot /mnt/boot
     ```
 
 3.  If your machine has a limited amount of memory, you may want to
@@ -572,7 +572,7 @@ With a partitioned disk.
 # mkfs.fat -F 32 -n boot /dev/sda3        # (for UEFI systems only)
 # mount /dev/disk/by-label/nixos /mnt
 # mkdir -p /mnt/boot                      # (for UEFI systems only)
-# mount /dev/disk/by-label/boot /mnt/boot # (for UEFI systems only)
+# mount -o umask=077 /dev/disk/by-label/boot /mnt/boot # (for UEFI systems only)
 # nixos-generate-config --root /mnt
 # nano /mnt/etc/nixos/configuration.nix
 # nixos-install
author	Bjørn Forsman <bjorn.forsman@gmail.com>	2024-04-01 14:19:41 +0200
committer	Bjørn Forsman <bjorn.forsman@gmail.com>	2024-04-10 19:34:07 +0200
commit	74c1547424498edd75cbe3092a624960a2456695 (patch)
tree	adfdaa4f2ad8db540d6ec3595f1d33d95617e4f0
parent	e17e60b2738bcddf4e0661da3d63872ceec2a9cb (diff)