diff options
| author | Bjørn Forsman <bjorn.forsman@gmail.com> | 2024-04-01 14:14:34 +0200 |
|---|---|---|
| committer | Bjørn Forsman <bjorn.forsman@gmail.com> | 2024-04-10 19:34:07 +0200 |
| commit | e17e60b2738bcddf4e0661da3d63872ceec2a9cb (patch) | |
| tree | 0458293976b74eeec2c9d9bf9b55aa829a42039f /nixos/modules/installer/tools | |
| parent | 7a8dac5cdff43532cd094d4a22626511e0156ebe (diff) | |
nixos-generate-config: preserve vfat filesystem mount permissions
The default is to mount these world-readable, but that's a security risk
for the EFI System Partition.
Ref https://github.com/NixOS/nixpkgs/issues/279362.
Diffstat (limited to 'nixos/modules/installer/tools')
| -rw-r--r-- | nixos/modules/installer/tools/nixos-generate-config.pl | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index ef25b8b296e6..cf4173638b1a 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -453,6 +453,17 @@ EOF } } + # Preserve umask (fmask, dmask) settings for vfat filesystems. + # (The default is to mount these world-readable, but that's a security risk + # for the EFI System Partition.) + if ($fsType eq "vfat") { + for (@superOptions) { + if ($_ =~ /fmask|dmask/) { + push @extraOptions, $_; + } + } + } + # is this a stratis fs? my $stableDevPath = findStableDevPath $device; my $stratisPool; |