genfstab should use more restrictive permissions for boot or possibly just EFI partitions
Description:
genfstab uses the default options of:
rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro
This results in a world-readable but not writable /boot or /boot/EFI, depending on which vfat partitions are mounted this way. Some boot managers complain that at least the random seed file is world-readable, which is a security issue.
Perhaps the fmask and dmask should be 0077 so that boot partitions are only owner-accessible? Then at least it will be necessary to check whether a partition is supposed to be the boot partition, as maybe some users would genfstab a vfat partition they intend to be world-accessible.
Additional info:
- package version(s): 28-1
Steps to reproduce:
- Install Arch from a newly downloaded archiso, using a combination EFI system partition and boot partition
- Use mkinitcpio and systemd-boot; sometimes they complain that the random seed is world-readable, if I remember correctly.
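
The mount-point check the report asks for can be sketched as a filter over genfstab output. This is an added example, not part of the original report and not genfstab's own code; the `BOOT_MOUNTS` list, the function names and the sample UUIDs are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not genfstab's own code.
# Assumption: these mount points mark the boot/EFI partition.
BOOT_MOUNTS="/boot /boot/efi /boot/EFI /efi"

# harden_fstab (hypothetical helper): filter fstab text from stdin to stdout,
# forcing fmask/dmask to 0077 only on vfat entries at a boot mount point.
# Other vfat entries, comments and blank lines pass through unchanged.
harden_fstab() {
    awk -v mounts="$BOOT_MOUNTS" '
    BEGIN { n = split(mounts, m, " "); for (i = 1; i <= n; i++) boot[m[i]] = 1 }
    NF == 0 || $1 ~ /^#/ || $3 != "vfat" || !($2 in boot) { print; next }
    {
        k = split($4, opt, ",")
        out = ""; sep = ""; seen_f = 0; seen_d = 0
        for (i = 1; i <= k; i++) {
            if (opt[i] ~ /^fmask=/)      { opt[i] = "fmask=0077"; seen_f = 1 }
            else if (opt[i] ~ /^dmask=/) { opt[i] = "dmask=0077"; seen_d = 1 }
            out = out sep opt[i]; sep = ","
        }
        # Append the masks when the entry did not set them at all.
        if (!seen_f) { out = out sep "fmask=0077"; sep = "," }
        if (!seen_d) { out = out sep "dmask=0077"; sep = "," }
        $4 = out    # rebuilding the record joins fields with single spaces
        print
    }'
}

# Constructed sample input: the UUIDs and the /mnt/shared entry are made up.
sample_fstab() {
    cat <<'EOF'
# /dev/nvme0n1p1
UUID=AAAA-BBBB /boot vfat rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
UUID=CCCC-DDDD /mnt/shared vfat rw,noatime,fmask=0022,dmask=0022,utf8 0 0
UUID=0f0f0f0f-1111-2222-3333-444444444444 / ext4 rw,noatime 0 1
EOF
}

sample_fstab | harden_fstab
```

Only the /boot entry changes; the vfat partition at /mnt/shared keeps its 0022 masks, which covers the case of a vfat partition that is meant to stay world-accessible.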