Bootctl is world accessible !?

While checking the logs via `journalctl`, I noticed these warning messages: “bootctl[1001]: The mount point ‘/boot’ that backs the random seed file is accessible to all users, which is a security hole !” and “bootctl[1001]: The random seed file ‘/boot/loader/random-seed’ is accessible to all users, which is a security hole !”

Is it, actually?

ls -lan /boot

I edited /etc/fstab and added the following options to /boot line : “nodev,nosuid,noexec,fmask=0177,dmask=0077”

as described on Archwiki.

ls -lan /boot
Permission denied: /boot - code: 13

Skipped 1 directories due to permission denied: 
  /boot

So no more warning message in journalctl.

Interesting. My fstab which the only edit I made was to remove tmp since systemd creates that so there’s no need for a duplicate. I have no warning messages such as yours in my journal. (I should mention I do use GRUB if that makes a difference?)

UUID=0000-0000                            /boot/efi      vfat    defaults,umask=0077 0 2
UUID=00000000000                          /home          ext4    defaults,noatime,commit=60 0 2
UUID=00000000000                          /              ext4    defaults,noatime,commit=60 0 1

Hm… seems like I don’t have any of these messages, for journalctl | grep "/boot" returns a bunch of

systemd[1]: Unmounted /boot.
systemd[1]: Mounting /boot...

and one

strim[1257]: /boot: 1,4 GiB (1534205952 bytes) trimmed on /dev/nvme0n1p1

My /etc/fstab contains nothing fancy for /boot:

UUID=xxxx-yyyy /boot vfat defaults 0 2

and yes, ls -lan /boot shows that everyone has execute rights on everything:

drwxr-xr-x 3 0 0      4096 Jan  1  1970 .
drwxr-xr-x 1 0 0       150 Apr 16 21:21 ..
-rwxr-xr-x 1 0 0    307200 Mar 11 18:07 amd-ucode.img
drwxr-xr-x 4 0 0      4096 Apr 29 06:38 EFI
-rwxr-xr-x 1 0 0 245945599 Apr 25 09:34 initramfs-linux-cachyos.img
-rwxr-xr-x 1 0 0 246253292 Apr 25 09:34 initramfs-linux-cachyos-lts.img
-rwxr-xr-x 1 0 0       488 Mar 23 12:17 refind_linux.conf
-rwxr-xr-x 1 0 0  17084416 Apr 25 09:33 vmlinuz-linux-cachyos
-rwxr-xr-x 1 0 0  17347072 Apr 25 09:33 vmlinuz-linux-cachyos-lts

Is that a bad thing? No warnings in journalctl, though.

Maybe it depends on the kernel you’re using. My current kernel version is 7.0.1-1, or is it the systemd version?

Same here…

╰─> uname -r
7.0.1-1-cachyos

╰─> pacman -Q systemd
systemd 260.1-2