From 98cb263b83e6f4eb2b338db7052a289bb7367de2 Mon Sep 17 00:00:00 2001 From: 0xdeadd Date: Thu, 30 Apr 2026 17:16:11 -0400 Subject: [PATCH] fix: restrict EFI partition permissions with fmask/dmask=0077 Mount the ESP with fmask=0077 and dmask=0077 to prevent world-readable files like /efi/loader/random-seed. Closes #4241 --- archinstall/lib/installer.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/archinstall/lib/installer.py b/archinstall/lib/installer.py index 44a10eb2d4..676bc0fd48 100644 --- a/archinstall/lib/installer.py +++ b/archinstall/lib/installer.py @@ -375,7 +375,14 @@ def _mount_partition(self, part_mod: PartitionModification) -> None: # it would be none if it's btrfs as the subvolumes will have the mountpoints defined if part_mod.mountpoint: target = self.target / part_mod.relative_mountpoint - mount(part_mod.dev_path, target, options=part_mod.mount_options) + options = list(part_mod.mount_options) + + if part_mod.is_efi(): + for opt in ('fmask=0077', 'dmask=0077'): + if opt not in options: + options.append(opt) + + mount(part_mod.dev_path, target, options=options) elif part_mod.fs_type == FilesystemType.BTRFS: # Only mount BTRFS subvolumes that have mountpoints specified subvols_with_mountpoints = [sv for sv in part_mod.btrfs_subvols if sv.mountpoint is not None]