← Back to team overview

touch-packages team mailing list archive

[Bug 1390183] Re: EFI directory is insecure by default

 

** Changed in: partman-efi (Debian)
       Status: Unknown => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to mountall in Ubuntu.
https://bugs.launchpad.net/bugs/1390183

Title:
  EFI directory is insecure by default

Status in “mountall” package in Ubuntu:
  Fix Released
Status in “partman-efi” package in Ubuntu:
  Fix Released
Status in “partman-efi” package in Debian:
  Fix Committed

Bug description:
  The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by
  default. It has permissions/mode 0777 (rwx for all). This makes the
  directory very vulnerable to tampering. Although it may be possible to
  repair damage to this directory externally if the system becomes
  unbootable due to such damage, having to do this is undesirable and
  usually not easy for most users. Distributions other than Ubuntu may
  also be having this issue, I have not checked, but some distributions
  enable secure permissions by default (e.g., Fedora). One (or maybe the
  only) reason for the default configuration being the way it is may be
  that the EFI partition uses a FAT file system. However, enabling a
  umask through /etc/fstab as in Fedora, e.g., umask=0077, should make
  it much more secure.

  Ubuntu 14.10 Utopic Unicorn (x86_64/amd64)

  Expected default configuration:-
  A critical system directory such as /boot/efi should be inaccessible to non-root users by default.

  Actual default configuration:-
  The EFI directory /boot/efi is accessible to all users irrespective of the user account's privileges (permission mode 0777/rwxrwxrwx).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1390183/+subscriptions