Skip to content

/boot/efi permissions are too open

systemd-boot tools will warn about the issues with the current configuration, e.g.

root@foo-configdrive:/boot/efi/EFI/Linux# bootctl random-seed 
⚠ Mount point '/boot/efi' which backs the random seed file is world accessible, which is a security hole! ⚠
⚠ Random seed file '/boot/efi/loader/random-seed' is world accessible, which is a security hole! ⚠

We should ensure that /boot/efi is mounted without world-readable permissions. I'm proposing 0700.