EFI directory is insecure by default

Asked by Saurav Sengupta

The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by default. It has permissions/mode 0777 (rwx for all). Distributions other than Ubuntu may also have this issue; I have not checked, but some distributions enable secure permissions by default (e.g., Fedora). One (or maybe the only) reason for the default configuration being the way it is may be that the EFI partition uses a FAT file system. However, enabling a umask through /etc/fstab as in Fedora, e.g., umask=0077, should make it much more secure.

Is this a security bug? It certainly makes the EFI directory vulnerable to tampering. Should this not be reported as a security vulnerability?

UPDATE: The bug reported for this question has been resolved and a fix has been released.

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: actionparsnip

Best actionparsnip (andrew-woodhead666) said :
#1

I suggest you report a security bug.

Saurav Sengupta (sauravz) said :
#2

Re: Comment #1: Thank you. I have reported a security bug as you have suggested. However, a security bug report is private by default, whereas this question is public. I can find no way to mark a question private. I was unsure whether this qualified as a security issue, so I asked this question here.

Saurav Sengupta (sauravz) said :
#3

The bug has been marked as confirmed, marking this question as solved.

Saurav Sengupta (sauravz) said :
#4

Thanks actionparsnip, that solved my question.

Saurav Sengupta (sauravz) said :
#5

Update: The bug reported for this question has been resolved and a fix has been released.
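
A check for the /etc/fstab setting raised in the question, as an added example that is not part of the original thread or of any Ubuntu fix: it reads an fstab-format file and reports whether the /boot/efi entry carries a mask that removes all group and other permissions, as umask=0077 does. The function name `efi_mask_status` and the sample fstab lines (with a placeholder UUID) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the mask options on the fstab entry for the ESP.
# Prints one of: restricted | exposed | unset | invalid | missing
efi_mask_status() {
    fstab=$1
    mp=${2:-/boot/efi}
    # Field 2 is the mount point, field 4 the comma-separated options.
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$fstab")
    [ -n "$opts" ] || { echo missing; return 0; }
    d=; f=
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            umask=*) d=${o#umask=}; f=$d ;;   # umask sets both masks
            dmask=*) d=${o#dmask=} ;;         # directories only
            fmask=*) f=${o#fmask=} ;;         # regular files only
        esac
    done
    IFS=$old_ifs
    # No mask option: the mounting process's umask applies, so the fstab
    # line alone does not say what mode the directory will get.
    [ -n "$d" ] && [ -n "$f" ] || { echo unset; return 0; }
    case $d$f in *[!0-7]*) echo invalid; return 0 ;; esac
    # Masks are octal; 077 (decimal 63) strips every group/other bit.
    if [ $(( 0$d & 077 )) -eq 63 ] && [ $(( 0$f & 077 )) -eq 63 ]; then
        echo restricted
    else
        echo exposed
    fi
}

# Constructed sample lines (placeholder UUID), not from a real system.
sample=$(mktemp)
for opt in umask=0077 umask=0000 defaults; do
    printf 'UUID=XXXX-XXXX /boot/efi vfat %s 0 1\n' "$opt" > "$sample"
    printf '%-12s %s\n' "$opt" "$(efi_mask_status "$sample")"
done
rm -f "$sample"
```

On a running system, `stat -c %a /boot/efi` shows the mode actually in effect on the mounted directory, which is the value to compare against the 0777 described in the question.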