EFI directory is insecure by default
The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by default. It has permissions/mode 0777 (rwx for all). Distributions other than Ubuntu may also have this issue; I have not checked, but some distributions enable secure permissions by default (e.g., Fedora). One (or maybe the only) reason for the default configuration being the way it is may be that the EFI partition uses a FAT file system. However, enabling a umask through /etc/fstab as in Fedora, e.g., umask=0077, should make it much more secure.
Is this a security bug? It certainly makes the EFI directory vulnerable to tampering. Should this not be reported as a security vulnerability?
UPDATE: The bug reported for this question has been resolved and a fix has been released.
Question information
- Language: English
- Status: Solved
- For: Ubuntu
- Assignee: No assignee
- Solved by: actionparsnip
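An added example, not part of the original question: a small audit that reads /etc/fstab-style text and computes the directory and file modes a FAT mount at /boot/efi will present from its umask, dmask and fmask options. The function name, verdict strings and sample fstab lines (including the UUIDs) are constructed for illustration.

```python
FAT_TYPES = {"vfat", "msdos"}

def audit_esp(fstab_text, mountpoint="/boot/efi"):
    """Report the modes a FAT mount at `mountpoint` will present."""
    findings = []
    for raw in fstab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] != mountpoint or fields[2] not in FAT_TYPES:
            continue
        # Options are comma separated; "key=value" or a bare flag.
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        umask = opts.get("umask")
        dmask = opts.get("dmask", umask)  # dmask/fmask fall back to umask
        fmask = opts.get("fmask", umask)
        entry = {"spec": fields[0], "dir_mode": None, "file_mode": None}
        if dmask is None or fmask is None:
            # No mask in fstab: the modes then depend on the umask of the
            # process that performs the mount, so fstab alone cannot tell.
            entry["verdict"] = "unspecified"
        else:
            # FAT stores no Unix permissions; every entry gets 0777 & ~mask.
            entry["dir_mode"] = 0o777 & ~int(dmask, 8)
            entry["file_mode"] = 0o777 & ~int(fmask, 8)
            loose = (entry["dir_mode"] | entry["file_mode"]) & 0o022
            entry["verdict"] = ("writable-by-others" if loose
                                else "no-group-or-other-write")
        findings.append(entry)
    return findings

# Constructed sample lines (not taken from any real system).
WEAK = "UUID=AAAA-0001 /boot/efi vfat umask=0000 0 1\n"
HARDENED = "UUID=AAAA-0002 /boot/efi vfat umask=0077,shortname=winnt 0 2\n"
SPLIT = "UUID=AAAA-0003 /boot/efi vfat fmask=0133,dmask=0022 0 1\n"
UNSET = "# ESP\nUUID=AAAA-0004 /boot/efi vfat defaults 0 1\n"

if __name__ == "__main__":
    for name, text in [("weak", WEAK), ("hardened", HARDENED),
                       ("split", SPLIT), ("unset", UNSET)]:
        for f in audit_esp(text):
            mode = "n/a" if f["dir_mode"] is None else format(f["dir_mode"], "04o")
            print(f"{name}: dir mode {mode} -> {f['verdict']}")
```

On a live system, the mode reported by `stat -c '%a' /boot/efi` shows what the current mount actually applied.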