On Thu, Sep 26, 2013 at 1:45 AM, Kay Sievers <k...@vrfy.org> wrote:
> On Thu, Sep 26, 2013 at 1:13 AM, Sébastien Luttringer <se...@seblu.net> wrote:
>> On Thu, Sep 26, 2013 at 12:56 AM, Kay Sievers <k...@vrfy.org> wrote:
>>> On Thu, Sep 26, 2013 at 12:38 AM, Tom Gundersen <t...@jklm.no> wrote:
>>>> Force 0600 and root:root instead, to avoid problems with fat filesystems.
>>>
>>> Sounds fine to me, to enforce root permissions.
>>
>> Boot kernel was world readable, and it makes sense. Why is making them
>> root only readable a good idea?
>
> Sure, 0644 sounds fine too.
>
>> If your /boot is a FAT filesystem, the world readable rights are
>> handled by your mount options.
>> On non UEFI systems, world readable rights set by kernel-install matter.
>
> Why would that matter?

On a non UEFI system your boot partition (when there is one) is almost _never_ FAT. It's a "decent" FS like ext{2,3,4} or anything that handles group and other permissions.
With these FS, you cannot globally override the permissions set by kernel-install with a mount option to have these files world readable. Like with fat:

# mount -t vfat
/dev/sda1 on /boot type vfat (rw,...,fmask=0133,dmask=0022,...)

>
>>> If people want special permissions, they can always drop-in their own
>>> install.d/ callout to mangle them.
>> This means maintain its own generator,
>
> It's not a generator, they are different things in systemd. It would
> just be a /usr/lib/kernel/install.d/*.install snippet.

Yes, it's a mistake, I realized too late, sorry. But the meaning is the same: copying /usr/lib/kernel/install.d/90-loaderentry.install into /etc and keeping track of upgrades of the original file only to edit perms is a waste of time.
If a drop-in.d mechanism (for these scripts) is available... it's like killing a fly with a tank.

>
>> it's a bit boring for just
>> being able to check the size of your installed kernel.
>
> Check the size and file permissions? You don't need access to check
> its size, do you?

True. And I don't remember opening these kernel files.

What bugs me is the message: Enforce root read only for /boot.
To be coherent, this should also apply to directories and files in /boot. Thus, other *.install files will be inspired by what the default systemd scripts do. As a consequence, initrd hooks will make my initrd not readable.
We can avoid that with a sane default here.

>> The opposite logic seems more appropriate.
>
> 0644 sounds good to me too, sure, as long as we have a defined default.

Sounds good!

--
Sébastien "Seblu" Luttringer
https://www.seblu.net
GPG: 0x2072D77A