Restrict permissions on /boot to protect the random seed.

2024-09-13 10:31:44 +01:00
parent 8588d7f09f
commit 4e24ac988f
5 changed files with 7 additions and 1 deletions
--- a/hosts/alo-cloud-1/hardware.nix
+++ b/hosts/alo-cloud-1/hardware.nix
@@ -36,6 +36,7 @@
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/FF9C-DC81";
      fsType = "vfat";
+      options = [ "umask=0077" ]; # to avoid the random seed being world readable
    };

  swapDevices = [ {