Restrict permissions on /boot to protect the random seed.

2024-09-13 10:31:44 +01:00
parent 8588d7f09f
commit 4e24ac988f
5 changed files with 7 additions and 1 deletions


@@ -39,6 +39,7 @@
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/B543-374F";
fsType = "vfat";
options = [ "umask=0077" ]; # to avoid the random seed being world readable
};
swapDevices = pkgs.lib.mkForce [ {