Security warning when installing NixOS 23.11

When installing NixOS 23.11 from the Minimal ISO image, I get 2 warnings:

⚠ Mount point '/boot' which backs the random seed file is world accessible, which is a security hole! ⚠
⚠ Random seed file '/boot/loader/.#bootctlrandom-seedc5706ea22f8895b0' is world accessible, which is a security hole! ⚠

With a bit more context:

installing the boot loader...
setting up /etc...
Initializing machine ID from random generator.
Created "/boot/EFI".
Created "/boot/EFI/systemd".
Created "/boot/EFI/BOOT".
Created "/boot/loader".
Created "/boot/loader/entries".
Created "/boot/EFI/Linux".
Copied "/nix/store/i0sdqs34r68if9s4sfmpixnnj36npiwj-systemd-254.6/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/EFI/systemd/systemd-bootx64.efi".
Copied "/nix/store/i0sdqs34r68if9s4sfmpixnnj36npiwj-systemd-254.6/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/EFI/BOOT/BOOTX64.EFI".
⚠ Mount point '/boot' which backs the random seed file is world accessible, which is a security hole! ⚠
⚠ Random seed file '/boot/loader/.#bootctlrandom-seedc5706ea22f8895b0' is world accessible, which is a security hole! ⚠
Random seed file /boot/loader/random-seed successfully written (32 bytes).
Successfully initialized system token in EFI variable with 32 bytes.
Created EFI boot entry "Linux Boot Manager".
setting up /etc...
setting up /etc...
setting root password...
New password:

The install works fine though.

Should I be worried about these warnings?

For info:

[root@nixos:/etc/nixos]# cat hardware-configuration.nix 
# Do not modify this file!  It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations.  Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

{
  imports = [ ];

  boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "uhci_hcd" "ehci_pci" "xhci_pci" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
    { device = "rpool/root";
      fsType = "zfs";
    };

  fileSystems."/nix" =
    { device = "rpool/nix";
      fsType = "zfs";
    };

  fileSystems."/home" =
    { device = "rpool/home";
      fsType = "zfs";
    };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/5F22-E176";
      fsType = "vfat";
    };

  swapDevices =
    [ { device = "/dev/disk/by-uuid/340bf911-767f-4553-b70d-b62bb6543cc1"; }
    ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens33.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

[root@nixos:/etc/nixos]# cat configuration.nix 
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).

{ config, lib, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  boot.supportedFilesystems = [ "zfs" ];

  boot.zfs.forceImportRoot = false;
  boot.zfs.devNodes = "/dev/disk/by-path";

  networking.hostId = "c1bb35d6";
  networking.hostName = "nixos"; # Define your hostname.
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.

  # Set your time zone.
  # time.timeZone = "Europe/Amsterdam";

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkb.options in tty.
  # };

  # Enable the X11 windowing system.
  # services.xserver.enable = true;
  # Configure keymap in X11
  # services.xserver.xkb.layout = "us";
  # services.xserver.xkb.options = "eurosign:e,caps:escape";

  # Enable CUPS to print documents.
  # services.printing.enable = true;

  # Enable sound.
  # sound.enable = true;
  # hardware.pulseaudio.enable = true;

  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.users.alice = {
  #   isNormalUser = true;
  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
  #   packages = with pkgs; [
  #     firefox
  #     tree
  #   ];
  # };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    # wget
  ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "yes";
    };
  };

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "23.11"; # Did you read the comment?

}

2 Likes

See more here: Nixos-install with custom flake results in /boot being world accessible - #14 by ElvishJerricco

Basically, you should add options = ["umask=0077"]; to the /boot file system stanza. You can avoid the warning during installation too by mounting /mnt/boot with -o umask=0077 in the first place.

We should add this information to the nixos manual, but unfortunately nixos-generate-config currently wouldn’t include that option in the generated hardware-configuration.nix.

Overall, the warning is fairly harmless. This wasn’t warned about for many years, and so it’s very common for systems not to have this configured (which is why the manual hasn’t had this information before). But it is technically best practice to make sure that only root can read /boot using umask=0077, so systemd v254 included the new warning.

9 Likes
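As an added example (not code from this thread, from NixOS or from systemd), here is a small POSIX shell check a defender can run after applying the advice above: it reads lines in /proc/mounts format, finds the vfat mount at a usual ESP location, and reports whether the effective file and directory masks leave the mount (and so loader/random-seed) readable by root only. The mask handling mirrors how the kernel fat driver applies the options in order (umask= sets both masks, fmask=/dmask= override one of them), which is also why a mount made with -o umask=0077 shows up as fmask=0077,dmask=0077 in /proc/mounts. The device names and mount lines at the bottom are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the thread, NixOS or systemd. Checks whether the
# FAT-formatted ESP (where systemd-boot keeps loader/random-seed) is mounted
# so that only root can read it, i.e. with the umask=0077 the thread recommends.
# On a live system:   check_esp_mounts < /proc/mounts

# Return 0 if a vfat mask value (octal, as mount parses it) masks out every
# group and other bit, i.e. (mask & 077) == 077.
mask_is_strict() {
    m=$1
    case $m in ''|*[!0-7]*) return 1 ;; esac   # empty or non-octal: not strict
    m=${m#"${m%%[!0]*}"}                       # drop leading zeros
    [ $(( 0${m:-0} & 63 )) -eq 63 ]            # 63 == 077 octal
}

# Return 0 if a full mount option string leaves the ESP readable by root only.
# Options are applied in order the way the kernel fat driver does: umask= sets
# both the file and the directory mask, fmask=/dmask= override one of them.
# With no mask option at all the driver falls back to the mounting process's
# umask (normally 0022), so that case is reported as not restricted.
esp_opts_restrict_access() {
    fmask=''; dmask=''
    old_ifs=$IFS; IFS=','; set -f
    for kv in $1; do
        case $kv in
            umask=*) fmask=${kv#umask=}; dmask=${kv#umask=} ;;
            fmask=*) fmask=${kv#fmask=} ;;
            dmask=*) dmask=${kv#dmask=} ;;
        esac
    done
    set +f; IFS=$old_ifs
    mask_is_strict "$fmask" && mask_is_strict "$dmask"
}

# Read /proc/mounts-format lines on stdin and report every vfat mount at a
# typical ESP location. Exit 0 only if all of them are root-only; 1 if any is
# world accessible; 2 if no ESP mount was seen at all.
check_esp_mounts() {
    status=0; found=0
    while read -r dev mnt fstype opts rest; do
        [ "$fstype" = vfat ] || continue
        case $mnt in /boot|/boot/efi|/efi) ;; *) continue ;; esac
        found=1
        if esp_opts_restrict_access "$opts"; then
            printf 'OK   %s (%s): %s\n' "$mnt" "$dev" "$opts"
        else
            printf 'WARN %s (%s) is world accessible; mount it with -o umask=0077\n' "$mnt" "$dev"
            status=1
        fi
    done
    [ "$found" -eq 1 ] || { echo 'no vfat ESP mount found at /boot, /boot/efi or /efi'; status=2; }
    return "$status"
}

# Constructed sample input in /proc/mounts format: a vfat mount with the
# default 0022 masks (what the installer in the thread produced), one mounted
# with umask=0077, and an unrelated zfs root.
SAMPLE_MOUNTS='/dev/sda1 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 0
/dev/sdb1 /efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 0
rpool/root / zfs rw,relatime,xattr,noacl 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | check_esp_mounts || true
```

On the sample input the first line is flagged and the second passes. The check only looks at the mount options, which is exactly the layer the umask=0077 advice works at: FAT stores no per-file permissions, so the mask chosen at mount time is what decides who can open loader/random-seed on the running system.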

Worth noting that the ESP must be a FAT partition, which does not support permissions, so the only way to actually close the security hole would be to encrypt /boot, or put the random seed file elsewhere. The umask setting is simply silencing the warning without addressing the underlying limitations of FAT.

https://github.com/NixOS/nixpkgs/issues/279362#issuecomment-1913126484

1 Like

I’ll copy my answer here for anyone who doesn’t open the link:

No, not at all. It’s true that it doesn’t change any permissions on-disk, because FAT doesn’t have permissions. But the only reason this is important in the first place is simply to keep non-root users from reading/writing the random-seed, which is accomplished with umask=0077. This is the intended solution upstream in systemd, as evidenced by the way systemd automounts the ESP.

You cannot encrypt the ESP or (reliably) use any other file system than FAT. UEFI includes protocols for accessing file systems that the firmware supports, which is how systemd-boot accesses /boot files. The UEFI spec only requires implementations to support plain FAT, so that’s the only kind of storage you can reliably expect systemd-boot to work with. In practice, it often supports NTFS, and you can load custom file system drivers like those from efifs, but 1) This is not the intended design, and 2) I’m not aware of any encrypted storage drivers for UEFI.

2 Likes

@ElvishJerricco Thanks for replying to that! That makes sense.

2 Likes