basecamp · kuro-toji · Apr 24, 2026 · Copilot · Apr 24, 2026 · Copilot
diff --git a/install/config/boot-permissions-fix.sh b/install/config/boot-permissions-fix.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Fix /boot permissions security issue
+# The random seed file and /boot mount should not be world accessible
+# See: https://github.com/basecamp/omarchy/issues/5377
+
+echo "Fixing /boot permissions for better security..."
+
+# Fix /boot directory permissions (should be 700)
+sudo chmod 700 /boot 2>/dev/null || echo "Could not change /boot permissions"
+
+# Fix random-seed file permissions if it exists
+if [[ -f /boot/loader/random-seed ]]; then
+  sudo chmod 600 /boot/loader/random-seed 2>/dev/null || echo "Could not change random-seed permissions"
+fi
+
+# Ensure /boot is mounted with proper permissions
+# Add to fstab if not already present with correct options
+if ! grep -q "^/boot" /etc/fstab 2>/dev/null; then
+  echo "Warning: /boot is not in fstab, permissions may not persist"
-# Fix /boot directory permissions (should be 700)
-sudo chmod 700 /boot 2>/dev/null || echo "Could not change /boot permissions"
-
-# Fix random-seed file permissions if it exists
-if [[ -f /boot/loader/random-seed ]]; then
-  sudo chmod 600 /boot/loader/random-seed 2>/dev/null || echo "Could not change random-seed permissions"
-fi
-
-# Ensure /boot is mounted with proper permissions
-# Add to fstab if not already present with correct options
-if ! grep -q "^/boot" /etc/fstab 2>/dev/null; then
-  echo "Warning: /boot is not in fstab, permissions may not persist"
+boot_fs_type=""
+boot_mount_options=""
+
+if command -v findmnt &>/dev/null && findmnt -n --target /boot &>/dev/null; then
+  boot_fs_type="$(findmnt -n -o FSTYPE --target /boot 2>/dev/null)"
+  boot_mount_options="$(findmnt -n -o OPTIONS --target /boot 2>/dev/null)"
+fi
+
+if [[ "$boot_fs_type" =~ ^(vfat|fat|msdos)$ ]]; then
+  echo "/boot is mounted on $boot_fs_type; applying mount masks because chmod may not change effective permissions"
+
+  if [[ "$boot_mount_options" == *"umask=0077"* ]] || [[ "$boot_mount_options" == *"dmask=0077"* && "$boot_mount_options" == *"fmask=0177"* ]]; then
+    echo "/boot already has restrictive mount options"
+  else
+    sudo mount -o remount,dmask=0077,fmask=0177 /boot 2>/dev/null || echo "Could not remount /boot with restrictive permissions"
+  fi
+
+  # chmod is not reliable on FAT-family filesystems; effective permissions come from mount options
+  if grep -Eq '^[^#[:space:]]+[[:space:]]+/boot[[:space:]]+' /etc/fstab 2>/dev/null; then
+    if ! grep -Eq '^[^#[:space:]]+[[:space:]]+/boot[[:space:]]+[^[:space:]]+[[:space:]]+[^#[:space:]]*(umask=0077|dmask=0077[^#[:space:]]*fmask=0177|fmask=0177[^#[:space:]]*dmask=0077)' /etc/fstab 2>/dev/null; then
+      echo "Warning: /boot is in fstab without restrictive mount options; add dmask=0077,fmask=0177 (or umask=0077) for persistence"
+    fi
+  else
+    echo "Warning: /boot is not in fstab, restrictive mount options may not persist"
+  fi
+else
+  # Fix /boot directory permissions (should be 700)
+  sudo chmod 700 /boot 2>/dev/null || echo "Could not change /boot permissions"
+
+  # Fix random-seed file permissions if it exists
+  if [[ -f /boot/loader/random-seed ]]; then
+    sudo chmod 600 /boot/loader/random-seed 2>/dev/null || echo "Could not change random-seed permissions"
+  fi
+
+  # Ensure /boot is mounted with proper permissions
+  # Add to fstab if not already present with correct options
+  if ! grep -Eq '^[^#[:space:]]+[[:space:]]+/boot[[:space:]]+' /etc/fstab 2>/dev/null; then
+    echo "Warning: /boot is not in fstab, permissions may not persist"
+  fi
-# Fix /boot directory permissions (should be 700)
-sudo chmod 700 /boot 2>/dev/null || echo "Could not change /boot permissions"
-
-# Fix random-seed file permissions if it exists
-if [[ -f /boot/loader/random-seed ]]; then
-  sudo chmod 600 /boot/loader/random-seed 2>/dev/null || echo "Could not change random-seed permissions"
-fi
-
-# Ensure /boot is mounted with proper permissions
-# Add to fstab if not already present with correct options
-if ! grep -q "^/boot" /etc/fstab 2>/dev/null; then
-  echo "Warning: /boot is not in fstab, permissions may not persist"
+boot_fs_type=""
+boot_mount_options=""
+
+if command -v findmnt &>/dev/null && findmnt -n --target /boot &>/dev/null; then
+  boot_fs_type="$(findmnt -n -o FSTYPE --target /boot 2>/dev/null)"
+  boot_mount_options="$(findmnt -n -o OPTIONS --target /boot 2>/dev/null)"
+fi
+
+if [[ "$boot_fs_type" =~ ^(vfat|fat|msdos)$ ]]; then
+  echo "/boot is mounted on $boot_fs_type; applying mount masks because chmod may not change effective permissions"
+
+  if [[ "$boot_mount_options" == *"umask=0077"* ]] || [[ "$boot_mount_options" == *"dmask=0077"* && "$boot_mount_options" == *"fmask=0177"* ]]; then
+    echo "/boot already has restrictive mount options"
+  else
+    sudo mount -o remount,dmask=0077,fmask=0177 /boot 2>/dev/null || echo "Could not remount /boot with restrictive permissions"
+  fi
+
+  # chmod is not reliable on FAT-family filesystems; effective permissions come from mount options
+  if grep -Eq '^[^#[:space:]]+[[:space:]]+/boot[[:space:]]+' /etc/fstab 2>/dev/null; then
+    if ! grep -Eq '^[^#[:space:]]+[[:space:]]+/boot[[:space:]]+[^[:space:]]+[[:space:]]+[^#[:space:]]*(umask=0077|dmask=0077[^#[:space:]]*fmask=0177|fmask=0177[^#[:space:]]*dmask=0077)' /etc/fstab 2>/dev/null; then
+      echo "Warning: /boot is in fstab without restrictive mount options; add dmask=0077,fmask=0177 (or umask=0077) for persistence"
+    fi
+  else
+    echo "Warning: /boot is not in fstab, restrictive mount options may not persist"
+  fi
+else
+  # Fix /boot directory permissions (should be 700)
+  sudo chmod 700 /boot 2>/dev/null || echo "Could not change /boot permissions"
+
+  # Fix random-seed file permissions if it exists
+  if [[ -f /boot/loader/random-seed ]]; then
+    sudo chmod 600 /boot/loader/random-seed 2>/dev/null || echo "Could not change random-seed permissions"
+  fi
+
+  # Ensure /boot is mounted with proper permissions
+  # Add to fstab if not already present with correct options
+  if ! grep -Eq '^[^#[:space:]]+[[:space:]]+/boot[[:space:]]+' /etc/fstab 2>/dev/null; then
+    echo "Warning: /boot is not in fstab, permissions may not persist"
+  fi
+fi
+
+# Disable bootctl random seed generation warnings by setting correct permissions
+if command -v bootctl &>/dev/null; then
+  # Run bootctl with proper environment to set correct permissions
+  sudo bootctl random-seed 2>/dev/null || true
+fi
+
+echo "Boot permissions fix complete!"
diff --git a/migrations/1777007500.sh b/migrations/1777007500.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Fix /boot permissions security issue
+# See: https://github.com/basecamp/omarchy/issues/5377
+
+echo "Fixing /boot permissions for better security..."
+
+# Check filesystem type of /boot
+boot_fs_type=""
+boot_mount_options=""
+
+if command -v findmnt &>/dev/null && findmnt -n --target /boot &>/dev/null; then
+  boot_fs_type="$(findmnt -n -o FSTYPE --target /boot 2>/dev/null)"
+  boot_mount_options="$(findmnt -n -o OPTIONS --target /boot 2>/dev/null)"
+fi
+
+if [[ "$boot_fs_type" =~ ^(vfat|fat|msdos)$ ]]; then
+  echo "/boot is on $boot_fs_type filesystem; applying mount masks"
+
+  # Check if already has restrictive options
+  if [[ "$boot_mount_options" == *"umask=0077"* ]] || \
+     ([[ "$boot_mount_options" == *"dmask=0077"* ]] && [[ "$boot_mount_options" == *"fmask=0177"* ]]); then
+    echo "✓ /boot already has restrictive mount options"
+  else
+    # Try to remount with restrictive options
+    sudo mount -o remount,dmask=0077,fmask=0177 /boot 2>/dev/null || echo "Warning: Could not remount /boot with restrictive permissions"
+  fi
+
+  # chmod is not reliable on FAT, but try anyway for the random-seed file
+  if [[ -f /boot/loader/random-seed ]]; then
+    sudo chmod 600 /boot/loader/random-seed 2>/dev/null || echo "Warning: Could not change random-seed permissions on FAT"
+  fi
+else
+  # Fix /boot directory permissions for non-FAT filesystems
+  sudo chmod 700 /boot 2>/dev/null || echo "Could not change /boot permissions"
+
+  # Fix random-seed file permissions
+  if [[ -f /boot/loader/random-seed ]]; then
+    sudo chmod 600 /boot/loader/random-seed 2>/dev/null || echo "Could not change random-seed permissions"
+  fi
+fi
+
+# Verify the fix
+if [[ "$boot_fs_type" =~ ^(vfat|fat|msdos)$ ]]; then
+  new_options="$(findmnt -n -o OPTIONS --target /boot 2>/dev/null)"
+  if [[ "$new_options" == *"umask=0077"* ]] || \
+     ([[ "$new_options" == *"dmask=0077"* ]] && [[ "$new_options" == *"fmask=0177"* ]]); then
+    echo "✓ /boot mount options fixed"
+  fi
+else
+  if [[ $(stat -c %a /boot 2>/dev/null) == "700" ]]; then
+    echo "✓ /boot permissions fixed to 700"
+  fi
+fi
+
+# Notify user (with error handling)
+if command -v notify-send >/dev/null 2>&1 && [[ -n "${DBUS_SESSION_BUS_ADDRESS:-}" ]]; then
+  notify-send "Boot permissions fixed" "Security improvement applied to /boot" 2>/dev/null || true
+fi