"bootctl install" outputs some warnings about /efi mount point and random seed file in the terminal

pebcak · August 1, 2023, 8:49pm

I needed to recreate my systemd-boot’s EFI boot entry in an oldish system converted from Grub.

I did a sudo bootctl install and I got the output here below:

Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/efi/EFI/systemd/systemd-bootx64.efi".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/efi/EFI/BOOT/BOOTX64.EFI".
⚠️ Mount point '/efi' which backs the random seed file is world accessible, which is a security hole! ⚠️
⚠️ Random seed file '/efi/loader/random-seed' is world accessible, which is a security hole! ⚠️
Random seed file /efi/loader/random-seed successfully refreshed (32 bytes).
Created EFI boot entry "Linux Boot Manager".

I have done a quick search in www but I haven’t found anything related to these warnings.

Does anyone know what these are about and how I could fix it?

drwxr-xr-x 8 root root 4096 Jan 1 1970 efi

ls -al /efi/loader/
total 24
drwxr-xr-x 3 root root 4096 Aug  1 22:27 .
drwxr-xr-x 8 root root 4096 Jan  1  1970 ..
drwxr-xr-x 2 root root 4096 Jun 16 19:22 entries
-rwxr-xr-x 1 root root    6 Sep 15  2022 entries.srel
-rwxr-xr-x 1 root root   71 Apr 26 20:47 loader.conf
-rwxr-xr-x 1 root root   32 Aug  1 22:27 random-seed

dalto · August 1, 2023, 8:53pm

sudo chmod o-rwx /efi/loader/random-seed
sudo chmod o-rwx /efi

pebcak · August 1, 2023, 9:02pm

Thank you so much @dalto for the swift reply!

I executed the two chmod commands.
I ran the bootctl install once again to test.
I’m still getting:

⚠️ Mount point '/efi' which backs the random seed file is world accessible, which is a security hole! ⚠️
⚠️ Random seed file '/efi/loader/random-seed' is world accessible, which is a security hole! ⚠️

What am I missing?

dalto · August 1, 2023, 9:13pm

What does ls -ld /efi show?

pebcak · August 1, 2023, 9:16pm

$ ls -ld /efi
drwxr-xr-x 8 root root 4096 Jan  1  1970 /efi

It seems that the chmod command didn’t change any permissions?

dalto · August 1, 2023, 9:23pm

Hahaha…it is because it is fat32.

You need to change the permissions in /etc/fstab and remount it.

Maybe add fmask=0137,dmask=0027 to options.

pebcak · August 1, 2023, 9:29pm

Obvious now when you mention it

Will do right away and report back.

pebcak · August 1, 2023, 9:45pm

In /etc/fstab

UUID=5C1D-26F4 /efi vfat rw,relatime,fmask=0137,dmask=0027,errors=remount-ro 0 2

$ sudo bootctl install 
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/efi/EFI/systemd/systemd-bootx64.efi".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/efi/EFI/BOOT/BOOTX64.EFI".
Random seed file /efi/loader/random-seed successfully refreshed (32 bytes).
Created EFI boot entry "Linux Boot Manager".

You did it! Again!
Thank you @dalto!

Marked it solved

anon49550872 · August 1, 2023, 11:25pm

This fixed for me too, thanks

system · August 3, 2023, 11:25pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.