From d3a57a0853de1a4a03b4ae1fbfa8bc59dc01b217 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Mon, 16 Jun 2025 23:28:57 +0100
Subject: [PATCH] fstab-generator: set mode=0755 with root=tmpfs

If mode= is not set in rootflags= add mode=0755 when a tmpfs
is used on the rootfs, otherwise it will be group/world writable
as that's the default mode for tmpfs filesystems.

Follow-up for 725ad3b06288b2beeaaf178120010612a30646e4
---
 src/fstab-generator/fstab-generator.c                          | 2 ++
 test/test-fstab-generator/test-16-tmpfs.expected/sysroot.mount | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c
index 8c9352c3492..3a3af31a494 100644
--- a/src/fstab-generator/fstab-generator.c
+++ b/src/fstab-generator/fstab-generator.c
@@ -1197,6 +1197,8 @@ static int add_sysroot_mount(void) {
                         return log_oom();
 
                 fstype = arg_root_fstype ?: "tmpfs"; /* tmpfs, unless overridden */
+                if (streq(fstype, "tmpfs") && !fstab_test_option(arg_root_options, "mode\0"))
+                        extra_opts = "mode=0755"; /* root directory should not be world/group writable, unless overridden */
         } else {
 
                 what = fstab_node_to_udev_node(arg_root_what);
diff --git a/test/test-fstab-generator/test-16-tmpfs.expected/sysroot.mount b/test/test-fstab-generator/test-16-tmpfs.expected/sysroot.mount
index 99728fd0ca3..4d8b0fee3ad 100644
--- a/test/test-fstab-generator/test-16-tmpfs.expected/sysroot.mount
+++ b/test/test-fstab-generator/test-16-tmpfs.expected/sysroot.mount
@@ -10,4 +10,4 @@ After=imports.target
 What=rootfs
 Where=/sysroot
 Type=tmpfs
-Options=rw
+Options=rw,mode=0755
-- 
2.47.3