[Bug 248843] Re: grub config file should not be world readable

Launchpad Bug Tracker 248843 at bugs.launchpad.net
Sun Feb 11 07:11:50 UTC 2018


This bug was fixed in the package tiger - 1:3.2.4~rc1-1

---------------
tiger (1:3.2.4~rc1-1) unstable; urgency=low

  * debian/postrm: Remove depth in find when purging to avoid warnings
    (LP: #665453)
  * debian/source/format: Explicitly define the source format. Set as 1.0
    since the package will not use quilt as Savannah upstream is directly
    packaged into Debian
  * debian/rules: Fix FTCBFS: Let dh_auto_configure pass --host to ./configure.
    (Closes: #888041)
  * util/convert2html, util/genmsgidx: make the build reproducible with patch
    provided by Alexis Bienvenüe (Closes: #828226)
  * Include content from GIT upstream (3.2.4rc1 release):
     - systems/Linux/2/gen_mounts: Added fuse.clamfs and fuse.javafs
       filesystems (LP: #1204527, #1305057)
     - systems/Linux/2/check_release:
         + Update Debian version, current stable is 9.3 and list of old Debian
         versions 
         + Add support to check for RHEL and Ubuntu releases. Now Ubuntu is no
         longer considered a Debian "unstable" version (LP: #248845)
     - scripts/check_accounts: Optimise as per suggestion by Arran Schlosberg
     - scripts/check_crontabs: Clean up gen_cron file content before it is used
       (Closes: #839635)
     - systems/Linux/2/check_lilo: Only complain if grub is world readable
        when it has a password configured (LP: #248843). 
        Look for grub in the proper location (as used in Grub 2)
     - systems/Linux/2/check_release:  Update Debian version, current stable is
       9.3 and list of old Debian versions. Add support to check for RHEL and
       Ubuntu releases. Ubuntu is no longer considered a Debian "unstable"
       version (LP: #248845)
     - systems/Linux/2/deb_checkmd5sums: Optimise by avoiding checking files in
       /usr/share/
     - tigerrc: Set +Tiger_Check_TRUSTED to 'N' (Closes: #722629)

 -- Javier Fernández-Sanguino Peña <jfs at debian.org>  Sat, 10 Feb 2018 22:57:09 +0100

** Changed in: tiger (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/248843

Title:
  grub config file should not be world readable

Status in Tiger:
  Unknown
Status in grub2 package in Ubuntu:
  Fix Released
Status in tiger package in Ubuntu:
  Fix Released

Bug description:
  Binary package hint: grub

  tiger emits these two notices:
  # --WARN-- [boot02] The configuration file /boot/grub/menu.lst has group permissions. Should be 0600
  # --FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world permissions. Should be 0600

  I'm inclined to agree that menu.lst should not be world-readable to
  protect the (optional) password hash therein from dictionary cracking
  attempts. This should be fixed in grub.

  I see no reason to worry about it having root group access. This
  should be fixed in tiger.

  Grub2's /boot/grub/grub.cfg also is world readable.
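
The check described in the changelog entry and the bug description above (complain about a world-readable GRUB config only when it holds a password), as an added example that is neither part of the original report nor tiger's own check_lilo code. The function names, result strings and sample files are hypothetical, and accepting group read follows the reporter's view on root group access.

```shell
#!/bin/sh
# Added example (not tiger's check_lilo): flag a GRUB config only when it
# both carries a password directive and is readable by "other".

# True if FILE has a GRUB legacy "password" or GRUB 2 "password_pbkdf2" line.
grub_has_password() {
    grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$1"
}

# True if FILE has the world-read bit (o+r) set.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print)" ]
}

# audit_grub_cfg FILE -> prints missing | no-password | world-readable | ok
audit_grub_cfg() {
    if [ ! -f "$1" ]; then
        echo missing
    elif ! grub_has_password "$1"; then
        echo no-password        # nothing secret in the file, stay quiet
    elif world_readable "$1"; then
        echo world-readable     # hash exposed to every local user
    else
        echo ok                 # root-group read (0640) is accepted
    fi
}

# Constructed sample configs; the hash values are placeholders.
make_samples() {
    dir=$1
    printf 'default 0\ntitle Linux\n' > "$dir/plain.lst"
    printf 'password --md5 PLACEHOLDER_HASH\ntitle Linux\n' > "$dir/menu.lst"
    printf 'set superusers="root"\npassword_pbkdf2 root PLACEHOLDER_HASH\n' \
        > "$dir/grub.cfg"
    chmod 644 "$dir/plain.lst" "$dir/menu.lst"
    chmod 640 "$dir/grub.cfg"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp"
    for f in plain.lst menu.lst grub.cfg absent.cfg; do
        printf '%-12s %s\n' "$f" "$(audit_grub_cfg "$tmp/$f")"
    done
    rm -rf "$tmp"
}
demo
```

On a real system the function would be pointed at /boot/grub/menu.lst and /boot/grub/grub.cfg, the two paths named in the report.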
