[Bug 1933826] Re: default file permissions on bootloader configuration

Alexander Scheel 1933826 at bugs.launchpad.net
Thu Jul 1 18:45:12 UTC 2021


A few things to add to this discussion:

> I'd say at the moment bootloader passwords are unsupported as IIRC,
> there are issues with keyboard not working correctly in a bunch of
> places.

Yeah, I think this isn't meant as a true security _control_ (certainly
any matter of physical access yields many ways). But it is a defense-in-
depth type measure that at least slows down someone with physical
access. Definitely agree things like Bluetooth keyboards will probably
never work.

Another way of looking at it is a permission separation model where,
e.g., a legitimate employee might not have access to change bootloader
on their own machine (think: corporate managed device) whereas someone
in IT might.

To clarify further, we also recommend the use of --unrestricted, whereby
password is only required for modifying configuration and not booting at
all.


The CIS community also generally feels that other parameters in there might be relevant to protect, hence the suggestion to chmod 400 all the time, rather than conditionally based on password.


From that context, in my mind, I think that this still justifies the permission changes by default and not chmod back to 444 without a password being present.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1933826

Title:
  default file permissions on bootloader configuration

Status in grub2 package in Ubuntu:
  Confirmed

Bug description:
  CIS guidance for all distributions suggests securing grub bootloader
  configuration file permissions for two purposes:

  1. In general, arbitrary users shouldn't have access to read grub configuration in general,
  2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password.

  We suggest octal 0400 permissions for all systems, especially because
  we suggest bootloader passwords for level 2 compliance.

  For some information, see for instance:
  https://workbench.cisecurity.org/sections/784579/recommendations/1284256

  (CIS benchmark section 1.4.1; available for free though does require a
  free login).

  There are two approaches I could see taken here:

  1. Follow CIS by default and chmod to 400 after file creation,
  2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents.

  The latter would make grub2-mkconfig agnostic of the actual CIS
  guidance, which perhaps might be a good thing.

  Note that this is a bug in grub2-mkconfig as it explicitly sets a
  umask and chmod's conditionally based on password applicability
  (though, to a level not otherwise suitable for our purposes).

  ---

  I am told the issue of overwriting permissions doesn't affect Fedora
  distributions and mostly impacts Ubuntu ones. This makes me suspect we
  either have an older version of grub2-mkconfig or some patches of our
  own.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1933826/+subscriptions
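The following shell script is an added illustration of the two approaches listed in the bug description; it is not code from grub2-mkconfig or from the bug thread. It assumes GNU or BSD `stat`, uses a throwaway temp file rather than /boot/grub/grub.cfg, and uses 0600 (instead of the recommended 0400) as the stand-in for an admin-restricted mode so that it also runs as an unprivileged user.

```bash
#!/bin/sh
# Added example, not grub2-mkconfig's own code: compares the approaches
# from the bug description on a throwaway file. "recreate" unlinks and
# rewrites (mode falls back to the umask), "inplace" truncates and rewrites
# the existing inode (mode preserved), "chmod" recreates and then forces
# 0400 as CIS recommends. 0600 stands in for the admin's restrictive mode
# because truncating a 0400 file needs root; grub-mkconfig runs as root.
umask 022   # typical default; what a recreated file inherits

# Print a file's octal mode (GNU stat, with a BSD/macOS fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Write the generated contents using the chosen strategy.
write_config() {
    strategy="$1"; cfg="$2"
    case "$strategy" in
        recreate)
            rm -f "$cfg"
            printf 'set timeout=5\n' > "$cfg" ;;
        inplace)
            : > "$cfg"                       # truncate, keep inode and mode
            printf 'set timeout=5\n' >> "$cfg" ;;
        chmod)
            rm -f "$cfg"
            printf 'set timeout=5\n' > "$cfg"
            chmod 400 "$cfg" ;;
        *) echo "unknown strategy: $strategy" >&2; return 1 ;;
    esac
}

# Set up an admin-locked config (constructed sample), regenerate it with
# the given strategy and print the resulting octal mode.
mode_after() {
    dir=$(mktemp -d) || return 1
    cfg="$dir/grub.cfg"
    printf 'set timeout=10\n' > "$cfg"
    chmod 600 "$cfg"
    write_config "$1" "$cfg" || { rm -rf "$dir"; return 1; }
    file_mode "$cfg"
    rm -rf "$dir"
}

# When run directly: recreate -> 644 (lost), inplace -> 600 (kept),
# chmod -> 400 (enforced regardless of what was there before).
for s in recreate inplace chmod; do
    printf '%-9s -> %s\n' "$s" "$(mode_after "$s")"
done
```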
