[Bug 1933826] [NEW] default permissions on bootloader configuration
Alexander Scheel
1933826 at bugs.launchpad.net
Mon Jun 28 11:33:37 UTC 2021
Public bug reported:
CIS guidance for all distributions suggest securing grub bootloader
configuration for two purposes:
1. In general, arbitrary users shouldn't have access to read grub configuration in general,
2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password.
We suggest 400 for all systems, especially in light that we suggest
bootloader passwords for level 2 compliance.
For some information, see for instance:
https://workbench.cisecurity.org/sections/784579/recommendations/1284256
(CIS benchmark section 1.4.1; available for free though does require a
free login).
There's two approaches I could see taken here:
1. Follow CIS by default and chmod to 400 after file creation,
2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents.
The latter would make grub2-mkconfig aganostic of the actual CIS
guidance, which perhaps might be a good thing.
I am told the issue of overwriting permissions doesn't affect Fedora distributions and mostly impacts Ubuntu ones. This makes me suspect we either have an older version of grub2-mkconfig or some patches of our own.
** Affects: grub2 (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1933826
Title:
default permissions on bootloader configuration
Status in grub2 package in Ubuntu:
New
Bug description:
CIS guidance for all distributions suggest securing grub bootloader
configuration for two purposes:
1. In general, arbitrary users shouldn't have access to read grub configuration in general,
2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password.
We suggest 400 for all systems, especially in light that we suggest
bootloader passwords for level 2 compliance.
For some information, see for instance:
https://workbench.cisecurity.org/sections/784579/recommendations/1284256
(CIS benchmark section 1.4.1; available for free though does require a
free login).
There's two approaches I could see taken here:
1. Follow CIS by default and chmod to 400 after file creation,
2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents.
The latter would make grub2-mkconfig aganostic of the actual CIS
guidance, which perhaps might be a good thing.
I am told the issue of overwriting permissions doesn't affect Fedora distributions and mostly impacts Ubuntu ones. This makes me suspect we either have an older version of grub2-mkconfig or some patches of our own.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1933826/+subscriptions
More information about the foundations-bugs
mailing list