[Bug 1933826] Re: default file permissions on bootloader configuration

Alexander Scheel 1933826 at bugs.launchpad.net
Mon Jun 28 11:49:22 UTC 2021


** Summary changed:

- default permissions on bootloader configuration
+ default file permissions on bootloader configuration

** Description changed:

  CIS guidance for all distributions suggest securing grub bootloader
- configuration for two purposes:
+ configuration file permissions for two purposes:
  
  1. In general, arbitrary users shouldn't have access to read grub configuration in general,
  2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password.
  
- We suggest 400 for all systems, especially in light that we suggest
- bootloader passwords for level 2 compliance.
+ We suggest octal 0400 permissions for all systems, especially because we
+ suggest bootloader passwords for level 2 compliance.
  
  For some information, see for instance:
  https://workbench.cisecurity.org/sections/784579/recommendations/1284256
  
  (CIS benchmark section 1.4.1; available for free though does require a
  free login).
- 
  
  There's two approaches I could see taken here:
  
  1. Follow CIS by default and chmod to 400 after file creation,
  2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents.
  
  The latter would make grub2-mkconfig aganostic of the actual CIS
  guidance, which perhaps might be a good thing.
  
+ Note that this is a bug in grub2-mkconfig as it explicitly sets a umask
+ and chmod's conditionally based on password applicability (though, to a
+ level not otherwise suitable for our purposes).
  
- I am told the issue of overwriting permissions doesn't affect Fedora distributions and mostly impacts Ubuntu ones. This makes me suspect we either have an older version of grub2-mkconfig or some patches of our own.
+ ---
+ 
+ I am told the issue of overwriting permissions doesn't affect Fedora
+ distributions and mostly impacts Ubuntu ones. This makes me suspect we
+ either have an older version of grub2-mkconfig or some patches of our
+ own.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1933826

Title:
  default file permissions on bootloader configuration

Status in grub2 package in Ubuntu:
  New

Bug description:
  CIS guidance for all distributions suggests securing grub bootloader
  configuration file permissions for two purposes:

  1. In general, arbitrary users shouldn't have access to read grub configuration in general,
  2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password.

  We suggest octal 0400 permissions for all systems, especially because
  we suggest bootloader passwords for level 2 compliance.

  For some information, see for instance:
  https://workbench.cisecurity.org/sections/784579/recommendations/1284256

  (CIS benchmark section 1.4.1; available for free though does require a
  free login).

  There are two approaches I could see taken here:

  1. Follow CIS by default and chmod to 400 after file creation,
  2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents.

  The latter would make grub2-mkconfig agnostic of the actual CIS
  guidance, which perhaps might be a good thing.

  Note that this is a bug in grub2-mkconfig as it explicitly sets a
  umask and chmod's conditionally based on password applicability
  (though, to a level not otherwise suitable for our purposes).

  ---

  I am told the issue of overwriting permissions doesn't affect Fedora
  distributions and mostly impacts Ubuntu ones. This makes me suspect we
  either have an older version of grub2-mkconfig or some patches of our
  own.
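The two approaches named in the description, as an added shell illustration that is not code from grub2-mkconfig or the Ubuntu grub2 package: it regenerates a constructed grub.cfg that was hardened to 0400 both ways and checks what remains against the CIS 1.4.1 expectation. The .new staging name, the umask value and the sample file contents are assumptions.

```shell
set -eu
# Added demo, not grub2-mkconfig's own code; grub.cfg contents are constructed.

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Strategy 1: generate into a fresh file and move it over the old one.
# The hardened inode is discarded; the new one gets its mode from the umask.
regen_recreate() (
    umask 022
    printf '%s\n' "$2" > "$1.new"
    mv -f "$1.new" "$1"
)

# Strategy 2: keep the existing inode and rewrite only its contents.  Root
# (which grub2-mkconfig runs as) can truncate a 0400 file directly; the
# chmod u+w/restore pair lets an unprivileged owner run this demo and makes
# the intent explicit: the mode the administrator chose survives.
regen_inplace() (
    umask 022
    orig=$(mode_of "$1")
    printf '%s\n' "$2" > "$1.new"
    chmod u+w "$1"
    cat "$1.new" > "$1"
    rm -f "$1.new"
    chmod "$orig" "$1"
)

# CIS 1.4.1-style check: exactly 0400.  Exit status 0 means compliant.
check_cfg_mode() {
    [ "$(mode_of "$1")" = "400" ]
}

# Apply one strategy to a constructed 0400 grub.cfg in a scratch directory
# and print the mode left behind.
mode_after() {
    dir=$(mktemp -d)
    cfg="$dir/grub.cfg"
    printf 'set superusers="root"\n' > "$cfg"
    chmod 400 "$cfg"
    "$1" "$cfg" 'set timeout=5'
    mode_of "$cfg"
    rm -rf "$dir"
}

mode_after regen_recreate   # prints 644 under umask 022: hardening lost
mode_after regen_inplace    # prints 400: hardening preserved
```

Running check_cfg_mode against the real /boot/grub/grub.cfg after an update is the quick way to see whether the installed grub2-mkconfig behaves like strategy 1 or strategy 2 on a given system.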
