[Bug 1933826] Re: default file permissions on bootloader configuration

Julian Andres Klode 1933826 at bugs.launchpad.net
Mon Jun 28 13:06:07 UTC 2021 

Fedora doesn't use grub-mkconfig after the initial install, but drops
https://www.freedesktop.org/wiki/Specifications/BootLoaderSpec/ files
into directories, so it's not entirely surprising their behavior is
different.

I'd say at the moment bootloader passwords are unsupported as IIRC,
there are issues with keyboard not working correctly in a bunch of
places. The use of them seems limited, given that you can just remove
the config entry given physical/pre-boot access. And encrypted /boot,
AFAICT, is also not supported.

Option 2 is a no go that might cause unbootable systems as you might end
up with an empty file in a crash.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1933826

Title:
  default file permissions on bootloader configuration

Status in grub2 package in Ubuntu:
  New

Bug description:
  CIS guidance for all distributions suggest securing grub bootloader
  configuration file permissions for two purposes:

  1. In general, arbitrary users shouldn't have access to read grub configuration in general,
  2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password.

  We suggest octal 0400 permissions for all systems, especially because
  we suggest bootloader passwords for level 2 compliance.

  For some information, see for instance:
  https://workbench.cisecurity.org/sections/784579/recommendations/1284256

  (CIS benchmark section 1.4.1; available for free though does require a
  free login).

  There's two approaches I could see taken here:

  1. Follow CIS by default and chmod to 400 after file creation,
  2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents.

  The latter would make grub2-mkconfig aganostic of the actual CIS
  guidance, which perhaps might be a good thing.

  Note that this is a bug in grub2-mkconfig as it explicitly sets a
  umask and chmod's conditionally based on password applicability
  (though, to a level not otherwise suitable for our purposes).

  ---

  I am told the issue of overwriting permissions doesn't affect Fedora
  distributions and mostly impacts Ubuntu ones. This makes me suspect we
  either have an older version of grub2-mkconfig or some patches of our
  own.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1933826/+subscriptions

More information about the foundations-bugs mailing list