[Bug 1933826] Re: default file permissions on bootloader configuration

Julian Andres Klode 1933826 at bugs.launchpad.net
Mon Jun 28 13:07:34 UTC 2021 

FWIW, we explicitly ship a patch to make the file world-readable if it
does not contain a password.

From: Colin Watson <cjwatson at debian.org>
Date: Mon, 13 Jan 2014 12:12:55 +0000
Subject: Make grub.cfg world-readable if it contains no passwords

Patch-Name: grub.cfg-400.patch
---
 util/grub-mkconfig.in | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index 9f477ff..45cd4cc 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -276,6 +276,10 @@ for i in "${grub_mkconfig_dir}"/* ; do
   esac
 done
 
+if [ "x${grub_cfg}" != "x" ] && ! grep "^password" ${grub_cfg}.new >/dev/null; then
+  chmod 444 ${grub_cfg}.new || true
+fi

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1933826

Title:
  default file permissions on bootloader configuration

Status in grub2 package in Ubuntu:
  New

Bug description:
  CIS guidance for all distributions suggest securing grub bootloader
  configuration file permissions for two purposes:

  1. In general, arbitrary users shouldn't have access to read grub configuration in general,
  2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password.

  We suggest octal 0400 permissions for all systems, especially because
  we suggest bootloader passwords for level 2 compliance.

  For some information, see for instance:
  https://workbench.cisecurity.org/sections/784579/recommendations/1284256

  (CIS benchmark section 1.4.1; available for free though does require a
  free login).

  There's two approaches I could see taken here:

  1. Follow CIS by default and chmod to 400 after file creation,
  2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents.

  The latter would make grub2-mkconfig aganostic of the actual CIS
  guidance, which perhaps might be a good thing.

  Note that this is a bug in grub2-mkconfig as it explicitly sets a
  umask and chmod's conditionally based on password applicability
  (though, to a level not otherwise suitable for our purposes).

  ---

  I am told the issue of overwriting permissions doesn't affect Fedora
  distributions and mostly impacts Ubuntu ones. This makes me suspect we
  either have an older version of grub2-mkconfig or some patches of our
  own.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1933826/+subscriptions

More information about the foundations-bugs mailing list