default file permissions on bootloader configuration
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
grub2 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Impish |
Triaged
|
Undecided
|
Unassigned | ||
Jammy |
Triaged
|
Undecided
|
Unassigned |
Bug Description
CIS guidance for all distributions suggest securing grub bootloader configuration file permissions for two purposes:
1. In general, arbitrary users shouldn't have access to read grub configuration in general,
2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password.
We suggest octal 0400 permissions for all systems, especially because we suggest bootloader passwords for level 2 compliance.
For some information, see for instance: https:/
(CIS benchmark section 1.4.1; available for free though does require a free login).
There's two approaches I could see taken here:
1. Follow CIS by default and chmod to 400 after file creation,
2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents.
The latter would make grub2-mkconfig aganostic of the actual CIS guidance, which perhaps might be a good thing.
Note that this is a bug in grub2-mkconfig as it explicitly sets a umask and chmod's conditionally based on password applicability (though, to a level not otherwise suitable for our purposes).
---
I am told the issue of overwriting permissions doesn't affect Fedora distributions and mostly impacts Ubuntu ones. This makes me suspect we either have an older version of grub2-mkconfig or some patches of our own.
summary: |
- default permissions on bootloader configuration + default file permissions on bootloader configuration |
description: | updated |
tags: | added: rls-ii-incoming |
tags: | added: fr-1491 |
tags: | removed: rls-ii-incoming |
Changed in grub2 (Ubuntu Impish): | |
status: | Confirmed → Fix Committed |
Changed in grub2 (Ubuntu Impish): | |
status: | Fix Released → Triaged |
Changed in grub2 (Ubuntu): | |
status: | Fix Released → Triaged |
Fedora doesn't use grub-mkconfig after the initial install, but drops https:/ /www.freedeskto p.org/wiki/ Specifications/ BootLoaderSpec/ files into directories, so it's not entirely surprising their behavior is different.
I'd say at the moment bootloader passwords are unsupported as IIRC, there are issues with keyboard not working correctly in a bunch of places. The use of them seems limited, given that you can just remove the config entry given physical/pre-boot access. And encrypted /boot, AFAICT, is also not supported.
Option 2 is a no go that might cause unbootable systems as you might end up with an empty file in a crash.