Activity log for bug #1933826

Date Who What changed Old value New value Message
2021-06-28 11:33:37 Alexander Scheel bug added bug
2021-06-28 11:49:22 Alexander Scheel summary default permissions on bootloader configuration default file permissions on bootloader configuration
2021-06-28 11:51:17 Alexander Scheel description CIS guidance for all distributions suggest securing grub bootloader configuration for two purposes: 1. In general, arbitrary users shouldn't have access to read grub configuration in general, 2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password. We suggest 400 for all systems, especially in light that we suggest bootloader passwords for level 2 compliance. For some information, see for instance: https://workbench.cisecurity.org/sections/784579/recommendations/1284256 (CIS benchmark section 1.4.1; available for free though does require a free login). There's two approaches I could see taken here: 1. Follow CIS by default and chmod to 400 after file creation, 2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents. The latter would make grub2-mkconfig aganostic of the actual CIS guidance, which perhaps might be a good thing. I am told the issue of overwriting permissions doesn't affect Fedora distributions and mostly impacts Ubuntu ones. This makes me suspect we either have an older version of grub2-mkconfig or some patches of our own. CIS guidance for all distributions suggest securing grub bootloader configuration file permissions for two purposes: 1. In general, arbitrary users shouldn't have access to read grub configuration in general, 2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password. We suggest octal 0400 permissions for all systems, especially because we suggest bootloader passwords for level 2 compliance. For some information, see for instance: https://workbench.cisecurity.org/sections/784579/recommendations/1284256 (CIS benchmark section 1.4.1; available for free though does require a free login). There's two approaches I could see taken here: 1. Follow CIS by default and chmod to 400 after file creation, 2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents. The latter would make grub2-mkconfig aganostic of the actual CIS guidance, which perhaps might be a good thing. Note that this is a bug in grub2-mkconfig as it explicitly sets a umask and chmod's conditionally based on password applicability (though, to a level not otherwise suitable for our purposes). --- I am told the issue of overwriting permissions doesn't affect Fedora distributions and mostly impacts Ubuntu ones. This makes me suspect we either have an older version of grub2-mkconfig or some patches of our own.
2021-06-28 19:11:43 Launchpad Janitor grub2 (Ubuntu): status New Confirmed
2021-06-28 19:13:49 Kenyon Ralph bug added subscriber Kenyon Ralph
2021-07-02 21:08:12 Brian Murray tags rls-ii-incoming
2021-07-08 18:07:50 Brian Murray tags rls-ii-incoming fr-1491 rls-ii-incoming
2021-07-08 18:08:32 Brian Murray nominated for series Ubuntu Impish
2021-07-08 18:08:32 Brian Murray bug task added grub2 (Ubuntu Impish)
2021-07-08 18:08:44 Brian Murray tags fr-1491 rls-ii-incoming fr-1491
2021-09-02 12:40:31 Julian Andres Klode grub2 (Ubuntu Impish): status Confirmed Fix Committed
2021-09-14 12:43:13 Launchpad Janitor grub2 (Ubuntu Impish): status Fix Committed Fix Released
2021-11-02 11:02:06 Julian Andres Klode grub2 (Ubuntu Impish): status Fix Released Triaged
2021-11-02 11:02:09 Julian Andres Klode grub2 (Ubuntu): status Fix Released Triaged
2021-11-02 11:02:14 Julian Andres Klode nominated for series Ubuntu Jammy
2021-11-02 11:02:14 Julian Andres Klode bug task added grub2 (Ubuntu Jammy)
2023-09-25 13:26:57 Julian Andres Klode grub2 (Ubuntu): status Triaged Fix Released