Comment 0 for bug 1933826

CIS guidance for all distributions suggest securing grub bootloader configuration for two purposes:

1. In general, arbitrary users shouldn't have access to read grub configuration in general,
2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password.

We suggest 400 for all systems, especially in light that we suggest bootloader passwords for level 2 compliance.

For some information, see for instance: https://workbench.cisecurity.org/sections/784579/recommendations/1284256

(CIS benchmark section 1.4.1; available for free though does require a free login).

There's two approaches I could see taken here:

1. Follow CIS by default and chmod to 400 after file creation,
2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents.

The latter would make grub2-mkconfig aganostic of the actual CIS guidance, which perhaps might be a good thing.

I am told the issue of overwriting permissions doesn't affect Fedora distributions and mostly impacts Ubuntu ones. This makes me suspect we either have an older version of grub2-mkconfig or some patches of our own.