Package: initramfs-tools
Version: 0.131ubuntu8
Severity: normal
Tags: security

I have a fully encrypted (UEFI, LUKS, BTRFS) system, and in order to avoid
typing the password a second time after GRUB2, I added the `keyscript` option
to `/etc/crypttab`.
The keyscript file is only readable by root; however, the resulting
`initrd.img*` file is readable by anyone, which I think is a security issue.
I'd like `initrd.img*` files to also be readable by the root user only.

-- Package-specific info:
-- initramfs sizes
-rw-r--r-- 1 root root 53M Aug 11 19:50 /boot/initrd.img-4.17.0-5-generic
-rw-r--r-- 1 root root 53M Aug 11 19:49 /boot/initrd.img-4.17.0-6-generic
-rw-r--r-- 1 root root 53M Aug 11 19:49 /boot/initrd.img-4.17.0-7-generic
-- /proc/cmdline
BOOT_IMAGE=/root/boot/vmlinuz-4.17.0-5-generic root=UUID=5170aca4-061a-4c6c-ab00-bd7fc8ae6030 ro rootflags=subvol=root nosplash intel_pstate=disable scsi_mod.use_blk_mq=1 intel_iommu=on i915.fastboot=1

-- /etc/crypttab
# <target name> <source device>         <key file>      <options>
system UUID=739967f1-9770-470a-a031-8d8b8bcdb350 none luks,discard,keyscript=/etc/cryptroot/system.64.sh

-- System Information:
Debian Release: buster/sid
  APT prefers cosmic-proposed
  APT policy: (500, 'cosmic-proposed'), (500, 'cosmic')
Architecture: amd64 (x86_64)

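An audit for the exposure described in the report above, as an added example that is not part of the original report or of initramfs-tools. The function names are hypothetical; `UMASK` is the setting documented in initramfs.conf(5), and `/boot` and `/etc/initramfs-tools` are assumed as the default locations.

```shell
#!/bin/sh
# Added example: check initramfs images for group/other read access.
# Usage: audit_initramfs [BOOT_DIR] [INITRAMFS_CONF_DIR]

# Print every initrd.img* in DIR that group or others can read.
# Returns 1 if at least one such image exists, 0 otherwise.
world_readable_initrds() {
    dir=${1:-/boot}
    found=0
    for img in "$dir"/initrd.img*; do
        [ -f "$img" ] || continue
        # -perm -040 / -perm -004: group-read or other-read bit is set
        if [ -n "$(find "$img" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
            printf '%s\n' "$img"
            found=1
        fi
    done
    return "$found"
}

# Print the last UMASK= value set in initramfs.conf or conf.d/*,
# or nothing when no umask is configured.
configured_umask() {
    confdir=${1:-/etc/initramfs-tools}
    value=
    for f in "$confdir/initramfs.conf" "$confdir"/conf.d/*; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*UMASK=//p' "$f" | tr -d "\"'" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s' "$value"
}

# Combined report; returns 0 only when no image is exposed.
audit_initramfs() {
    um=$(configured_umask "${2:-/etc/initramfs-tools}")
    echo "UMASK in initramfs config: ${um:-<unset>}"
    if exposed=$(world_readable_initrds "${1:-/boot}"); then
        echo "OK: no initrd image is readable by group or others"
    else
        echo "EXPOSED (readable by group or others):"
        printf '%s\n' "$exposed"
        return 1
    fi
}
```

`UMASK` takes effect when an image is generated, so images built before the setting was added keep their old mode until they are rebuilt (for example with `update-initramfs -u -k all`) or their mode is changed by hand.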