On Sat, 18 Sep 2021 at 17:04:41 +0200, Guilhem Moulin wrote:
> I don't see why it makes more sense to og-rwx /etc/crypttab by default
> compared to /etc/fstab or /etc/systemd/system. If that makes sense in
> YOUR environment, then YOU are free to do it manually

Note however that if cryptsetup-initramfs is installed, and some disks need to be unlocked at early boot, then a crypttab snippet is included in the initramfs image. That image is world-readable by default, so extra steps need to be taken not to leak data. Perhaps update-initramfs should error out when it's about to generate a world-readable image containing files/directories with restrictions, but it doesn't AFAIK.

-- 
Guilhem.
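The kind of check the message says update-initramfs lacks, as an added example that is not part of the original message or of initramfs-tools. The function names are hypothetical; the script compares file modes only, does not unpack the image, and assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: flag an initramfs image whose mode is more permissive than
# a restricted file that gets copied into it (e.g. /etc/crypttab).
# All paths are supplied by the caller; the image is not unpacked.

# Print the octal permission bits of a file (GNU stat).
mode_of() {
    stat -c '%a' -- "$1"
}

# Succeed if group or other have the read bit set in the given octal mode.
readable_by_others() {
    [ $(( 0$1 & 044 )) -ne 0 ]
}

# check_image IMAGE SOURCE...
# Returns 1 and names each SOURCE that is closed to group/other while IMAGE
# is readable by them. Returns 0 when nothing mismatches, 2 if IMAGE is missing.
check_image() {
    image=$1; shift
    [ -f "$image" ] || { echo "no such image: $image" >&2; return 2; }
    img_mode=$(mode_of "$image")
    # An image that is itself restricted cannot widen access to its contents.
    readable_by_others "$img_mode" || return 0
    rc=0
    for src in "$@"; do
        [ -e "$src" ] || continue    # source absent: nothing to compare
        src_mode=$(mode_of "$src")
        if ! readable_by_others "$src_mode"; then
            echo "$image (mode $img_mode) is readable by others, but $src (mode $src_mode) is not" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Typical call on a Debian-style layout (paths are assumptions):
#   check_image "/boot/initrd.img-$(uname -r)" /etc/crypttab
```

A non-zero return means the image would expose a copy of a file that the administrator restricted on the root filesystem.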