Package: initramfs-tools Version: 0.140 Severity: normal Tags: security
Hi. AFAIU, the UMASK option is there for cases like e.g. when dm-crypt keys are included in the initramfs. I played a bit with it, and found that it already doesn't just affect the final initramfs image, but also parts below /var/tmp/mkinitramfs_*/ . With "parts" I mean: - the top level temp dir (/var/tmp/mkinitramfs_*/) is still world-readable - and even below that, only directories seem affected, while files included e.g. via copy_file are not. So I think,the top level dir should be created with the UMASK as well, or perhaps even generally with root ownership ... That should also protect all files not added with initramfs-tools functions, as well as files included with copy_file but at the root of the initramfs (which is the top level temp dir... so no intermediate dir would get created with a securing UMASK). Thanks, Chris.
