On Sun, Aug 06, 2006 at 05:06:41PM +0200, Lionel Elie Mamane wrote: > On Wed, Jul 26, 2006 at 12:03:23PM +0200, Max Vozeler wrote: >> On Tue, Jul 18, 2006 at 09:42:49PM +0200, Lionel Elie Mamane wrote:
>>>> More importantly: The initramfs file in /boot is by default >>>> world-readable. If we copy root.gpg into it, it will be readable >>>> by all users. Same for files in $rootgpghome. >>> I don't see any reason he wouldn't take a patch for both these >>> things. Having temp files 0600 wouldn't hurt, so we could have he >>> patch do it always. As for the initrd.img-$foo file, ... any reason >>> not to also always do it? >> I can't think of reasons against it. We should talk with >> Maximillian Attems what he thinks can be done. >> I've had a quick look at the available hooks today. (...) And it'd >> be nicer of course if there was support directly in >> initramfs-tools. >> At the start of mkinitramfs umask is initialized to 0022. > I've filed a bug to ask it to be initialised to 0077. Simplest, > easiest. OK, he's reluctant to have it done unconditionally, so I made it a configuration option. Here is the loop-aes-utils side of that (untested, roughly done), assuming he takes my second patch. The question is, do we want to do it unconditionally when loop-aes-utils is installed? Should we rather duplicate (or move) the logic checking for "is the root on encrypted root?" to /etc/initramfs-tools/conf.d/loopaes? -- Lionel -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
