Your message dated Sat, 11 Aug 2018 20:49:03 +0100
with message-id <d7aa562f7c1667fd76093aaf9211ffa933abb0b1.ca...@decadent.org.uk>
and subject line Re: Bug#905920: (no subject)
has caused the Debian Bug report #905920,
regarding (no subject)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
905920: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905920
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: initramfs-tools
Version: 0.131ubuntu8
Severity: normal
Tags: security

I have a fully encrypted (UEFI, LUKS, BTRFS) system and, in order to avoid typing
the password a second time after GRUB2, added the `keyscript` option to
`/etc/crypttab`.
The keyscript file is only readable by root; however, the resulting `initrd.img*` file
is readable by anyone, which I think is a security issue.
I'd like `initrd.img*` files to also be readable by the root user only.

-- Package-specific info:
-- initramfs sizes
-rw-r--r-- 1 root root 53M Aug 11 19:50 /boot/initrd.img-4.17.0-5-generic
-rw-r--r-- 1 root root 53M Aug 11 19:49 /boot/initrd.img-4.17.0-6-generic
-rw-r--r-- 1 root root 53M Aug 11 19:49 /boot/initrd.img-4.17.0-7-generic
-- /proc/cmdline
BOOT_IMAGE=/root/boot/vmlinuz-4.17.0-5-generic root=UUID=5170aca4-061a-4c6c-ab00-bd7fc8ae6030 ro rootflags=subvol=root nosplash intel_pstate=disable scsi_mod.use_blk_mq=1 intel_iommu=on i915.fastboot=1

-- /etc/crypttab
# <target name> <source device>         <key file>      <options>
system UUID=739967f1-9770-470a-a031-8d8b8bcdb350 none luks,discard,keyscript=/etc/cryptroot/system.64.sh

-- System Information:
Debian Release: buster/sid
  APT prefers cosmic-proposed
  APT policy: (500, 'cosmic-proposed'), (500, 'cosmic')
Architecture: amd64 (x86_64)

--- End Message ---
--- Begin Message ---
On Sat, 2018-08-11 at 21:07 +0300, Nazar Mokrynskyi wrote:
> Package: initramfs-tools
> Version: 0.131ubuntu8
> Severity: normal
> Tags: security
> 
> I have a fully encrypted (UEFI, LUKS, BTRFS) system and, in order to
> avoid typing the password a second time after GRUB2, added the
> `keyscript` option to `/etc/crypttab`.
> The keyscript file is only readable by root; however, the resulting
> `initrd.img*` file is readable by anyone, which I think is a security
> issue.
> I'd like `initrd.img*` files to also be readable by the root user
> only.

Set the UMASK parameter, documented in initramfs.conf(5).

Ben.

-- 
Ben Hutchings
Time is nature's way of making sure that
everything doesn't happen at once.


--- End Message ---
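
One way to check a system for the exposure discussed in this thread, as an added example that is not part of the bug report or of initramfs-tools: a POSIX shell audit that lists `initrd.img*` files readable by non-root users and checks whether a `UMASK` assignment would keep newly generated images private. The function names, the simplified config parsing and the suggested value 0077 are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit initramfs images for the exposure reported in this bug.
# Directory and config paths are arguments so it can be tried on a copy.

# List initrd.img* files in $1 that group or other can read.
# Exit status 1 if any are found, 0 otherwise.
exposed_initrds() {
    found=$(find "${1:-/boot}" -maxdepth 1 -type f -name 'initrd.img*' \
        \( -perm -040 -o -perm -004 \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Print the last UMASK= value assigned in the given config files (empty if none).
# Simplification: reads plain UMASK=value lines, does not evaluate shell code.
configured_umask() {
    val=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^UMASK="\{0,1\}\([0-7][0-7]*\).*/\1/p' "$f" | tail -n 1)
        [ -n "$v" ] && val=$v
    done
    printf '%s\n' "$val"
}

# True if umask $1 removes read permission for both group and other.
umask_hides_image() {
    case $1 in ''|*[!0-7]*) return 1 ;; esac
    [ $(( 0$1 & 044 )) -eq $(( 044 )) ]
}

# Report on images in $1 using the config files in the remaining arguments.
audit_initramfs() {
    dir=$1; shift
    um=$(configured_umask "$@")
    rc=0
    if umask_hides_image "$um"; then
        echo "UMASK=$um: newly generated images will not be readable by non-root"
    else
        echo "UMASK='$um' leaves new images readable; consider UMASK=0077"; rc=1
    fi
    if ! exposed_initrds "$dir"; then
        echo "images listed above are readable by non-root users"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--audit" ]; then
    audit_initramfs /boot /etc/initramfs-tools/initramfs.conf /etc/initramfs-tools/conf.d/*
fi
```

A umask only affects files created after it is set, so images that already exist keep their mode until they are regenerated or their permissions are changed.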
