This bug was fixed in the package partman-efi - 25ubuntu7

---------------
partman-efi (25ubuntu7) vivid; urgency=medium

  * fstab.d/efi: force umask in mount options to ensure directory never
    ends up with incorrect permissions. (LP: #1390183)
 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>   Tue, 18 Nov 2014 08:39:09 -0500

** Changed in: partman-efi (Ubuntu)
       Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/1390183

Title:
  EFI directory is insecure by default

Status in “mountall” package in Ubuntu:
  Fix Released
Status in “partman-efi” package in Ubuntu:
  Fix Released
Status in “partman-efi” package in Debian:
  Unknown

Bug description:
  The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by
  default. It has permissions/mode 0777 (rwx for all). This makes the
  directory very vulnerable to tampering. Although it may be possible to
  repair damage to this directory externally if the system becomes
  unbootable due to such damage, having to do this is undesirable and
  usually not easy for most users. Distributions other than Ubuntu may
  also have this issue; I have not checked, but some distributions
  enable secure permissions by default (e.g., Fedora). One (or maybe the
  only) reason for the default configuration being the way it is may be
  that the EFI partition uses a FAT file system. However, enabling a
  umask through /etc/fstab as in Fedora, e.g., umask=0077, should make
  it much more secure.

  Ubuntu 14.10 Utopic Unicorn (x86_64/amd64)

  Expected default configuration:-
  A critical system directory such as /boot/efi should be inaccessible to
  non-root users by default.

  Actual default configuration:-
  The EFI directory /boot/efi is accessible to all users irrespective of the
  user account's privileges (permission mode 0777/rwxrwxrwx).
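
The fix described above (force a umask in the mount options of the /boot/efi
entry) can be checked and applied to an fstab with a few lines of POSIX shell.
The script below is an added example and is not code from the bug report, from
partman-efi or from mountall; the fstab contents (UUIDs, the "defaults"
options field) are constructed samples, and the function names are ours. It
parses the /boot/efi line, accepts the entry only when its options carry a
umask whose group and other digits are 7 (umask=0077, umask=077, umask=0177,
and so on), and rewrites a line that has no umask to use umask=0077.

```shell
#!/bin/sh
# Added example (not from the bug report or partman-efi): audit and harden the
# /boot/efi entry of an fstab. All fstab text below is constructed sample data.

# Constructed sample: the insecure default, a hardened entry, and a weak umask.
FSTAB_INSECURE='# /etc/fstab (constructed sample)
UUID=aaaa-1111  /  ext4  errors=remount-ro  0  1
UUID=1234-ABCD  /boot/efi  vfat  defaults  0  1'

FSTAB_FIXED='UUID=1234-ABCD  /boot/efi  vfat  umask=0077,shortname=mixed  0  1'

FSTAB_WEAK='UUID=1234-ABCD  /boot/efi  vfat  umask=0022  0  1'

# efi_mount_opts FSTAB_TEXT
#   Print the mount-option field (column 4) of the first non-comment line whose
#   mount point is /boot/efi; print nothing if there is no such line.
efi_mount_opts() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/boot/efi" { print $4; exit }'
}

# efi_umask_ok FSTAB_TEXT
#   Return 0 when the /boot/efi options include a umask that strips all
#   permissions from group and other (i.e. its last two octal digits are 77),
#   which is what "inaccessible to non-root users" requires on a FAT volume.
#   Return 1 when the entry is missing, has no umask, or has a weaker umask.
efi_umask_ok() {
    opts=$(efi_mount_opts "$1")
    [ -n "$opts" ] || return 1
    old_ifs=$IFS
    IFS=,
    for o in $opts; do
        case "$o" in
            umask=*77) IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# harden_efi_fstab FSTAB_TEXT
#   Print the fstab with umask=0077 added to the /boot/efi entry when that entry
#   has no umask at all. "defaults" is replaced; other option lists are extended.
#   Lines that already carry a umask are left untouched so a deliberate
#   (possibly weaker) choice is reported by efi_umask_ok rather than overwritten.
harden_efi_fstab() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^#/ && $2 == "/boot/efi" && $4 !~ /(^|,)umask=/ {
            $4 = ($4 == "defaults") ? "umask=0077" : $4 ",umask=0077"
        }
        { print }'
}

# Stand-alone usage: report on the constructed samples.
for name in FSTAB_INSECURE FSTAB_FIXED FSTAB_WEAK; do
    eval "text=\$$name"
    if efi_umask_ok "$text"; then
        echo "$name: /boot/efi umask ok ($(efi_mount_opts "$text"))"
    else
        echo "$name: /boot/efi umask missing or too weak ($(efi_mount_opts "$text"))"
    fi
done
echo "hardened insecure entry options: $(efi_mount_opts "$(harden_efi_fstab "$FSTAB_INSECURE")")"
```

To audit a live system, pass `"$(cat /etc/fstab)"` to `efi_umask_ok`. Two caveats the check does not cover: vfat also honours `fmask=` and `dmask=`, which override `umask=` for files and directories respectively, so an entry such as `umask=0077,dmask=0000` would pass this check while still exposing the directory; and an EFI System Partition that is mounted by something other than fstab (a systemd mount unit, or by hand) is not examined at all. Extending the option loop to reject any `fmask`/`dmask` that does not also end in 77 is the natural next step.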
