** Summary changed:

- default permissions on bootloader configuration
+ default file permissions on bootloader configuration

** Description changed:

  CIS guidance for all distributions suggest securing grub bootloader
- configuration for two purposes:
+ configuration file permissions for two purposes:
  
  1. In general, arbitrary users shouldn't have access to read grub 
configuration in general,
  2. In specific, when a grub bootloader password is configured, we'd still 
prefer a principle of least-privilege, and prevent most users from having easy, 
ready access to the hashed password.
  
- We suggest 400 for all systems, especially in light that we suggest
- bootloader passwords for level 2 compliance.
+ We suggest octal 0400 permissions for all systems, especially because we
+ suggest bootloader passwords for level 2 compliance.
  
  For some information, see for instance:
  https://workbench.cisecurity.org/sections/784579/recommendations/1284256
  
  (CIS benchmark section 1.4.1; available for free though does require a
  free login).
- 
  
  There's two approaches I could see taken here:
  
  1. Follow CIS by default and chmod to 400 after file creation,
  2. Don't delete and recreate the file; instead, simply modify 
(truncate+write) to the correct contents.
  
  The latter would make grub2-mkconfig aganostic of the actual CIS
  guidance, which perhaps might be a good thing.
  
+ Note that this is a bug in grub2-mkconfig as it explicitly sets a umask
+ and chmod's conditionally based on password applicability (though, to a
+ level not otherwise suitable for our purposes).
  
- I am told the issue of overwriting permissions doesn't affect Fedora 
distributions and mostly impacts Ubuntu ones. This makes me suspect we either 
have an older version of grub2-mkconfig or some patches of our own.
+ ---
+ 
+ I am told the issue of overwriting permissions doesn't affect Fedora
+ distributions and mostly impacts Ubuntu ones. This makes me suspect we
+ either have an older version of grub2-mkconfig or some patches of our
+ own.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1933826

Title:
  default file permissions on bootloader configuration

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1933826/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to