** Summary changed: - default permissions on bootloader configuration + default file permissions on bootloader configuration
** Description changed: CIS guidance for all distributions suggest securing grub bootloader - configuration for two purposes: + configuration file permissions for two purposes: 1. In general, arbitrary users shouldn't have access to read grub configuration in general, 2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password. - We suggest 400 for all systems, especially in light that we suggest - bootloader passwords for level 2 compliance. + We suggest octal 0400 permissions for all systems, especially because we + suggest bootloader passwords for level 2 compliance. For some information, see for instance: https://workbench.cisecurity.org/sections/784579/recommendations/1284256 (CIS benchmark section 1.4.1; available for free though does require a free login). - There's two approaches I could see taken here: 1. Follow CIS by default and chmod to 400 after file creation, 2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents. The latter would make grub2-mkconfig aganostic of the actual CIS guidance, which perhaps might be a good thing. + Note that this is a bug in grub2-mkconfig as it explicitly sets a umask + and chmod's conditionally based on password applicability (though, to a + level not otherwise suitable for our purposes). - I am told the issue of overwriting permissions doesn't affect Fedora distributions and mostly impacts Ubuntu ones. This makes me suspect we either have an older version of grub2-mkconfig or some patches of our own. + --- + + I am told the issue of overwriting permissions doesn't affect Fedora + distributions and mostly impacts Ubuntu ones. This makes me suspect we + either have an older version of grub2-mkconfig or some patches of our + own. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1933826 Title: default file permissions on bootloader configuration To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1933826/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
