[Bug 1933826] Re: default file permissions on bootloader configuration

Dimitri John Ledkov 1933826 at bugs.launchpad.net
Thu Jul 15 17:40:02 UTC 2021 

we currently do chain grub.cfg from ESP to boot partition, can the
password be set in that grub.cfg file instead? which today is outside of
the scope of grub-mkconfig management.

And that grub is protected with restrictive mount options of ESP, see
/boot/efi/EFI/ubuntu/grub.cfg

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1933826

Title:
  default file permissions on bootloader configuration

Status in grub2 package in Ubuntu:
  Confirmed
Status in grub2 source package in Impish:
  Confirmed

Bug description:
  CIS guidance for all distributions suggest securing grub bootloader
  configuration file permissions for two purposes:

  1. In general, arbitrary users shouldn't have access to read grub configuration in general,
  2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password.

  We suggest octal 0400 permissions for all systems, especially because
  we suggest bootloader passwords for level 2 compliance.

  For some information, see for instance:
  https://workbench.cisecurity.org/sections/784579/recommendations/1284256

  (CIS benchmark section 1.4.1; available for free though does require a
  free login).

  There's two approaches I could see taken here:

  1. Follow CIS by default and chmod to 400 after file creation,
  2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents.

  The latter would make grub2-mkconfig aganostic of the actual CIS
  guidance, which perhaps might be a good thing.

  Note that this is a bug in grub2-mkconfig as it explicitly sets a
  umask and chmod's conditionally based on password applicability
  (though, to a level not otherwise suitable for our purposes).

  ---

  I am told the issue of overwriting permissions doesn't affect Fedora
  distributions and mostly impacts Ubuntu ones. This makes me suspect we
  either have an older version of grub2-mkconfig or some patches of our
  own.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1933826/+subscriptions

More information about the foundations-bugs mailing list