[Bug 1933826] Re: default file permissions on bootloader configuration

Julian Andres Klode 1933826 at bugs.launchpad.net
Thu Sep 2 12:40:31 UTC 2021 

** Changed in: grub2 (Ubuntu Impish)
       Status: Confirmed => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1933826

Title:
  default file permissions on bootloader configuration

Status in grub2 package in Ubuntu:
  Fix Committed
Status in grub2 source package in Impish:
  Fix Committed

Bug description:
  CIS guidance for all distributions suggest securing grub bootloader
  configuration file permissions for two purposes:

  1. In general, arbitrary users shouldn't have access to read grub configuration in general,
  2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password.

  We suggest octal 0400 permissions for all systems, especially because
  we suggest bootloader passwords for level 2 compliance.

  For some information, see for instance:
  https://workbench.cisecurity.org/sections/784579/recommendations/1284256

  (CIS benchmark section 1.4.1; available for free though does require a
  free login).

  There's two approaches I could see taken here:

  1. Follow CIS by default and chmod to 400 after file creation,
  2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents.

  The latter would make grub2-mkconfig aganostic of the actual CIS
  guidance, which perhaps might be a good thing.

  Note that this is a bug in grub2-mkconfig as it explicitly sets a
  umask and chmod's conditionally based on password applicability
  (though, to a level not otherwise suitable for our purposes).

  ---

  I am told the issue of overwriting permissions doesn't affect Fedora
  distributions and mostly impacts Ubuntu ones. This makes me suspect we
  either have an older version of grub2-mkconfig or some patches of our
  own.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1933826/+subscriptions

More information about the foundations-bugs mailing list