Public bug reported:

CIS guidance for all distributions suggests securing grub bootloader
configuration for two purposes:

1. In general, arbitrary users shouldn't have access to read grub configuration 
in general,
2. In specific, when a grub bootloader password is configured, we'd still 
prefer a principle of least-privilege, and prevent most users from having easy, 
ready access to the hashed password.

We suggest 400 for all systems, especially in light that we suggest
bootloader passwords for level 2 compliance.

For some information, see for instance:
https://workbench.cisecurity.org/sections/784579/recommendations/1284256

(CIS benchmark section 1.4.1; available for free though does require a
free login).


There are two approaches I could see taken here:

1. Follow CIS by default and chmod to 400 after file creation,
2. Don't delete and recreate the file; instead, simply modify (truncate+write) 
to the correct contents.

The latter would make grub2-mkconfig agnostic of the actual CIS
guidance, which perhaps might be a good thing.


I am told the issue of overwriting permissions doesn't affect Fedora 
distributions and mostly impacts Ubuntu ones. This makes me suspect we either 
have an older version of grub2-mkconfig or some patches of our own.

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1933826

Title:
  default permissions on bootloader configuration

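The two approaches from the report, next to the delete-and-recreate behaviour it describes, as an added example that is not part of the original report and is not grub2-mkconfig code. The function names, the umask of 022 and the temporary stand-in file are assumptions; the in-place case uses mode 600 because the demo runs unprivileged, whereas root can write through 400.

```shell
#!/bin/sh
# Added example: works on a constructed stand-in file in a temp directory,
# never on the real bootloader configuration.

# Permission string of a file, e.g. "-r--------" (portable, no GNU stat).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Behaviour the report describes: delete and recreate. The new inode takes
# its mode from the umask (022 assumed here), so an earlier chmod is lost.
regen_recreate() {
    rm -f "$1"
    ( umask 022; printf '%s\n' "$2" > "$1" )
}

# Approach 1: still recreate, but create under umask 077 so the content is
# never world-readable, then tighten to 400.
regen_chmod_after() {
    rm -f "$1"
    ( umask 077; printf '%s\n' "$2" > "$1" )
    chmod 400 "$1"
}

# Approach 2: truncate and rewrite the existing inode. Mode and owner stay
# as the administrator set them, so the tool needs no knowledge of CIS.
regen_in_place() {
    printf '%s\n' "$2" > "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    cfg="$dir/grub.cfg"                     # constructed stand-in
    printf 'placeholder\n' > "$cfg"; chmod 400 "$cfg"
    echo "hardened by admin:   $(mode_of "$cfg")"
    regen_recreate "$cfg" 'menuentry "constructed" {}'
    echo "delete and recreate: $(mode_of "$cfg")"
    regen_chmod_after "$cfg" 'menuentry "constructed" {}'
    echo "chmod after create:  $(mode_of "$cfg")"
    chmod 600 "$cfg"                        # unprivileged demo needs u+w
    regen_in_place "$cfg" 'menuentry "constructed" {}'
    echo "truncate and write:  $(mode_of "$cfg")"
    rm -rf "$dir"
}
demo
```

Approach 2 is not atomic: an interrupted write leaves a truncated file, whereas writing a new file and renaming it over the old one does not.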