registry team mailing list archive

[Bug 248843] Re: grub config file should not be world readable

 

I'm happy with GRUB's current practice on this, expressed in this code:

if test "x${grub_cfg}" != "x"; then
  rm -f ${grub_cfg}.new
  exec > ${grub_cfg}.new

  # Allow this to fail, since /boot/grub/ might need to be fatfs to support some
  # firmware implementations (e.g. OFW or EFI).
  chmod 400 ${grub_cfg}.new || grub_warn "Could not make ${grub_cfg}.new readable by only root.\
  This means that if the generated config contains a password it is readable by everyone"
fi
echo "Generating grub.cfg ..." >&2

[...]

if [ "x${grub_cfg}" != "x" ] && ! grep -q "^password " ${grub_cfg}.new ; then
  chmod 444 ${grub_cfg}.new || true
fi

In other words, if you use the password command then it's secret,
otherwise it's world-readable.  As to why we don't make it world-
unreadable in general, nothing else in there is normally secret, so
there's really no reason to do so - it would just annoy people.
*Excessive* security tends to be a net loss.  If you have special
requirements then you can of course dpkg-divert /usr/sbin/update-grub
and add a wrapper which sets the privileges you want.

** Changed in: grub2 (Ubuntu)
       Status: Triaged => Fix Released

-- 
grub config file should not be world readable
https://bugs.launchpad.net/bugs/248843
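
The policy described in the message above (a config with a password line should be readable only by root, anything else may stay world-readable), written as a check an administrator could run after the config is regenerated. This is an added example, not code from GRUB or from the message; the function name grub_cfg_audit, its verdict words and its return codes are assumptions made here.

```shell
#!/bin/sh
# Added example: audit a generated grub.cfg against the policy in the message.
# grub_cfg_audit and its return codes are hypothetical, not part of GRUB.

# Prints one verdict word and returns:
#   0  ok       - no password line, or password line with group/other read off
#   1  exposed  - password line present and group or other can read the file
#   2  missing  - file absent or not readable by the auditing user
grub_cfg_audit() {
  cfg=$1
  if [ ! -r "$cfg" ]; then
    echo missing
    return 2
  fi

  # Same test as in the quoted excerpt: a line starting with "password ".
  if ! grep -q "^password " "$cfg"; then
    echo ok
    return 0
  fi

  # Permission string from ls, e.g. "-r--r--r--":
  # character 5 is group read, character 8 is other read.
  perms=$(ls -ld "$cfg" | cut -c1-10)
  group_r=$(printf '%s' "$perms" | cut -c5)
  other_r=$(printf '%s' "$perms" | cut -c8)
  if [ "$group_r" = "r" ] || [ "$other_r" = "r" ]; then
    echo exposed
    return 1
  fi
  echo ok
  return 0
}

# Audit the path given on the command line, if any.
if [ $# -gt 0 ]; then
  grub_cfg_audit "$1"
fi
```

On filesystems that cannot store Unix modes (the fatfs case the quoted comment mentions), the chmod is allowed to fail, so a password-bearing config there will report as exposed.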