touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #34728
[Bug 1390183] Re: EFI directory is insecure by default
Thanks for reporting it! :)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to mountall in Ubuntu.
https://bugs.launchpad.net/bugs/1390183
Title:
EFI directory is insecure by default
Status in “mountall” package in Ubuntu:
Fix Released
Status in “partman-efi” package in Ubuntu:
Fix Released
Status in “partman-efi” package in Debian:
Unknown
Bug description:
The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by
default. It has permissions/mode 0777 (rwx for all). This makes the
directory very vulnerable to tampering. Although it may be possible to
repair damage to this directory externally if the system becomes
unbootable due to such damage, having to do this is undesirable and
usually not easy for most users. Distributions other than Ubuntu may
also be having this issue, I have not checked, but some distributions
enable secure permissions by default (e.g., Fedora). One (or maybe the
only) reason for the default configuration being the way it is may be
that the EFI partition uses a FAT file system. However, enabling a
umask through /etc/fstab as in Fedora, e.g., umask=0077, should make
it much more secure.
Ubuntu 14.10 Utopic Unicorn (x86_64/amd64)
Expected default configuration:-
A critical system directory such as /boot/efi should be inaccessible to non-root users by default.
Actual default configuration:-
The EFI directory /boot/efi is accessible to all users irrespective of the user account's privileges (permission mode 0777/rwxrwxrwx).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1390183/+subscriptions