2021-06-28 11:51:17 |
Alexander Scheel |
description |
CIS guidance for all distributions suggest securing grub bootloader configuration for two purposes:
1. In general, arbitrary users shouldn't have access to read grub configuration in general,
2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password.
We suggest 400 for all systems, especially in light that we suggest bootloader passwords for level 2 compliance.
For some information, see for instance: https://workbench.cisecurity.org/sections/784579/recommendations/1284256
(CIS benchmark section 1.4.1; available for free though does require a free login).
There's two approaches I could see taken here:
1. Follow CIS by default and chmod to 400 after file creation,
2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents.
The latter would make grub2-mkconfig aganostic of the actual CIS guidance, which perhaps might be a good thing.
I am told the issue of overwriting permissions doesn't affect Fedora distributions and mostly impacts Ubuntu ones. This makes me suspect we either have an older version of grub2-mkconfig or some patches of our own. |
CIS guidance for all distributions suggest securing grub bootloader configuration file permissions for two purposes:
1. In general, arbitrary users shouldn't have access to read grub configuration in general,
2. In specific, when a grub bootloader password is configured, we'd still prefer a principle of least-privilege, and prevent most users from having easy, ready access to the hashed password.
We suggest octal 0400 permissions for all systems, especially because we suggest bootloader passwords for level 2 compliance.
For some information, see for instance: https://workbench.cisecurity.org/sections/784579/recommendations/1284256
(CIS benchmark section 1.4.1; available for free though does require a free login).
There's two approaches I could see taken here:
1. Follow CIS by default and chmod to 400 after file creation,
2. Don't delete and recreate the file; instead, simply modify (truncate+write) to the correct contents.
The latter would make grub2-mkconfig aganostic of the actual CIS guidance, which perhaps might be a good thing.
Note that this is a bug in grub2-mkconfig as it explicitly sets a umask and chmod's conditionally based on password applicability (though, to a level not otherwise suitable for our purposes).
---
I am told the issue of overwriting permissions doesn't affect Fedora distributions and mostly impacts Ubuntu ones. This makes me suspect we either have an older version of grub2-mkconfig or some patches of our own. |
|