c16371
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
c16371
From: Michael Chang via Grub-devel <grub-devel@gnu.org>
c16371
Date: Fri, 3 Dec 2021 16:13:28 +0800
c16371
Subject: [PATCH] grub-mkconfig: restore umask for grub.cfg
c16371
c16371
Since commit:
c16371
c16371
  ab2e53c8a grub-mkconfig: Honor a symlink when generating configuration
c16371
by grub-mkconfig
c16371
c16371
has inadvertently discarded umask for creating grub.cfg in the process
c16371
of grub-mkconfig. The resulting wrong permission (0644) would allow
c16371
unprivileged users to read grub's configuration file content. This
c16371
presents a low confidentiality risk as grub.cfg may contain non-secured
c16371
plain-text passwords.
c16371
c16371
This patch restores the missing umask and set the file mode of creation
c16371
to 0600 preventing unprivileged access.
c16371
c16371
Fixes: CVE-2021-3981
c16371
c16371
Signed-off-by: Michael Chang <mchang@suse.com>
c16371
---
c16371
 util/grub-mkconfig.in | 2 ++
c16371
 1 file changed, 2 insertions(+)
c16371
c16371
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
b35c50
index f55339a3f6..520a672cd2 100644
c16371
--- a/util/grub-mkconfig.in
c16371
+++ b/util/grub-mkconfig.in
c16371
@@ -311,7 +311,9 @@ and /etc/grub.d/* files or please file a bug report with
c16371
     exit 1
c16371
   else
c16371
     # none of the children aborted with error, install the new grub.cfg
c16371
+    oldumask=$(umask); umask 077
c16371
     cat ${grub_cfg}.new > ${grub_cfg}
c16371
+    umask $oldumask
c16371
     rm -f ${grub_cfg}.new
c16371
   fi
c16371
 fi