|
 |
f6e916 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
f6e916 |
From: Michael Chang via Grub-devel <grub-devel@gnu.org>
|
|
|
f6e916 |
Date: Fri, 3 Dec 2021 16:13:28 +0800
|
|
|
f6e916 |
Subject: [PATCH] grub-mkconfig: restore umask for grub.cfg
|
|
|
f6e916 |
|
|
|
f6e916 |
Since commit:
|
|
|
f6e916 |
|
|
|
f6e916 |
ab2e53c8a grub-mkconfig: Honor a symlink when generating configuration
|
|
|
f6e916 |
by grub-mkconfig
|
|
|
f6e916 |
|
|
|
f6e916 |
has inadvertently discarded umask for creating grub.cfg in the process
|
|
|
f6e916 |
of grub-mkconfig. The resulting wrong permission (0644) would allow
|
|
|
f6e916 |
unprivileged users to read grub's configuration file content. This
|
|
|
f6e916 |
presents a low confidentiality risk as grub.cfg may contain non-secured
|
|
|
f6e916 |
plain-text passwords.
|
|
|
f6e916 |
|
|
|
f6e916 |
This patch restores the missing umask and set the file mode of creation
|
|
|
f6e916 |
to 0600 preventing unprivileged access.
|
|
|
f6e916 |
|
|
|
f6e916 |
Fixes: CVE-2021-3981
|
|
|
f6e916 |
|
|
|
f6e916 |
Signed-off-by: Michael Chang <mchang@suse.com>
|
|
|
f6e916 |
(cherry picked from commit 2acad06610da1488bfa387f56a847119ab758766)
|
|
|
f6e916 |
(cherry picked from commit 583bc3a468c9782696b2703e1098590f6f820add)
|
|
|
f6e916 |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
|
f6e916 |
---
|
|
|
f6e916 |
util/grub-mkconfig.in | 2 ++
|
|
|
f6e916 |
1 file changed, 2 insertions(+)
|
|
|
f6e916 |
|
|
|
f6e916 |
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
|
|
|
f6e916 |
index 5e643e169..a1c00776d 100644
|
|
|
f6e916 |
--- a/util/grub-mkconfig.in
|
|
|
f6e916 |
+++ b/util/grub-mkconfig.in
|
|
|
f6e916 |
@@ -317,7 +317,9 @@ and /etc/grub.d/* files or please file a bug report with
|
|
|
f6e916 |
exit 1
|
|
|
f6e916 |
else
|
|
|
f6e916 |
# none of the children aborted with error, install the new grub.cfg
|
|
|
f6e916 |
+ oldumask=$(umask); umask 077
|
|
|
f6e916 |
cat ${grub_cfg}.new > ${grub_cfg}
|
|
|
f6e916 |
+ umask $oldumask
|
|
|
f6e916 |
rm -f ${grub_cfg}.new
|
|
|
f6e916 |
fi
|
|
|
f6e916 |
fi
|