Hi Roger

On 2019/07/03 12:10, Roger Shimizu wrote:
> According to latest LUKS for rootfs guide [1], you can append
> "UMASK=0077" to /etc/initramfs-tools/initramfs.conf
>
> [1] https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

Ah great, having a "/etc/initramfs-tools/conf.d/initramfs-permissions" that contains "UMASK=0077" and running "update-initramfs -u" does fix that for me locally, I think it should be reasonable to add that to the calamares-settings package for Debian.

Does anyone know of a reason why this can't be universally a default in Debian? Is there a use case where a regular user needs read access to the initramfs?

My Fedora friends say dracut has defaulted to the more secure permissions for the last 7 years and that it hasn't been an issue there yet.

-Jonathan

--
  ⢀⣴⠾⠻⢶⣦⠀  Jonathan Carter (highvoltage) <jcc>
  ⣾⠁⢠⠒⠀⣿⡁  Debian Developer - https://wiki.debian.org/highvoltage
  ⢿⡄⠘⠷⠚⠋   https://debian.org | https://jonathancarter.org
  ⠈⠳⣄⠀⠀⠀⠀  Be Bold. Be brave. Debian has got your back.
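
A check for the fix discussed in this message, as an added example that is not part of the original mail or of any Debian package: it reads the configured `UMASK` and lists initramfs images that group or other can still read. The function names and the config sourcing order are assumptions; `stat -c` requires GNU coreutils.

```shell
#!/bin/bash
# Added example: check that the UMASK=0077 setting is configured and applied.
# Directories are arguments so it runs on a constructed tree; on Debian they
# would be /etc/initramfs-tools and /boot.

# Print the effective UMASK value. Assumption: initramfs.conf is read first,
# then conf.d/* in glob order, and the last assignment wins. Empty if unset.
configured_umask() {
    local confdir=$1 f line val=""
    for f in "$confdir/initramfs.conf" "$confdir"/conf.d/*; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                UMASK=*) val=${line#UMASK=} ;;
            esac
        done < "$f"
    done
    printf '%s\n' "$val"
}

# Print "<mode> <path>" for each initrd.img-* that group or other can read.
readable_images() {
    local bootdir=$1 img mode
    for img in "$bootdir"/initrd.img-*; do
        [ -f "$img" ] || continue
        mode=$(stat -c '%a' "$img")   # GNU stat, octal mode such as 644
        case $mode in
            # read bit set in the group digit or in the other digit
            *[4-7]?|*[4-7]) printf '%s %s\n' "$mode" "$img" ;;
        esac
    done
}

# Return 0 only if UMASK=0077 is set and no existing image is still readable.
audit_initramfs() {
    local confdir=$1 bootdir=$2 rc=0 um stale
    um=$(configured_umask "$confdir")
    if [ "$um" != "0077" ]; then
        echo "UMASK is '${um:-unset}', expected 0077"; rc=1
    fi
    stale=$(readable_images "$bootdir")
    if [ -n "$stale" ]; then
        echo "still readable, regenerate with update-initramfs -u:"
        echo "$stale"; rc=1
    fi
    return $rc
}

if [ "$#" -eq 2 ]; then audit_initramfs "$1" "$2"; fi
```

By default `update-initramfs -u` rebuilds only the newest kernel's image, so images for older kernels keep their previous mode until regenerated (`-k all`), which is why the check walks every `initrd.img-*`.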