Re: chmod of generated grub.cfg

[Felix Zielcke]

Am Sonntag, den 06.09.2009, 17:09 +0200 schrieb Robert Millan:
> On Sun, Sep 06, 2009 at 04:58:40PM +0200, Felix Zielcke wrote:
> > 
> > Ok here's now a patch.
> > Robert do you think this can go into 1.97?
> 
> For 1.97 I'd be more comfortable with a simple s/444/400/.  An automated check
> smells like it could have corner cases.  In fact I found one:
> 
> > @@ -260,6 +260,11 @@ for i in ${grub_mkconfig_dir}/* ; do
> >    esac
> >  done
> >  
> > +if [ "x${grub_cfg}" != "x" ] && grep -q "^password " ${grub_cfg}.new ; then
> > +  chmod 400 ${grub_cfg}.new || grub_warn "Could not make ${grub_cfg}.new 
> > readable by only root.\
> > +  This means your password is readable by everyone"
> > +fi
> 
> There's a short time window in which /boot/grub/grub.cfg.new exists, has been
> fully generated, and its mode is 444 rather than 400.  An attacker could poll
> this file and with some luck extract a password from it.
> 

Oh right. So how about this?

-- 
Felix Zielcke
Proud Debian Maintainer

2009-09-06  Felix Zielcke  <fziel...@z-51.de>

        * util/grub-mkconfig.in: Make the temporary created config mode
        400 and print a warning if it fails.  Change mode to 444 if it
        does not contain a plaintext password.

Index: util/grub-mkconfig.in
===================================================================
--- util/grub-mkconfig.in       (revision 2574)
+++ util/grub-mkconfig.in       (working copy)
@@ -232,7 +232,8 @@ if test "x${grub_cfg}" != "x"; then
 
   # Allow this to fail, since /boot/grub/ might need to be fatfs to support 
some
   # firmware implementations (e.g. OFW or EFI).
-  chmod 444 ${grub_cfg}.new || true
+  chmod 400 ${grub_cfg}.new || grub_warn "Could not make ${grub_cfg}.new 
readable by only root.\
+  This means that if the generated config contains a password it is readable 
by everyone"
 fi
 echo "Generating grub.cfg ..." >&2
 
@@ -260,6 +261,10 @@ for i in ${grub_mkconfig_dir}/* ; do
   esac
 done
 
+if [ "x${grub_cfg}" != "x" ] && ! grep -q "^password " ${grub_cfg}.new ; then
+  chmod 444 ${grub_cfg}.new || true
+fi
+
 if test "x${grub_cfg}" != "x" ; then
   # none of the children aborted with error, install the new grub.cfg
   mv -f ${grub_cfg}.new ${grub_cfg}

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/grub-devel