On Sun, Sep 6, 2009 at 3:38 PM, Colin Watson<cjwat...@ubuntu.com> wrote: > On Sun, Sep 06, 2009 at 02:29:03PM +0200, Felix Zielcke wrote: >> Currently grub-mkconfig uses chmod 444 on the newly generated grub.cfg >> Wouldn't it be better to use 400 now that we have plaintext password >> support? >> Or should we add support for a GRUB_CHMOD variable so users can override >> this setting as they please? > > I'd prefer to see this done only if they set a password. A GRUB_CHMOD > variable seems overkill, though. Is there a reason a non-root would like to look at grub.cfg on production system? Developers can always override chmod. If there is no real reason for non-root to look into grub.cfg I would follow the best friend in security considerations called "paranoia" and just use mode 400 > >> Else I'd need to add a /etc/grub.d/999_chmod file in grub-installer >> which changes the mode of grub.cfg.new if the user wants to have a >> password. > > I think it'd be more sensible to do this in grub-mkconfig itself - it > doesn't really fit well into the /etc/grub.d/ hook system, which is > really just for generating output.
> > -- > Colin Watson [cjwat...@ubuntu.com] > > > _______________________________________________ > Grub-devel mailing list > Grub-devel@gnu.org > http://lists.gnu.org/mailman/listinfo/grub-devel > -- Regards Vladimir 'phcoder' Serbinenko Personal git repository: http://repo.or.cz/w/grub2/phcoder.git _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org http://lists.gnu.org/mailman/listinfo/grub-devel
