
Seeking advice re: CVE-2019-13179 (insecure permissions for initramfs)



Hi

I need some help regarding a security issue that surfaced yesterday that
affects buster.

Using the Calamares installer and full-disk encryption, sensitive
information is stored in the initramfs, which is world readable:

https://github.com/calamares/calamares/issues/1191

I just took a quick glance through the update-initramfs man pages and
couldn't find anything specific for setting the initramfs permissions.

Any advice on how to approach that? I'd usually do some diving and
figure it out but due to the time-sensitive nature I don't want to rush
something by myself. I'm wondering if it might be reasonable to make the
whole /boot only root-accessible, which *would* fix this problem but not
sure if it might cause additional problems for someone.

AFAIK this isn't currently relevant in d-i since grub2 doesn't support
luks2 yet (which d-i now uses by default), but when grub2 does support
luks2 this will be equally as much of an issue for d-i images with full
disk encryption.

weasel has also pointed out to me that the open permissions may also be
a problem for dropbear users whose initramfs host private key can easily
be spoofed by anyone who can read the initramfs, so I do believe that
this is worth some attention right now.

-Jonathan

-- 
  ⢀⣴⠾⠻⢶⣦⠀  Jonathan Carter (highvoltage) <jcc>
  ⣾⠁⢠⠒⠀⣿⡁  Debian Developer - https://wiki.debian.org/highvoltage
  ⢿⡄⠘⠷⠚⠋   https://debian.org | https://jonathancarter.org
  ⠈⠳⣄⠀⠀⠀⠀  Be Bold. Be brave. Debian has got your back.
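
Added example, not part of the original message: a small audit for the condition described above, listing initramfs images that unprivileged users can read and treating a boot directory that "other" cannot enter as closed (the root-only /boot idea from the message). The `initrd.img*` name pattern and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original message).
# Assumption: images are named initrd.img-<kernel version> inside the boot directory.
# Usage: audit_initramfs /boot

# Succeeds when "other" has no search (x) permission on DIR, so
# unprivileged users cannot open any file inside it.
boot_dir_closed() {
    [ -z "$(find "$1" -maxdepth 0 -perm -001)" ]
}

# Prints every initramfs image in DIR whose mode has the "other" read bit
# set. Prints nothing when the directory itself is closed to "other".
exposed_initramfs() {
    dir=${1:-/boot}
    boot_dir_closed "$dir" && return 0
    find "$dir" -maxdepth 1 -type f -name 'initrd.img*' -perm -004
}

# Reports the findings; returns 1 if any image is exposed, 0 otherwise.
audit_initramfs() {
    dir=${1:-/boot}
    hits=$(exposed_initramfs "$dir")
    if [ -n "$hits" ]; then
        printf 'world-readable initramfs:\n%s\n' "$hits"
        return 1
    fi
    printf 'no world-readable initramfs under %s\n' "$dir"
}
```

The check looks only at mode bits, so it gives the same answer when run as root; it does not consider ACLs or the permissions of parent directories.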

