Re: Seeking advice re: CVE-2019-13179 (insecure permissions for initramfs)

To: Jonathan Carter <jcc@debian.org>
Cc: Debian Developers <debian-devel@lists.debian.org>
Subject: Re: Seeking advice re: CVE-2019-13179 (insecure permissions for initramfs)
From: Roger Shimizu <rosh@debian.org>
Date: Wed, 3 Jul 2019 19:10:26 +0900
Message-id: <[🔎] CAEQ9gEk-3UhaqTBSi2+qONKYV4i+6pgsvQZ2VHfCo_ymF8GeHA@mail.gmail.com>
In-reply-to: <[🔎] 2512d87a-f733-1138-db59-ae96779cff67@debian.org>
References: <[🔎] 2512d87a-f733-1138-db59-ae96779cff67@debian.org>

On Wed, Jul 3, 2019 at 6:07 PM Jonathan Carter <jcc@debian.org> wrote:
>
> Hi
>
> I need some help regarding a security issue that surfaced yesterday that
> affects buster.
>
> Using the Calamares installer and full-disk encryption, sensitive
> information is stored in the initramfs, which is world readable:
>
> https://github.com/calamares/calamares/issues/1191
>
> I just took a quick glance through the update-initramfs man pages and
> couldn't find anything specific for setting the initramfs permissions.

According to latest LUKS for rootfs guide [1], you can append
"UMASK=0077" to /etc/initramfs-tools/initramfs.conf

[1] https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

Cheers,
-- 
Roger Shimizu, GMT +9 Tokyo
PGP/GPG: 4096R/6C6ACD6417B3ACB1

Reply to:

Follow-Ups:
- Re: Seeking advice re: CVE-2019-13179 (insecure permissions for initramfs)
  - From: Jonathan Carter <jcc@debian.org>

References:
- Seeking advice re: CVE-2019-13179 (insecure permissions for initramfs)
  - From: Jonathan Carter <jcc@debian.org>

Prev by Date: Re: Survey results: git packaging practices / repository format
Next by Date: Re: Survey results: git packaging practices / repository format [and 1 more messages]
Previous by thread: Seeking advice re: CVE-2019-13179 (insecure permissions for initramfs)
Next by thread: Re: Seeking advice re: CVE-2019-13179 (insecure permissions for initramfs)
Index(es):
- Date
- Thread