
Re: Seeking advice re: CVE-2019-13179 (insecure permissions for initramfs)



Hi Roger

On 2019/07/03 12:10, Roger Shimizu wrote:
> According to latest LUKS for rootfs guide [1], you can append
> "UMASK=0077" to /etc/initramfs-tools/initramfs.conf
> 
> [1] https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

Ah great, having a "/etc/initramfs-tools/conf.d/initramfs-permissions"
that contains "UMASK=0077" and running "update-initramfs -u" does fix
that for me locally. I think it should be reasonable to add that to the
calamares-settings package for Debian.

Does anyone know of a reason why this can't be universally a default in
Debian? Is there a use case where a regular user needs read access to
the initramfs? My Fedora friends say dracut has defaulted to the more
secure permissions for the last 7 years and that it hasn't been an issue
there yet.

-Jonathan

-- 
  ⢀⣴⠾⠻⢶⣦⠀  Jonathan Carter (highvoltage) <jcc>
  ⣾⠁⢠⠒⠀⣿⡁  Debian Developer - https://wiki.debian.org/highvoltage
  ⢿⡄⠘⠷⠚⠋   https://debian.org | https://jonathancarter.org
  ⠈⠳⣄⠀⠀⠀⠀  Be Bold. Be brave. Debian has got your back.
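
A check for the fix described in this message, as an added example (not from the thread or from initramfs-tools): it reads the configured UMASK without sourcing the config files and lists initrd images that still carry group or other permission bits. The function names, the `initrd.img*` name pattern, the sample tree, and the assumption that later conf.d files override earlier ones are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the initramfs UMASK setting and image modes.

# Print the last unquoted UMASK=<octal> found in initramfs.conf, then conf.d/*
# (assumed load order, later files win). Prints nothing if unset.
configured_umask() {
    for f in "$1/initramfs.conf" "$1"/conf.d/*; do
        if [ -f "$f" ]; then
            sed -n 's/^[[:space:]]*UMASK=\([0-7][0-7]*\).*/\1/p' "$f"
        fi
    done | tail -n 1
}

# List initrd images directly under $1 with any group/other permission bit.
exposed_images() {
    find "$1" -maxdepth 1 -type f -name 'initrd.img*' -perm /077
}

# Report on config dir $1 and boot dir $2; return 1 if anything needs fixing.
audit_initramfs() {
    status=0
    mask=$(configured_umask "$1")
    case $mask in
        *77) echo "config: UMASK=$mask" ;;
        '')  echo "config: UMASK not set"; status=1 ;;
        *)   echo "config: UMASK=$mask leaves group/other bits"; status=1 ;;
    esac
    exposed=$(exposed_images "$2")
    if [ -n "$exposed" ]; then
        echo "images readable beyond owner (regenerate with update-initramfs -u):"
        echo "$exposed"
        status=1
    fi
    return "$status"
}

# Constructed sample tree: one stale 0644 image, no UMASK configured yet.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/conf.d" "$d/boot"
    echo 'COMPRESS=gzip' > "$d/etc/initramfs.conf"
    : > "$d/boot/initrd.img-0.0.0-sample"
    chmod 0644 "$d/boot/initrd.img-0.0.0-sample"
    echo "$d"
}

# Real use: sh audit.sh /etc/initramfs-tools /boot
if [ "$#" -eq 2 ]; then audit_initramfs "$1" "$2"; fi
```

Setting UMASK does not change the mode of images that already exist, so the audit checks the files as well as the configuration.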

