Re: Seeking advice re: CVE-2019-13179 (insecure permissions for initramfs)
Hi Roger
On 2019/07/03 12:10, Roger Shimizu wrote:
> According to latest LUKS for rootfs guide [1], you can append
> "UMASK=0077" to /etc/initramfs-tools/initramfs.conf
>
> [1] https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
Ah great, having a "/etc/initramfs-tools/conf.d/initramfs-permissions"
that contains "UMASK=0077" and running "update-initramfs -u" does fix
that for me locally, I think it should be reasonable to add that to the
calamares-settings package for Debian.
Does anyone know of a reason why this can't be universally a default in
Debian? Is there a use case where a regular user needs read access to
the initramfs? My Fedora friends say dracut has defaulted to the more
secure permissions for the last 7 years and that it hasn't been an issue
there yet.
-Jonathan
--
⢀⣴⠾⠻⢶⣦⠀ Jonathan Carter (highvoltage) <jcc>
⣾⠁⢠⠒⠀⣿⡁ Debian Developer - https://wiki.debian.org/highvoltage
⢿⡄⠘⠷⠚⠋ https://debian.org | https://jonathancarter.org
⠈⠳⣄⠀⠀⠀⠀ Be Bold. Be brave. Debian has got your back.
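An added example, not part of the original message or of initramfs-tools: a shell audit for the fix discussed above, reporting the configured UMASK and any initramfs image still readable by group or others. It assumes initramfs.conf is read first and conf.d/* afterwards (so the last UMASK assignment wins) and that images are named /boot/initrd.img-*; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit initramfs-tools UMASK config and image permissions.
# Assumption: initramfs.conf is read first, then conf.d/*; last UMASK wins.

# Print the effective UMASK value found under config dir $1 (empty if unset).
configured_umask() {
    val=""
    for f in "$1/initramfs.conf" "$1"/conf.d/*; do
        [ -f "$f" ] || continue
        # Commented-out lines ("#UMASK=...") do not match the anchor.
        v=$(sed -n 's/^[[:space:]]*UMASK=//p' "$f" | tail -n 1 | tr -d "\"' ")
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
}

# Return 0 if file $1 grants any permission to group or others.
image_exposed() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$1" | cut -c5-10) || return 2
    [ "$perms" != "------" ]
}

# Usage: audit [confdir] [bootdir]; returns 1 if anything needs fixing.
audit() {
    confdir=${1:-/etc/initramfs-tools}
    bootdir=${2:-/boot}
    rc=0
    um=$(configured_umask "$confdir")
    case "$um" in
        0077|077) echo "OK: UMASK=$um set in $confdir" ;;
        *) echo "WARN: UMASK is '${um:-unset}' in $confdir, expected 0077"; rc=1 ;;
    esac
    for img in "$bootdir"/initrd.img-*; do
        [ -f "$img" ] || continue
        if image_exposed "$img"; then
            # Existing images keep their old mode until they are regenerated.
            echo "WARN: $img is group/world accessible; run update-initramfs -u"
            rc=1
        fi
    done
    return $rc
}

# Run against the live system only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit; fi
```

Setting UMASK only affects images generated afterwards, which is why the audit checks the files in /boot as well as the configuration.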