Re: Seeking advice re: CVE-2019-13179 (insecure permissions for initramfs)

[Sam Hartman <hartmans@debian.org>]

As a matter of policy Debian tends to install things like binaries as
world readable.  In general I don't think we should be copying sensitive
information to the initramfs without careful consideration.  The
rationale is that on systems with full disk encryption the initramfs
probably isn't encrypted and thus is at a lower level of security than
the root filesystem.

I personally think sticking your full disk encryption keys onto the
initramfs doesn't have a lot of value.  But sure, OK, there are some
cases where you want that.
And in those cases I think that as part of doing the careful
consideration to decide to put sensitive material onto the initramfs you
should set the permissions.

So, yes setting this in the package in question seems reasonable.

However, there's kind of a bigger problem.
What if the initramfs is being stored on a uefi partition or similar
where you cannot actually set permissions?

--Sam