
Re: Seeking advice re: CVE-2019-13179 (insecure permissions for initramfs)



Jonathan Carter wrote:
> Ah great, having a "/etc/initramfs-tools/conf.d/initramfs-permissions"
> that contains "UMASK=0077" and running "update-initramfs -u" does fix
> that for me locally, I think it should be reasonable to add that to the
> calamares-settings package for Debian.
>
> Does anyone know of a reason why this can't be universally a default in
> Debian? Is there a use case where a regular user needs read access to
> the initramfs?

Booting a virtual system, using the same kernel and initramfs as the
host.

It seems perfectly reasonable to make the initramfs use mode 0600 if and
only if it contains keys/passphrases, though.
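
A local audit for the setting discussed in this thread, as an added example that is not part of the original messages: it lists initramfs images that group or other can access and reports the UMASK value found in the initramfs-tools configuration. The function names and the `--audit` argument are hypothetical, the `initrd.img-*` pattern assumes Debian's image naming, and the config scan is a plain text match for unquoted `UMASK=` lines rather than initramfs-tools' own parsing.

```shell
#!/bin/sh
# Added example: audit initramfs permissions and the configured UMASK.
# Paths default to the Debian locations named in the thread; both can be
# overridden so the functions can be exercised on a scratch directory.

# Print "MODE PATH" for each image under $1 that group or other can access.
# Returns 1 if at least one such image exists, 0 otherwise.
exposed_initramfs() {
    local boot_dir="${1:-/boot}" f mode found=0
    for f in "$boot_dir"/initrd.img-*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f") || continue
        # Leading 0 makes the value octal; 077 masks the group/other bits.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$f"
            found=1
        fi
    done
    return "$found"
}

# Print the last unquoted UMASK= value found in initramfs.conf and conf.d/*
# under $1 (empty line if none is set).
configured_umask() {
    local conf_dir="${1:-/etc/initramfs-tools}" f v val=""
    for f in "$conf_dir"/initramfs.conf "$conf_dir"/conf.d/*; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*UMASK=\([0-7]\{3,4\}\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val="$v"; fi
    done
    printf '%s\n' "$val"
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--audit" ]; then
    echo "configured UMASK: $(configured_umask)"
    if exposed_initramfs; then
        echo "no initramfs image is accessible to group or other"
    else
        echo "images above are readable beyond the owner; set UMASK=0077 in" \
             "/etc/initramfs-tools/conf.d/ and run update-initramfs -u"
    fi
fi
```

Images built before the UMASK was configured keep their old mode until they are regenerated, so a correct config value together with a listed image means `update-initramfs -u` has not yet been run for that kernel.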

