Bug#767448: No way to override settings from /usr/share/initramfs-tools/conf-hooks.d/*



Control: retitle -1 Configuration files can't override UMASK value set by packages
Control: tag -1 wontfix

On Mon, 29 Feb 2016 05:13:33 +0100 Piotr Jurkiewicz <piotr.jerzy.jurkiewicz@gmail.com> wrote:
> > The UMASK variable is *documented* as affecting only the permissions
> > for the initramfs image (which it doesn't seem to do reliably!) but it
> > also affects the permissions for the files inside the initramfs.
> >
> > When dropbear is used in the initramfs, the host private key must be
> > kept secret and so the initramfs image must not be world-readable.  But
> > most of the files installed in the initramfs can be world-readable.  Is
> > that what you want to change?
> 
> No. I wasn't even aware that UMASK also affects the permission of files 
> inside initramfs (as this is undocumented, as you said).
> 
> My setup is the following: Machine A with Debian boots from the network. 
> Its /boot directory resides on machine B, which is simply a PXE server 
> for machine A. /boot directory is mounted on machine A using sshfs. That 
> way, on each update of machine A, kernel image and initramfs file are 
> automatically transferred to machine B.
> 
> The problem is that tftpd on machine B has a compiled-in limitation which
> allows only publicly readable files (o+r) to be served via TFTP.
[...]

That makes sense, because everyone on the network can read any file
exposed over TFTP.  You're asking us to help you maintain a security
hole, and I refuse to do that.

Ben.

-- 
Ben Hutchings
Make three consecutive correct guesses and you will be considered an expert.
