
Bug#905920: (no subject)



Package: initramfs-tools
Version: 0.131ubuntu8
Severity: normal
Tags: security

I have a fully encrypted (UEFI, LUKS, BTRFS) system, and in order to avoid typing the password a second time after GRUB2, I added the `keyscript` option to `/etc/crypttab`.
The keyscript file is only readable by root; however, the resulting `initrd.img*` file is readable by anyone, which I think is a security issue.
I'd like `initrd.img*` files to also be readable by the root user only.

-- Package-specific info:
-- initramfs sizes
-rw-r--r-- 1 root root 53M Aug 11 19:50 /boot/initrd.img-4.17.0-5-generic
-rw-r--r-- 1 root root 53M Aug 11 19:49 /boot/initrd.img-4.17.0-6-generic
-rw-r--r-- 1 root root 53M Aug 11 19:49 /boot/initrd.img-4.17.0-7-generic
-- /proc/cmdline
BOOT_IMAGE=/root/boot/vmlinuz-4.17.0-5-generic root=UUID=5170aca4-061a-4c6c-ab00-bd7fc8ae6030 ro rootflags=subvol=root nosplash intel_pstate=disable scsi_mod.use_blk_mq=1 intel_iommu=on i915.fastboot=1

-- /etc/crypttab
# <target name>	<source device>		<key file>	<options>
system UUID=739967f1-9770-470a-a031-8d8b8bcdb350 none luks,discard,keyscript=/etc/cryptroot/system.64.sh

-- System Information:
Debian Release: buster/sid
  APT prefers cosmic-proposed
  APT policy: (500, 'cosmic-proposed'), (500, 'cosmic')
Architecture: amd64 (x86_64)
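
An added example, not part of the bug report or of initramfs-tools: a shell audit for the condition reported above, listing `initrd.img*` files that other users can read when a crypttab entry uses `keyscript=`. The function names are hypothetical, and the image directory and crypttab path are passed as arguments.

```shell
#!/bin/sh
# Added example: flag initrd images readable by "other" while crypttab
# uses a keyscript (which the report says ends up inside the image).

# crypttab_has_keyscript FILE
# Succeeds if any non-comment entry has keyscript= in its options field.
crypttab_has_keyscript() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        $4 ~ /(^|,)keyscript=/ { found = 1 }    # 4th field holds the options
        END { exit !found }
    ' "$1"
}

# world_readable_initrds DIR
# Prints initrd.img* files directly in DIR whose mode grants read to
# "other", such as the -rw-r--r-- images listed in the report.
world_readable_initrds() {
    find "$1" -maxdepth 1 -type f -name 'initrd.img*' -perm -004 | sort
}

# audit_initrd DIR CRYPTTAB
# Prints the exposed images and returns 1 if CRYPTTAB uses a keyscript
# and at least one image in DIR is readable by other users; otherwise
# prints nothing and returns 0.
audit_initrd() {
    crypttab_has_keyscript "$2" || return 0
    exposed=$(world_readable_initrds "$1")
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Typical call on a live system:
#   audit_initrd /boot /etc/crypttab
```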

