grub-mkconfig.in: turn off executable owner bit

Resolves: #2281464
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
This commit is contained in:
Leo Sandoval 2024-05-24 18:10:46 -06:00
parent 92efc5d3cd
commit a137559e71
4 changed files with 39 additions and 4 deletions

View file

@ -0,0 +1,30 @@
From 4062ab33c8cd86ac15cefe1b4f2f422b28467f54 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Fri, 24 May 2024 18:22:17 -0600
Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
Stricker permissions are required on the grub.cfg file, resulting in
at most 0600 owner's file permissions. This resolves conflicting
requirement permissions on grub2-pc package's grub2.cfg file.
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
util/grub-mkconfig.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index 520a672cd..fb382b648 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -311,7 +311,7 @@ and /etc/grub.d/* files or please file a bug report with
exit 1
else
# none of the children aborted with error, install the new grub.cfg
- oldumask=$(umask); umask 077
+ oldumask=$(umask); umask 177
cat ${grub_cfg}.new > ${grub_cfg}
umask $oldumask
rm -f ${grub_cfg}.new
--
2.44.0

View file

@ -683,7 +683,7 @@ ln -s ../boot/grub2/grub.cfg \\\
%{expand:%%files %{1}} \ %{expand:%%files %{1}} \
%defattr(-,root,root,-) \ %defattr(-,root,root,-) \
%config(noreplace) %{_sysconfdir}/grub2.cfg \ %config(noreplace) %{_sysconfdir}/grub2.cfg \
%ghost %config(noreplace) %attr(0700,root,root)/boot/grub2/grub.cfg \ %ghost %config(noreplace) %attr(0600,root,root)/boot/grub2/grub.cfg \
%dir %attr(0700,root,root)/boot/loader/entries \ %dir %attr(0700,root,root)/boot/loader/entries \
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}.conf \ %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}.conf \
%ifarch ppc64le \ %ifarch ppc64le \
@ -718,8 +718,8 @@ ln -s ../boot/grub2/grub.cfg \\\
%endif \ %endif \
%attr(0700,root,root)/boot/grub2/fonts \ %attr(0700,root,root)/boot/grub2/fonts \
%dir %attr(0700,root,root)/boot/loader/entries \ %dir %attr(0700,root,root)/boot/loader/entries \
%ghost %config(noreplace) %attr(0700,root,root)/boot/grub2/grub.cfg \ %ghost %config(noreplace) %attr(0600,root,root)/boot/grub2/grub.cfg \
%ghost %config(noreplace) %verify(not mtime) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \ %ghost %config(noreplace) %verify(not mtime) %attr(0600,root,root)%{efi_esp_dir}/grub.cfg \
%config(noreplace) %verify(not size mode md5 mtime) /boot/grub2/grubenv \ %config(noreplace) %verify(not size mode md5 mtime) /boot/grub2/grubenv \
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}.conf \ %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}.conf \
%{expand:%if 0%{?without_efi_modules} \ %{expand:%if 0%{?without_efi_modules} \

View file

@ -359,3 +359,4 @@ Patch0358: 0358-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
Patch0359: 0359-fs-ntfs-Make-code-more-readable.patch Patch0359: 0359-fs-ntfs-Make-code-more-readable.patch
Patch0360: 0360-fs-xfs-Handle-non-continuous-data-blocks-in-director.patch Patch0360: 0360-fs-xfs-Handle-non-continuous-data-blocks-in-director.patch
Patch0361: 0361-cmd-search-Rework-of-CVE-2023-4001-fix.patch Patch0361: 0361-cmd-search-Rework-of-CVE-2023-4001-fix.patch
Patch0362: 0362-grub-mkconfig.in-turn-off-executable-owner-bit.patch

View file

@ -17,7 +17,7 @@
Name: grub2 Name: grub2
Epoch: 1 Epoch: 1
Version: 2.06 Version: 2.06
Release: 122%{?dist} Release: 123%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more Summary: Bootloader with support for Linux, Multiboot and more
License: GPL-3.0-or-later License: GPL-3.0-or-later
URL: http://www.gnu.org/software/grub/ URL: http://www.gnu.org/software/grub/
@ -555,6 +555,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif %endif
%changelog %changelog
* Tue May 28 2024 Leo Sandoval <lsandova@redhat.com> - 2.06.123
- grub-mkconfig.in: turn off executable owner bit
- Resolves: #2281464
* Thu May 23 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-122 * Thu May 23 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-122
- cmd/search: Rework of CVE-2023-4001 fix - cmd/search: Rework of CVE-2023-4001 fix
- Related: #2224951 - Related: #2224951