From 3ea051e59e9c0cd79eac7f2e1563606e1e31a530 Mon Sep 17 00:00:00 2001 From: Michael Chang via Grub-devel Date: Fri, 3 Dec 2021 16:13:28 +0800 Subject: [PATCH] grub-mkconfig: restore umask for grub.cfg Since commit: ab2e53c8a grub-mkconfig: Honor a symlink when generating configuration by grub-mkconfig has inadvertently discarded umask for creating grub.cfg in the process of grub-mkconfig. The resulting wrong permission (0644) would allow unprivileged users to read grub's configuration file content. This presents a low confidentiality risk as grub.cfg may contain non-secured plain-text passwords. This patch restores the missing umask and set the file mode of creation to 0600 preventing unprivileged access. Fixes: CVE-2021-3981 Signed-off-by: Michael Chang --- util/grub-mkconfig.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in index f55339a3f..520a672cd 100644 --- a/util/grub-mkconfig.in +++ b/util/grub-mkconfig.in @@ -311,7 +311,9 @@ and /etc/grub.d/* files or please file a bug report with exit 1 else # none of the children aborted with error, install the new grub.cfg + oldumask=$(umask); umask 077 cat ${grub_cfg}.new > ${grub_cfg} + umask $oldumask rm -f ${grub_cfg}.new fi fi -- 2.33.0