
Bug#905920: marked as done ((no subject))



Your message dated Sat, 11 Aug 2018 20:49:03 +0100
with message-id <d7aa562f7c1667fd76093aaf9211ffa933abb0b1.camel@decadent.org.uk>
and subject line Re: Bug#905920: (no subject)
has caused the Debian Bug report #905920,
regarding (no subject)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
905920: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905920
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: initramfs-tools
Version: 0.131ubuntu8
Severity: normal
Tags: security

I have a fully encrypted (UEFI, LUKS, BTRFS) system and, in order to avoid typing the password a second time after GRUB2, added the `keyscript` option to `/etc/crypttab`.
The keyscript file is only readable by root; however, the resulting `initrd.img*` file is readable by anyone, which I think is a security issue.
I'd like `initrd.img*` files to also be readable by the root user only.

-- Package-specific info:
-- initramfs sizes
-rw-r--r-- 1 root root 53M Aug 11 19:50 /boot/initrd.img-4.17.0-5-generic
-rw-r--r-- 1 root root 53M Aug 11 19:49 /boot/initrd.img-4.17.0-6-generic
-rw-r--r-- 1 root root 53M Aug 11 19:49 /boot/initrd.img-4.17.0-7-generic
-- /proc/cmdline
BOOT_IMAGE=/root/boot/vmlinuz-4.17.0-5-generic root=UUID=5170aca4-061a-4c6c-ab00-bd7fc8ae6030 ro rootflags=subvol=root nosplash intel_pstate=disable scsi_mod.use_blk_mq=1 intel_iommu=on i915.fastboot=1

-- /etc/crypttab
# <target name>	<source device>		<key file>	<options>
system UUID=739967f1-9770-470a-a031-8d8b8bcdb350 none luks,discard,keyscript=/etc/cryptroot/system.64.sh

-- System Information:
Debian Release: buster/sid
  APT prefers cosmic-proposed
  APT policy: (500, 'cosmic-proposed'), (500, 'cosmic')
Architecture: amd64 (x86_64)

--- End Message ---
--- Begin Message ---
On Sat, 2018-08-11 at 21:07 +0300, Nazar Mokrynskyi wrote:
> Package: initramfs-tools
> Version: 0.131ubuntu8
> Severity: normal
> Tags: security
> 
> I have a fully encrypted (UEFI, LUKS, BTRFS) system and, in order to
> avoid typing the password a second time after GRUB2, added the
> `keyscript` option to `/etc/crypttab`.
> The keyscript file is only readable by root; however, the resulting
> `initrd.img*` file is readable by anyone, which I think is a security
> issue.
> I'd like `initrd.img*` files to also be readable by the root user
> only.

Set the UMASK parameter, documented in initramfs.conf(5).

Ben.

-- 
Ben Hutchings
Time is nature's way of making sure that
everything doesn't happen at once.



--- End Message ---
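To check a system for the exposure this report describes, here is an added shell audit that is not part of the bug report or of initramfs-tools. It assumes the standard paths /etc/crypttab, /etc/initramfs-tools/initramfs.conf (where initramfs.conf(5) documents UMASK) and /boot, uses lsinitramfs to list an image's contents, and treats a missing UMASK as 0022, which matches the -rw-r--r-- images shown in the report.

```shell
#!/bin/sh
# Added example: does a crypttab keyscript end up inside a world-readable
# initrd? Paths and the 0022 fallback are assumptions, see the lead-in.

# Print every keyscript= path from crypttab text on stdin (comments stripped).
crypttab_keyscripts() {
    sed -e 's/#.*//' | awk 'NF >= 4 {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] ~ /^keyscript=/) { sub(/^keyscript=/, "", o[i]); print o[i] }
    }'
}

# Print the UMASK from initramfs.conf text on stdin; when it is unset the
# image is assumed to be created with 0022, i.e. readable by everyone.
initramfs_umask() {
    u=$(sed -n 's/^[[:space:]]*UMASK=\([0-7]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${u:-0022}"
}

# True when the umask clears the "other" read bit (last octal digit has 4 set).
umask_hides_from_others() {
    [ $((0$1 & 4)) -eq 4 ]
}

# List initrd images in a directory that grant read access to "other".
world_readable_initrds() {
    find "$1" -name 'initrd.img*' -perm -o=r
}

# Audit the running system; only runs when invoked as: sh audit.sh audit
audit_initramfs_secrets() {
    um=$(initramfs_umask < /etc/initramfs-tools/initramfs.conf)
    umask_hides_from_others "$um" || echo "UMASK=$um leaves new initrds world-readable"
    for img in $(world_readable_initrds /boot); do
        for ks in $(crypttab_keyscripts < /etc/crypttab); do
            # the cryptsetup hook copies the keyscript into the image, so a
            # world-readable image exposes the root-only script
            if lsinitramfs "$img" | grep -q "${ks#/}"; then
                echo "EXPOSED: $ks is inside world-readable $img"
            fi
        done
    done
}

if [ "${1:-}" = "audit" ]; then audit_initramfs_secrets; fi
```

After setting UMASK=0077 in initramfs.conf, rebuild with update-initramfs -u and re-run the audit; existing images keep their old mode until regenerated or chmod'ed.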
