'/path/to/secrets/' gets included in the ReaR recovery system
so it is in ReaR's initrd and in particular with GRUB_RESCUE=Y
the secrets in /path/to/secrets/ are accessible for every user
within ReaR's world-readable initrd that is located
in the world-readable '/boot/' directory.
Proposed fix:
In usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
add at the end chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME" like
...
esac
# Only root should be allowed to access the initrd
# because the ReaR recovery system can contain secrets:
test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
popd >/dev/null
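The issue above is a file-permission problem: an initrd that holds the recovery system (and possibly secrets) sits in /boot with a mode that lets every local user read it. The proposed fix tightens the ReaR initrd at creation time; the added example below (not ReaR's own code) shows the complementary defender-side check: audit a boot directory for initrd images readable by group or other and restrict them to 0600, demonstrated on a constructed directory. The file-name patterns and the use of GNU find/stat are assumptions.

```shell
#!/bin/sh
# Added example, not ReaR's own code: audit a boot directory for initrd
# images that group or other users can read, and tighten them to 0600 as
# the proposed 900_create_initramfs.sh change does for the ReaR initrd.
# The file-name patterns below are an assumption; adjust for your layout.

# List regular files directly in "$1" named like an initrd whose mode
# grants any read bit to group or other (GNU find: -perm /044).
find_world_readable_initrds() {
    find "$1" -maxdepth 1 -type f \
        \( -name 'initrd*' -o -name 'initramfs*' \) \
        -perm /044 -print | sort
}

# Restrict every file reported above to owner read/write only (0600).
restrict_initrds() {
    find_world_readable_initrds "$1" | while IFS= read -r f; do
        chmod 0600 "$f"
    done
}

# Octal permission bits of a file, used by the demo below (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Demo on a constructed boot directory: one initrd at 0644 (the situation
# reported in the issue) and one kernel image that must stay untouched.
demo() {
    d=$(mktemp -d)
    printf 'constructed: would hold the ReaR recovery system\n' > "$d/initrd.cgz"
    chmod 0644 "$d/initrd.cgz"
    printf 'constructed kernel image\n' > "$d/vmlinuz"
    chmod 0644 "$d/vmlinuz"
    echo "before:"; find_world_readable_initrds "$d"
    restrict_initrds "$d"
    echo "after (should be empty):"; find_world_readable_initrds "$d"
    echo "initrd.cgz mode: $(mode_of "$d/initrd.cgz"), vmlinuz mode: $(mode_of "$d/vmlinuz")"
    rm -rf "$d"
}

demo
```

Run `find_world_readable_initrds /boot` as root on a host with GRUB_RESCUE=Y to see whether an already-created ReaR initrd is affected before the fixed script has regenerated it.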
In pack/GNU/Linux/900_create_initramfs.sh call
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
to let only root access the initrd because
the ReaR recovery system can contain secrets
see #3122
jsmeix changed the title from "ReaR creates world-readable initrd: Security issue with GRUB_RESCUE=Y" to "ReaR creates world-readable initrd with GRUB_RESCUE=Y" on Jan 10, 2024
In pack/GNU/Linux/900_create_initramfs.sh call
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
to let only 'root' access the ReaR initrd because
the ReaR recovery system in the initrd can contain secrets
(not by default but when certain things are explicitly
configured by the user like SSH keys without passphrase)
see #3122
and https://bugzilla.opensuse.org/show_bug.cgi?id=1218728
The following issue was reported to us at SUSE by a SUSE customer
and the proposed fix is from a colleague at SUSE:
'/path/to/secrets/' gets included in the ReaR recovery system
so it is in ReaR's initrd and in particular with GRUB_RESCUE=Y
the secrets in /path/to/secrets/ are accessible for every user
within ReaR's world-readable initrd that is located
in the world-readable '/boot/' directory.
In usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
add at the end
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
like
...
esac
# Only root should be allowed to access the initrd
# because the ReaR recovery system can contain secrets:
test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
popd >/dev/null