Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ReaR creates world-readable initrd with GRUB_RESCUE=Y #3122

Closed
jsmeix opened this issue Jan 8, 2024 · 2 comments
Closed

ReaR creates world-readable initrd with GRUB_RESCUE=Y #3122

jsmeix opened this issue Jan 8, 2024 · 2 comments
Assignees
@jsmeix
Labels
critical / security / legal fixed / solved / done
Milestone
ReaR v2.8

Comments

@jsmeix
Copy link
Member

jsmeix commented Jan 8, 2024
edited

The following issue was reported to us at SUSE by a SUSE customer
and the proposed fix is from a colleague at SUSE:

  • ReaR configuration files (excerpt):
OUTPUT=ISO
COPY_AS_IS+=( "/path/to/secrets/" )
GRUB_RESCUE=Y
  • Description of the issue:

'/path/to/secrets/' gets included in the ReaR recovery system
so it is in ReaR's initrd and in particular with GRUB_RESCUE=Y
the secrets in /path/to/secrets/ are accessible for every user
within ReaR's world-readable initrd that is located
in the world-readable '/boot/' directory.

  • Proposed fix:

In usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
add at the end chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME" like

...
esac

# Only root should be allowed to access the initrd
# because the ReaR recovery system can contain secrets:
test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"

popd >/dev/null
@jsmeix jsmeix added this to the ReaR v2.8 milestone Jan 8, 2024
@jsmeix jsmeix self-assigned this Jan 8, 2024
jsmeix added a commit that referenced this issue Jan 8, 2024
@jsmeix
Make initrd accessible only by root
7b0e8e2 
In pack/GNU/Linux/900_create_initramfs.sh call
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
to let only root access the initrd because
the ReaR recovery system can contain secrets
see #3122
@jsmeix jsmeix mentioned this issue Jan 8, 2024
Merged
@jsmeix jsmeix changed the title ReaR creates world-readable initrd: Security issue with GRUB_RESCUE=Y ReaR creates world-readable initrd with GRUB_RESCUE=Y Jan 10, 2024
jsmeix added a commit that referenced this issue Jan 12, 2024
@jsmeix
Make initrd accessible only by root (#3123)
89b6179 
In pack/GNU/Linux/900_create_initramfs.sh call
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
to let only 'root' access the ReaR initrd because
the ReaR recovery system in the initrd can contain secrets
(not by default but when certain things are explicitly
configured by the user like SSH keys without passphrase)
see #3122
and https://bugzilla.opensuse.org/show_bug.cgi?id=1218728
@jsmeix
Copy link
Member Author

jsmeix commented Jan 12, 2024

Fixed via #3123

@jsmeix jsmeix closed this as completed Jan 12, 2024
@jsmeix
Copy link
Member Author

jsmeix commented Jan 15, 2024

https://bugzilla.opensuse.org/show_bug.cgi?id=1218728
"CVE-2024-23301: rear: GRUB_RESCUE=Y creates world-readable initrd"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jsmeix jsmeix

Labels
critical / security / legal fixed / solved / done
Projects
None yet
Milestone
ReaR v2.8
Development

No branches or pull requests
1 participant
@jsmeix