Re: chmod of generated grub.cfg

[Vladimir 'phcoder' Serbinenko]

On Sun, Sep 6, 2009 at 3:38 PM, Colin Watson<address@hidden> wrote:
> On Sun, Sep 06, 2009 at 02:29:03PM +0200, Felix Zielcke wrote:
>> Currently grub-mkconfig uses chmod 444 on the newly generated grub.cfg
>> Wouldn't it be better to use 400 now that we have plaintext password
>> support?
>> Or should we add support for a GRUB_CHMOD variable so users can override
>> this setting as they please?
>
> I'd prefer to see this done only if they set a password. A GRUB_CHMOD
> variable seems overkill, though.
Is there a reason a non-root would like to look at grub.cfg on
production system? Developers can always override chmod. If there is
no real reason for non-root to look into grub.cfg I would follow the
best friend in security considerations called "paranoia" and just use
mode 400
>
>> Else I'd need to add a /etc/grub.d/999_chmod file in grub-installer
>> which changes the mode of grub.cfg.new if the user wants to have a
>> password.
>
> I think it'd be more sensible to do this in grub-mkconfig itself - it
> doesn't really fit well into the /etc/grub.d/ hook system, which is
> really just for generating output.

>
> --
> Colin Watson                                       address@hidden
>
>
> _______________________________________________
> Grub-devel mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/grub-devel
>



-- 
Regards
Vladimir 'phcoder' Serbinenko

Personal git repository: http://repo.or.cz/w/grub2/phcoder.git