grub-mkconfig: Restore umask for the grub.cfg

The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating configuration by grub-mkconfig) has inadvertently discarded umask for creating grub.cfg in the process of running grub-mkconfig. The resulting wrong permission (0644) would allow unprivileged users to read GRUB configuration file content. This presents a low confidentiality risk as grub.cfg may contain non-secured plain-text passwords. This patch restores the missing umask and sets the creation file mode to 0600 preventing unprivileged access. Fixes: CVE-2021-3981 Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2021-12-03 16:13:28 +08:00 · 2021-12-03 16:13:28 +08:00 · 0adec29674
commit 0adec29674
parent d0219bffc7
1 changed files with 3 additions and 0 deletions
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with
    exit 1
  else
    # none of the children aborted with error, install the new grub.cfg
+    oldumask=$(umask)
+    umask 077
    cat ${grub_cfg}.new > ${grub_cfg}
+    umask $oldumask
    rm -f ${grub_cfg}.new
  fi
 fi