#3122 Issue closed: ReaR creates world-readable initrd with GRUB_RESCUE=Y
Labels: fixed / solved / done, critical / security / legal
jsmeix opened issue at 2024-01-08 13:36:
The following issue was reported to us at SUSE by a SUSE customer
and the proposed fix is from a colleague at SUSE:
- ReaR configuration files (excerpt):
```
OUTPUT=ISO
COPY_AS_IS+=( "/path/to/secrets/" )
GRUB_RESCUE=Y
```
- Description of the issue:
'/path/to/secrets/' gets included in the ReaR recovery system
so it is in ReaR's initrd and in particular with GRUB_RESCUE=Y
the secrets in /path/to/secrets/ are accessible for every user
within ReaR's world-readable initrd that is located
in the world-readable '/boot/' directory.
- Proposed fix:
In `usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh`
add at the end `chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"`
like
```
...
esac
# Only root should be allowed to access the initrd
# because the ReaR recovery system can contain secrets:
test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
popd >/dev/null
```
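
As an added example (not part of the original issue or of ReaR's code): a shell check that lists initrd files in a directory that grant any access to group or others, then applies the same `chmod 0600` restriction as the proposed fix. The function names and the constructed sample file `initrd.cgz` in a temporary directory are assumptions for illustration; GNU `find` and `stat` are assumed.

```shell
#!/bin/sh
# Added example: audit initrd permissions and apply the owner-only restriction.

# List regular files in directory $1 matching glob $2 that grant any
# permission bit to group or others (mode & 077 != 0).
find_exposed_initrds() {
    find "$1" -maxdepth 1 -type f -name "$2" -perm /077 2>/dev/null
}

# Restrict a non-empty file to its owner only, mirroring the proposed fix.
restrict_initrd() {
    test -s "$1" && chmod 0600 "$1"
}

# Print the octal permission bits of a file (GNU stat).
file_mode() {
    stat -c '%a' "$1"
}

# Constructed demonstration: create a sample "initrd" under the common
# umask 022, audit it, restrict it, and audit again.
# Prints: <mode before> <exposed count before> <mode after> <exposed count after>
demo() {
    demo_dir=$(mktemp -d) || return 1
    sample="$demo_dir/initrd.cgz"   # constructed sample, not a real initrd
    ( umask 022; printf 'constructed initrd content\n' > "$sample" )

    before=$(file_mode "$sample")
    exposed_before=$(find_exposed_initrds "$demo_dir" 'initrd*' | wc -l | tr -d ' ')

    restrict_initrd "$sample"

    after=$(file_mode "$sample")
    exposed_after=$(find_exposed_initrds "$demo_dir" 'initrd*' | wc -l | tr -d ' ')

    rm -rf "$demo_dir"
    echo "$before $exposed_before $after $exposed_after"
}

demo   # prints "644 1 600 0"
```

To audit a real system, call `find_exposed_initrds` with the boot directory and a glob that matches the initrd file names used there.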
jsmeix commented at 2024-01-12 07:05:
Fixed via https://github.com/rear/rear/pull/3123
jsmeix commented at 2024-01-15 10:43:
https://bugzilla.opensuse.org/show_bug.cgi?id=1218728
"CVE-2024-23301: rear: GRUB_RESCUE=Y creates world-readable initrd"
[Export of Github issue for rear/rear.]