grub-mkconfig.in: turn off executable owner bit

Resolves: RHEL-45870
Signed-off-by: Leo Sandoval <lsandova@redhat.com>

0346-grub-mkconfig.in-turn-off-executable-owner-bit.patch

@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval <lsandova@redhat.com>
+Date: Mon, 1 Jul 2024 12:52:13 -0600
+Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
+
+Stricker permissions are required on the grub.cfg file, resulting in
+at most 0600 owner's file permissions. This resolves conflicting
+requirement permissions on grub2-pc package's grub2.cfg file.
+
+Resolves: RHEL-45870
+
+Signed-off-by: Leo Sandoval <lsandova@redhat.com>
+---
+ util/grub-mkconfig.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index 34f7c13fc..f47b2735d 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -320,7 +320,7 @@ and /etc/grub.d/* files or please file a bug report with
+     exit 1
+   else
+     # none of the children aborted with error, install the new grub.cfg
+-    oldumask=$(umask); umask 077
++    oldumask=$(umask); umask 177
+     cat ${grub_cfg}.new > ${grub_cfg}
+     umask $oldumask
+     rm -f ${grub_cfg}.new

grub.macros

@@ -598,7 +598,7 @@ ln -s ../boot/%{name}/grub.cfg					\\\
 %{expand:%%files %{1}}						\
 %defattr(-,root,root,-)						\
 %config(noreplace) %{_sysconfdir}/%{name}.cfg			\
-%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg	\
+%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg	\
 %dir %attr(0700,root,root)/boot/loader/entries			\
 %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
 %ifarch ppc64le						\
@@ -633,8 +633,8 @@ ln -s ../boot/%{name}/grub.cfg					\\\
 %endif								\
 %attr(0700,root,root)/boot/%{name}/fonts			\
 %dir %attr(0700,root,root)/boot/loader/entries			\
-%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg	\
-%ghost %config(noreplace) %verify(not mtime) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg	\
+%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg	\
+%ghost %config(noreplace) %verify(not mtime) %attr(0600,root,root)%{efi_esp_dir}/grub.cfg	\
 %config(noreplace) %verify(not size mode md5 mtime) /boot/%{name}/grubenv	\
 %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
 %{expand:%if 0%{?without_efi_modules}				\

grub.patches

@@ -343,3 +343,4 @@ Patch0342: 0342-grub_dl_set_mem_attrs-add-self-check-for-the-tramp-G.patch
 Patch0343: 0343-grub_dl_load_segments-page-align-the-tramp-GOT-areas.patch
 Patch0344: 0344-grub-install-on-EFI-if-forced.patch
 Patch0345: 0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch
+Patch0346: 0346-grub-mkconfig.in-turn-off-executable-owner-bit.patch

grub2.spec

@@ -16,7 +16,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	82%{?dist}
+Release:	83%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@@ -537,6 +537,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 
 %changelog
+* Mon Jul 1 2024 Leo Sandoval <lsandova@redhat.com> - 2.06-83
+- grub-mkconfig.in: turn off executable owner bit
+- Resolves: RHEL-45870
+
 * Thu Jun 27 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-82
 - mkconfig/install: Remove BLS handling for XEN
 - Resolves: #RHEL-4386