From 694ab652e3443719e3876e3d183e59b2f9e055fd Mon Sep 17 00:00:00 2001
From: Leo Sandoval
Date: Mon, 1 Jul 2024 15:42:49 -0600
Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
Resolves: RHEL-45870
Signed-off-by: Leo Sandoval
---
 ...fig.in-turn-off-executable-owner-bit.patch | 29 +++++++++++++++++++
 grub.macros | 6 ++--
 grub.patches | 1 +
 grub2.spec | 6 +++-
 4 files changed, 38 insertions(+), 4 deletions(-)
 create mode 100644 0346-grub-mkconfig.in-turn-off-executable-owner-bit.patch
diff --git a/0346-grub-mkconfig.in-turn-off-executable-owner-bit.patch b/0346-grub-mkconfig.in-turn-off-executable-owner-bit.patch
new file mode 100644
index 0000000..e5f61db
--- /dev/null
+++ b/0346-grub-mkconfig.in-turn-off-executable-owner-bit.patch
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Mon, 1 Jul 2024 12:52:13 -0600
+Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
+
+Stricker permissions are required on the grub.cfg file, resulting in
+at most 0600 owner's file permissions. This resolves conflicting
+requirement permissions on grub2-pc package's grub2.cfg file.
+
+Resolves: RHEL-45870
+
+Signed-off-by: Leo Sandoval
+---
+ util/grub-mkconfig.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index 34f7c13fc..f47b2735d 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -320,7 +320,7 @@ and /etc/grub.d/* files or please file a bug report with
+ exit 1
+ else
+ # none of the children aborted with error, install the new grub.cfg
+- oldumask=$(umask); umask 077
++ oldumask=$(umask); umask 177
+ cat ${grub_cfg}.new > ${grub_cfg}
+ umask $oldumask
+ rm -f ${grub_cfg}.new
diff --git a/grub.macros b/grub.macros
index aa6921c..16a9b5c 100755
--- a/grub.macros
+++ b/grub.macros
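Review bot: The new `++ oldumask=$(umask); umask 177` line does not change the mode that `cat ${grub_cfg}.new > ${grub_cfg}` produces: a shell redirection creates a file with 0666 masked by the umask, so 0666 & ~077 and 0666 & ~0177 are both 0600, the owner execute bit was never set by this path, and the umask only applies when the file does not yet exist, so an existing grub.cfg with mode 0700 is truncated in place and keeps 0700. If the intent is at most 0600 regardless of the file's previous mode, set it explicitly after the write, e.g. keep `cat ${grub_cfg}.new > ${grub_cfg}` and follow it with `chmod 600 ${grub_cfg}`. The `if`/`else` this sits in starts above the hunk, and the earlier creation of `${grub_cfg}.new` is outside it too, so whether that temporary file is created under the same umask cannot be checked from here. The inner commit message also reads "Stricker" where "Stricter" is meant.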
@@ -598,7 +598,7 @@ ln -s ../boot/%{name}/grub.cfg \\\
 %{expand:%%files %{1}} \
 %defattr(-,root,root,-) \
 %config(noreplace) %{_sysconfdir}/%{name}.cfg \
-%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg \
+%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \
 %dir %attr(0700,root,root)/boot/loader/entries \
 %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
 %ifarch ppc64le \
@@ -633,8 +633,8 @@ ln -s ../boot/%{name}/grub.cfg \\\
 %endif \
 %attr(0700,root,root)/boot/%{name}/fonts \
 %dir %attr(0700,root,root)/boot/loader/entries \
-%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg \
-%ghost %config(noreplace) %verify(not mtime) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \
+%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \
+%ghost %config(noreplace) %verify(not mtime) %attr(0600,root,root)%{efi_esp_dir}/grub.cfg \
 %config(noreplace) %verify(not size mode md5 mtime) /boot/%{name}/grubenv \
 %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
 %{expand:%if 0%{?without_efi_modules} \
diff --git a/grub.patches b/grub.patches
index ba10b27..c13cef0 100644
--- a/grub.patches
+++ b/grub.patches
@@ -343,3 +343,4 @@ Patch0342: 0342-grub_dl_set_mem_attrs-add-self-check-for-the-tramp-G.patch
 Patch0343: 0343-grub_dl_load_segments-page-align-the-tramp-GOT-areas.patch
 Patch0344: 0344-grub-install-on-EFI-if-forced.patch
 Patch0345: 0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch
+Patch0346: 0346-grub-mkconfig.in-turn-off-executable-owner-bit.patch
\ No newline at end of file
diff --git a/grub2.spec b/grub2.spec
index a879b71..e83028b 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -16,7 +16,7 @@
 Name: grub2
 Epoch: 1
 Version: 2.06
-Release: 82%{?dist}
+Release: 83%{?dist}
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPLv3+
 URL: http://www.gnu.org/software/grub/
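Review bot: The `%attr(0600,root,root)` on the `%ghost` grub.cfg entries in both grub.macros hunks changes only what rpm records for a file the package never installs; because these entries are `%ghost`, the file is produced by grub2-mkconfig rather than by the payload, so on a system upgraded from an earlier release the existing file presumably keeps the mode it already has until something explicitly chmods it — worth confirming against rpm's handling of pre-existing ghost files, and worth a comment beside the entries such as `# grub.cfg is %ghost: 0600 here is what rpm expects, grub2-mkconfig has to actually produce it`. In the second hunk `%attr(0600,root,root)%{efi_esp_dir}/grub.cfg` lands on the ESP, which is normally vfat and stores no POSIX mode bits, so the effective permissions there come from the mount's fmask/umask options rather than this attr; a one-line comment saying so would save a future reader from tightening it further and expecting an effect. Both hunks sit inside `%{expand:%%files %{1}}` bodies that continue past the hunk edges.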
@@ -537,6 +537,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog +* Mon Jul 1 2024 Leo Sandoval - 2.06-83 +- grub-mkconfig.in: turn off executable owner bit +- Resolves: RHEL-45870 + * Thu Jun 27 2024 Nicolas Frayer - 2.06-82 - mkconfig/install: Remove BLS handling for XEN - Resolves: #RHEL-4386