grub-mkconfig.in: turn off executable owner bit

Resolves: #RHEL-58835 Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2024-09-19 10:48:25 -06:00 · 2024-09-19 10:48:25 -06:00 · 6baa4881ea
commit 6baa4881ea
parent 3f9a8de27e
4 changed files with 49 additions and 3 deletions
--- a/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
+++ b/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
@ -0,0 +1,27 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Leo Sandoval <lsandova@redhat.com>
 Date: Thu, 19 Sep 2024 10:15:13 -0600
 Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
 Stricker permissions are required on the grub.cfg file, resulting in
 at most 0600 owner's file permissions. This resolves conflicting
 requirement permissions on grub2-pc package's grub2.cfg file.
 Signed-off-by: Leo Sandoval <lsandova@redhat.com>
 ---
 util/grub-mkconfig.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
 index a1c00776d..573004915 100644
 --- a/util/grub-mkconfig.in
 +++ b/util/grub-mkconfig.in
@@ -317,7 +317,7 @@ and /etc/grub.d/* files or please file a bug report with
     exit 1
   else
     # none of the children aborted with error, install the new grub.cfg
 -    oldumask=$(umask); umask 077
 +    oldumask=$(umask); umask 177
     cat ${grub_cfg}.new > ${grub_cfg}
     umask $oldumask
     rm -f ${grub_cfg}.new
--- a/grub.macros
+++ b/grub.macros
@ -589,14 +589,15 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig	\
 touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub		\
 ln -sf ../default/grub						\\\
 	${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub		\
-touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg			\
+touch grub.cfg							\
 install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/	\
 %{nil}
 %define define_legacy_variant_files()				\
 %{expand:%%files %{1}}						\
 %defattr(-,root,root,-)						\
 %config(noreplace) %{_sysconfdir}/%{name}.cfg			\
-%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg	\
+%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg	\
 %dir %attr(0700,root,root)/boot/loader/entries			\
 %ifarch ppc64le						\
 %dir %{_libdir}/grub/%{2}/					\
--- a/grub.patches
+++ b/grub.patches
@ -588,3 +588,4 @@ Patch0587: 0587-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
 Patch0588: 0588-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
 Patch0589: 0589-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
 Patch0590: 0590-fs-ntfs-Make-code-more-readable.patch
 Patch0591: 0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
--- a/grub2.spec
+++ b/grub2.spec
@ -7,7 +7,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.02
-Release:	157%{?dist}
+Release:	158%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 Group:		System Environment/Base
 License:	GPLv3+
@ -310,6 +310,19 @@ if [ "$1" = 2 ]; then
 	/sbin/grub2-switch-to-blscfg --backup-suffix=.rpmsave &>/dev/null || :
 fi
 %posttrans common
 set -eu
 GRUB_HOME=/boot/%{name}
 if test  -f ${GRUB_HOME}/grub.cfg; then
    # make sure GRUB_HOME/grub.cfg has 600 permissions
    GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg)
    if ! test "${GRUB_CFG_MODE}" = "600"; then
        chmod 0600 ${GRUB_HOME}/grub.cfg
    fi
 fi
 %triggerun -- grub2 < 1:1.99-4
 # grub2 < 1.99-4 removed a number of essential files in postun. To fix upgrades
 # from the affected grub2 packages, we first back up the files in triggerun and
@ -510,6 +523,10 @@ fi
 %endif
 %changelog
 * Thu Sep 19 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-158
 - grub-mkconfig.in: turn off executable owner bit
 - Resolves: #RHEL-58835
 * Wed Aug 14 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-157
 - 20-grub-install: fix SELinux security type context for BLS
 - Resolves: #RHEL-4395