From 89b61793d80bc2cb2abe47a7d0549466fb087d16 Mon Sep 17 00:00:00 2001 From: Johannes Meixner Date: Fri, 12 Jan 2024 08:04:40 +0100 Subject: [PATCH] Make initrd accessible only by root (#3123) In pack/GNU/Linux/900_create_initramfs.sh call chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME" to let only 'root' access the ReaR initrd because the ReaR recovery system in the initrd can contain secrets (not by default but when certain things are explicitly configured by the user like SSH keys without passphrase) see https://github.com/rear/rear/issues/3122 and https://bugzilla.opensuse.org/show_bug.cgi?id=1218728 --- usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh index 1e0c11039..12be718ed 100644 --- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh +++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh @@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in fi ;; esac + +# Only root should be allowed to access the initrd +# because the ReaR recovery system can contain secrets +# cf. https://github.com/rear/rear/issues/3122 +test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME" + popd >/dev/null