From 7b0e8e2427cf6b10bffb410b66dd02272be3e386 Mon Sep 17 00:00:00 2001
From: Johannes Meixner
Date: Mon, 8 Jan 2024 14:40:42 +0100
Subject: [PATCH 1/2] Make initrd accessible only by root

In pack/GNU/Linux/900_create_initramfs.sh call chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME" to let only root access the initrd because the ReaR recovery system can contain secrets see https://github.com/rear/rear/issues/3122
---
 usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
index 1e0c11039c..5d3f67a84b 100644
--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
 fi
 ;;
 esac
+
+# Only root should allowed to access the initrd
+# because the ReaR recovery system can contain secrets
+# cf. https://github.com/rear/rear/issues/3122
+test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
+
 popd >/dev/null

From 1271257aedaa78e703c140a99f374fcecb48b4fd Mon Sep 17 00:00:00 2001
From: Johannes Meixner
Date: Mon, 8 Jan 2024 15:57:36 +0100
Subject: [PATCH 2/2] Update 900_create_initramfs.sh

Typo fix in comment: "should allowed" -> "should be allowed"
---
 usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
index 5d3f67a84b..12be718ed8 100644
--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
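Review bot: A failed chmod on the new `test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"` line is silently ignored, and so is a missing or empty initrd, because the `&&` chain swallows both outcomes and the script carries on to `popd`; since the whole point of the change is to keep secrets in the recovery system away from other users, both cases should be fatal, e.g. `test -s "$TMP_DIR/$REAR_INITRD_FILENAME" || Error "initrd $TMP_DIR/$REAR_INITRD_FILENAME is missing or empty"` followed by `chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME" || Error "cannot restrict permissions of $TMP_DIR/$REAR_INITRD_FILENAME"` (using whatever fatal-error helper this script already relies on). Tightening the mode after the fact also leaves the freshly written initrd with its umask-derived mode between the compression step above and this chmod; if `$TMP_DIR` is not itself a private 0700 directory, setting `umask 077` before the initrd is written would avoid ever creating it readable by others — that pipeline is outside the hunk, so this is inferred. The comment would also be clearer as `# Only root should be allowed to access the initrd` (fixed in the follow-up patch below).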
@@ -126,7 +126,7 @@ case "$REAR_INITRD_COMPRESSION" in
 ;;
 esac
 
-# Only root should allowed to access the initrd
+# Only root should be allowed to access the initrd
 # because the ReaR recovery system can contain secrets
 # cf. https://github.com/rear/rear/issues/3122
 test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"