Ensure bootupd-generated GRUB configs have secure permissions and ownership

[jan-cerny]

Security compliance frameworks, such as CIS or PCI-DSS, mandate that /boot/grub2/grub.cfg and /boot/grub2/user.cfg must be owned by root:root with file permissions set to 0600 to prevent unauthorized modification.

Currently, bootupd appears to rely on system defaults (e.g., umask) when creating this file, which can result in insufficient permissions (like 0644). This causes failing rules when performing compliance scans of RHEL Image Mode systems.

We propose that bootupd be enhanced to enforce secure-by-default settings for the bootloader configurations it creates. Specifically, when bootupd generates /boot/grub2/grub.cfg and /boot/grub2/user.cfg , it should explicitly set the file owner to root (UID 0), set the file group to root (GID 0) and et the file permissions to 0600.

Alternatively, bootupd could provide a way how to configure the owner and permissions of the GRUB files at the bootable container image build time, ie. users would drop in a config file for bootupd in their Containerfiles.

[HuijingHei]

Thank you for reporting the issue.

bootupd generates /boot/grub2/grub.cfg and /boot/grub2/user.cfg , it should explicitly set the file owner to root (UID 0), set the file group to root (GID 0) and et the file permissions to 0600

bootupd owned /boot/grub2/grub.cfg and should change to 0600, and /boot/grub2/user.cfg is owned by butane, we should set the permission to 0600 when create user.cfg.

Alternatively, bootupd could provide a way how to configure the owner and permissions of the GRUB files at the bootable container image build time, ie. users would drop in a config file for bootupd in their Containerfiles.

I am not quite sure I understand this, do you mean that bootupd should change the owner and permissions of the GRUB files to 0600 if check that is not 0600?

[jan-cerny]

I am not quite sure I understand this, do you mean that bootupd should change the owner and permissions of the GRUB files to 0600 if check that is not 0600?

This is an alternative proposal to the proposal in previous paragraph. This alternative would make sense if you wouldn't agree with changing the default file permissions. Then, the configuration file would allow to specify the desired file permissions. I think that if bootupd changes the defaults to the proposed values we don't need to have this option.

[HuijingHei]

Understood, agree to set the file permissions to 0600.

[cgwalters]

Currently, bootupd appears to rely on system defaults (e.g., umask) when creating this file, which can result in insufficient permissions (like 0644).

This came up on internal chat originally but just to be clear, we are today doing setting the outer directory to mode 0700 which means users can't access it anyways. So this is effectively just a false positive from these scanning tools.

Specifically, when bootupd generates /boot/grub2/grub.cfg and /boot/grub2/user.cfg , it should explicitly set the file owner to root (UID 0), set the file group to root (GID 0) and et the file permissions to 0600.

But yes, sure.

[travier]

Fixed by #961 for new installations. This will not fix it for existing systems, but this is a false positive so users that want to silence that warning can do a one time chmod 600 ... on their systems to fix that.