grubconfig: set grub.cfg file mode to 0600

See #952

Author: HuijingHei

.github/workflows/ci.yml

@@ -85,6 +85,7 @@ jobs:
             shim="shimaa64.efi"
           fi
           sudo ls /mnt/EFI/centos/{grub.cfg,${shim}}
+          [ $(stat -c "%a" /mnt/EFI/centos/grub.cfg) == "600" ]
           sudo umount /mnt
           sudo losetup -D "${device}"
           sudo rm -f myimage.raw
@@ -99,3 +100,4 @@ jobs:
             --disable-selinux --replace=alongside /target
           # Verify we injected static configs
           jq -re '.["static-configs"].version' /boot/bootupd-state.json
+          [ $(stat -c "%a" /boot/grub2/grub.cfg) == "600" ]

src/grubconfigs.rs

@@ -17,6 +17,9 @@ const DROPINDIR: &str = "configs.d";
 const GRUBENV: &str = "grubenv";
 pub(crate) const GRUBCONFIG: &str = "grub.cfg";
 pub(crate) const GRUBCONFIG_BACKUP: &str = "grub.cfg.backup";
+// File mode for grub config
+// https://github.com/coreos/bootupd/issues/952
+const GRUBCONFIG_FILE_MODE: u32 = 0o600;
 
 /// Install the static GRUB config files.
 #[context("Installing static GRUB configs")]
@@ -67,7 +70,7 @@ pub(crate) fn install(
 
     let grub2dir = bootdir.sub_dir(GRUB2DIR)?;
     grub2dir
-        .write_file_contents("grub.cfg", 0o644, config.as_bytes())
+        .write_file_contents("grub.cfg", GRUBCONFIG_FILE_MODE, config.as_bytes())
         .context("Copying grub-static.cfg")?;
     println!("Installed: grub.cfg");
 
@@ -103,6 +106,7 @@ pub(crate) fn install(
             efidir
                 .copy_file(&Path::new(CONFIGDIR).join("grub-static-efi.cfg"), target)
                 .context("Copying static EFI")?;
+            efidir.set_mode(target, GRUBCONFIG_FILE_MODE)?;
             println!("Installed: {target:?}");
             if let Some(uuid_path) = uuid_path {
                 let target = &vendor.join(uuid_path);