Skip to content

grubconfig: set /boot/grub2/grub.cfg file mode to 0600 #961

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 29, 2025
Merged

grubconfig: set /boot/grub2/grub.cfg file mode to 0600 #961

merged 2 commits into from
Jun 29, 2025

Conversation

@HuijingHei
Copy link
Member

@HuijingHei HuijingHei commented Jun 25, 2025
edited
Loading

Copy Colin's comment:

One overall issue on this is because we don't have a mechanism to
update the static configs, existing systems will stay as is.

See #952 &
https://redhat-internal.slack.com/archives/C01BSEK9PM1/p1750152540290679

cgwalters
cgwalters approved these changes Jun 25, 2025
View reviewed changes
Copy link
Member

@cgwalters cgwalters left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One overall issue on this is because we don't have a mechanism to update the static configs, existing systems will stay as is.

src/grubconfigs.rs Outdated
efidir
.copy_file(&Path::new(CONFIGDIR).join("grub-static-efi.cfg"), target)
.context("Copying static EFI")?;
efidir.set_mode(target, GRUBCONFIG_FILE_MODE)?;
Copy link
Member

@cgwalters cgwalters Jun 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Side note: in the future we could use https://docs.rs/cap-std-ext/latest/cap_std_ext/dirext/trait.CapStdExtDirExt.html#tymethod.atomic_write_with_perms to do this in one step.

Copy link
Member Author

@HuijingHei HuijingHei Jun 25, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the comment, I see your PR in #674 is using cap-std-ext, maybe we can continue that.

@HuijingHei HuijingHei force-pushed the fix-grub-permission branch from 8d0f0f3 to 30ce64c Compare June 25, 2025 13:29
@cgwalters
Copy link
Member

cgwalters commented Jun 27, 2025

Hm, not sure offhand why the test is failing. Possibly we're not running the updated code we think we are, or the code is wrong.

@HuijingHei
grubconfig: set /boot/grub2/grub.cfg file mode to 0600
532724d 
Copy Colin's comment:
```
One overall issue on this is because we don't have a mechanism to
update the static configs, existing systems will stay as is.
```

See coreos#952 &
https://redhat-internal.slack.com/archives/C01BSEK9PM1/p1750152540290679
@HuijingHei HuijingHei force-pushed the fix-grub-permission branch from 30ce64c to 304d7dc Compare June 29, 2025 08:17
@HuijingHei HuijingHei force-pushed the fix-grub-permission branch from 304d7dc to e944eef Compare June 29, 2025 08:18
@HuijingHei
Copy link
Member Author

HuijingHei commented Jun 29, 2025

Hm, not sure offhand why the test is failing. Possibly we're not running the updated code we think we are, or the code is wrong.

Thank you for the review!
The file grub.cfg under EFI, which is a FAT filesystem that does not support Unix permissions, so permissions like 0o600 have no effect. (see https://askubuntu.com/questions/96923/how-do-i-change-permissions-on-a-fat32-formatted-drive)

Look that the issue and find the requirement here is only related to /boot/grub2/grub.cfg, so just change it 0600.

@HuijingHei HuijingHei changed the title grubconfig: set grub.cfg file mode to 0600 grubconfig: set /boot/grub2/grub.cfg file mode to 0600 Jun 29, 2025
@cgwalters cgwalters merged commit b50ffc4 into coreos:main Jun 29, 2025
12 checks passed
@HuijingHei HuijingHei deleted the fix-grub-permission branch June 30, 2025 01:06
@travier travier mentioned this pull request Jun 30, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cgwalters cgwalters cgwalters approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@HuijingHei @cgwalters