
Restrict Permissions of grub/menu.lst #113

Merged
chewi merged 1 commit into flatcar:flatcar-master from justdan96:patch-1
Jun 12, 2025

@justdan96 justdan96 commented Jan 16, 2024

This is described in the following issue:
flatcar/Flatcar#296

Setting the `Options=umask` parameter as that behaviour is well documented by systemd: https://www.freedesktop.org/software/systemd/man/latest/systemd.mount.html#Options.

Restrict Permissions of grub/menu.lst

Previously the permissions of grub/menu.lst were 0755; this PR corrects those permissions, which helps with CIS compliance.

How to use

Test new unit file works with Flatcar installation.

Testing done

None yet.

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

Closes: flatcar/Flatcar#296
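
The mechanism this change relies on, shown as an added example that is not part of the pull request or the project's code: on a FAT filesystem the modes are synthesised from mount options, so a process umask of 022 produces the 0755 mentioned above, and a `umask=` in the mount unit's `Options=` is what changes it. Assumptions: /boot is a FAT mount, the sample units and their values are constructed placeholders, and "no group/other bits" is the audit policy chosen here.

```python
import re

# Constructed sample units, not the project's boot.mount. The device path and
# the umask value are placeholders chosen for illustration.
BEFORE = "[Mount]\nWhat=/dev/disk/by-label/EXAMPLE\nWhere=/boot\nType=vfat\n"
AFTER = BEFORE + "Options=umask=0077\n"

def parse_mount_options(unit_text):
    """Collect key[=value] pairs from every Options= line of a mount unit."""
    opts = {}
    for line in unit_text.splitlines():
        m = re.match(r"\s*Options\s*=(.*)$", line)
        if m:
            for item in filter(None, (p.strip() for p in m.group(1).split(","))):
                key, _, value = item.partition("=")
                opts[key] = value
    return opts

def fat_modes(opts, process_umask=0o022):
    """Return (file_mode, dir_mode) as the FAT driver would present them.

    FAT has no Unix permission bits, so modes are synthesised at mount time:
    umask= falls back to the mounting process's umask, and fmask=/dmask=
    override it for files and directories.
    """
    umask = int(opts["umask"], 8) if "umask" in opts else process_umask
    fmask = int(opts["fmask"], 8) if "fmask" in opts else umask
    dmask = int(opts["dmask"], 8) if "dmask" in opts else umask
    return 0o777 & ~fmask, 0o777 & ~dmask

def audit(unit_text, forbidden=0o077):
    """List findings where group/other bits survive (assumed policy)."""
    file_mode, dir_mode = fat_modes(parse_mount_options(unit_text))
    findings = []
    if file_mode & forbidden:
        findings.append(f"files mounted as {file_mode:04o}")
    if dir_mode & forbidden:
        findings.append(f"directories mounted as {dir_mode:04o}")
    return findings

if __name__ == "__main__":
    for name, unit in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(unit) or "ok")
```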

@justdan96 justdan96 marked this pull request as ready for review January 26, 2024 16:04
@tormath1 tormath1 requested a review from a team June 6, 2025 09:39

chewi commented Jun 6, 2025

I've sort of tested this by copying and adding the change to /run/systemd/system/boot.mount. /boot is an autofs, so you can see the result if you don't access it before that. I'll run this through CI though.


chewi commented Jun 6, 2025

The cl.verity Kola test failed in a relevant way. It's probably a test-specific failure though.


chewi commented Jun 12, 2025

CI has passed with the Kola fix. Just need to get that merged first.

@chewi chewi self-assigned this Jun 12, 2025
@chewi chewi merged commit 36e0bef into flatcar:flatcar-master Jun 12, 2025
@tormath1

Thanks @justdan96 for the proposed fix, and sorry for the delay here - this has been somehow missed. 🙏


Development

Successfully merging this pull request may close these issues.

Permission of grub/menu.lst is not persistent
