[Touch-packages] [Bug 1390183] Re: EFI directory is insecure by default
** Changed in: partman-efi (Debian) Status: Fix Committed = Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to mountall in Ubuntu. https://bugs.launchpad.net/bugs/1390183 Title: EFI directory is insecure by default Status in “mountall” package in Ubuntu: Fix Released Status in “partman-efi” package in Ubuntu: Fix Released Status in “partman-efi” package in Debian: Fix Released Bug description: The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by default. It has permissions/mode 0777 (rwx for all). This makes the directory very vulnerable to tampering. Although it may be possible to repair damage to this directory externally if the system becomes unbootable due to such damage, having to do this is undesirable and usually not easy for most users. Distributions other than Ubuntu may also be having this issue, I have not checked, but some distributions enable secure permissions by default (e.g., Fedora). One (or maybe the only) reason for the default configuration being the way it is may be that the EFI partition uses a FAT file system. However, enabling a umask through /etc/fstab as in Fedora, e.g., umask=0077, should make it much more secure. Ubuntu 14.10 Utopic Unicorn (x86_64/amd64) Expected default configuration:- A critical system directory such as /boot/efi should be inaccessible to non-root users by default. Actual default configuration:- The EFI directory /boot/efi is accessible to all users irrespective of the user account's privileges (permission mode 0777/rwxrwxrwx). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1390183/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1390183] Re: EFI directory is insecure by default
** Changed in: partman-efi (Debian) Status: Unknown = Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to mountall in Ubuntu. https://bugs.launchpad.net/bugs/1390183 Title: EFI directory is insecure by default Status in “mountall” package in Ubuntu: Fix Released Status in “partman-efi” package in Ubuntu: Fix Released Status in “partman-efi” package in Debian: Fix Committed Bug description: The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by default. It has permissions/mode 0777 (rwx for all). This makes the directory very vulnerable to tampering. Although it may be possible to repair damage to this directory externally if the system becomes unbootable due to such damage, having to do this is undesirable and usually not easy for most users. Distributions other than Ubuntu may also be having this issue, I have not checked, but some distributions enable secure permissions by default (e.g., Fedora). One (or maybe the only) reason for the default configuration being the way it is may be that the EFI partition uses a FAT file system. However, enabling a umask through /etc/fstab as in Fedora, e.g., umask=0077, should make it much more secure. Ubuntu 14.10 Utopic Unicorn (x86_64/amd64) Expected default configuration:- A critical system directory such as /boot/efi should be inaccessible to non-root users by default. Actual default configuration:- The EFI directory /boot/efi is accessible to all users irrespective of the user account's privileges (permission mode 0777/rwxrwxrwx). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1390183/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1390183] Re: EFI directory is insecure by default
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to mountall in Ubuntu. https://bugs.launchpad.net/bugs/1390183 Title: EFI directory is insecure by default Status in “mountall” package in Ubuntu: Fix Released Status in “partman-efi” package in Ubuntu: Confirmed Bug description: The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by default. It has permissions/mode 0777 (rwx for all). This makes the directory very vulnerable to tampering. Although it may be possible to repair damage to this directory externally if the system becomes unbootable due to such damage, having to do this is undesirable and usually not easy for most users. Distributions other than Ubuntu may also be having this issue, I have not checked, but some distributions enable secure permissions by default (e.g., Fedora). One (or maybe the only) reason for the default configuration being the way it is may be that the EFI partition uses a FAT file system. However, enabling a umask through /etc/fstab as in Fedora, e.g., umask=0077, should make it much more secure. Ubuntu 14.10 Utopic Unicorn (x86_64/amd64) Expected default configuration:- A critical system directory such as /boot/efi should be inaccessible to non-root users by default. Actual default configuration:- The EFI directory /boot/efi is accessible to all users irrespective of the user account's privileges (permission mode 0777/rwxrwxrwx). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1390183/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1390183] Re: EFI directory is insecure by default
** Bug watch added: Debian Bug tracker #770033 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770033 ** Also affects: partman-efi (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770033 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to mountall in Ubuntu. https://bugs.launchpad.net/bugs/1390183 Title: EFI directory is insecure by default Status in “mountall” package in Ubuntu: Fix Released Status in “partman-efi” package in Ubuntu: Confirmed Status in “partman-efi” package in Debian: Unknown Bug description: The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by default. It has permissions/mode 0777 (rwx for all). This makes the directory very vulnerable to tampering. Although it may be possible to repair damage to this directory externally if the system becomes unbootable due to such damage, having to do this is undesirable and usually not easy for most users. Distributions other than Ubuntu may also be having this issue, I have not checked, but some distributions enable secure permissions by default (e.g., Fedora). One (or maybe the only) reason for the default configuration being the way it is may be that the EFI partition uses a FAT file system. However, enabling a umask through /etc/fstab as in Fedora, e.g., umask=0077, should make it much more secure. Ubuntu 14.10 Utopic Unicorn (x86_64/amd64) Expected default configuration:- A critical system directory such as /boot/efi should be inaccessible to non-root users by default. Actual default configuration:- The EFI directory /boot/efi is accessible to all users irrespective of the user account's privileges (permission mode 0777/rwxrwxrwx). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1390183/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1390183] Re: EFI directory is insecure by default
** Branch linked: lp:~ubuntu-branches/ubuntu/vivid/partman-efi/vivid- proposed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to mountall in Ubuntu. https://bugs.launchpad.net/bugs/1390183 Title: EFI directory is insecure by default Status in “mountall” package in Ubuntu: Fix Released Status in “partman-efi” package in Ubuntu: Confirmed Status in “partman-efi” package in Debian: Unknown Bug description: The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by default. It has permissions/mode 0777 (rwx for all). This makes the directory very vulnerable to tampering. Although it may be possible to repair damage to this directory externally if the system becomes unbootable due to such damage, having to do this is undesirable and usually not easy for most users. Distributions other than Ubuntu may also be having this issue, I have not checked, but some distributions enable secure permissions by default (e.g., Fedora). One (or maybe the only) reason for the default configuration being the way it is may be that the EFI partition uses a FAT file system. However, enabling a umask through /etc/fstab as in Fedora, e.g., umask=0077, should make it much more secure. Ubuntu 14.10 Utopic Unicorn (x86_64/amd64) Expected default configuration:- A critical system directory such as /boot/efi should be inaccessible to non-root users by default. Actual default configuration:- The EFI directory /boot/efi is accessible to all users irrespective of the user account's privileges (permission mode 0777/rwxrwxrwx). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1390183/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1390183] Re: EFI directory is insecure by default
This bug was fixed in the package partman-efi - 25ubuntu7 --- partman-efi (25ubuntu7) vivid; urgency=medium * fstab.d/efi: force umask in mount options to ensure directory never ends up with incorrect permissions. (LP: #1390183) -- Marc Deslauriers marc.deslauri...@ubuntu.com Tue, 18 Nov 2014 08:39:09 -0500 ** Changed in: partman-efi (Ubuntu) Status: Confirmed = Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to mountall in Ubuntu. https://bugs.launchpad.net/bugs/1390183 Title: EFI directory is insecure by default Status in “mountall” package in Ubuntu: Fix Released Status in “partman-efi” package in Ubuntu: Fix Released Status in “partman-efi” package in Debian: Unknown Bug description: The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by default. It has permissions/mode 0777 (rwx for all). This makes the directory very vulnerable to tampering. Although it may be possible to repair damage to this directory externally if the system becomes unbootable due to such damage, having to do this is undesirable and usually not easy for most users. Distributions other than Ubuntu may also be having this issue, I have not checked, but some distributions enable secure permissions by default (e.g., Fedora). One (or maybe the only) reason for the default configuration being the way it is may be that the EFI partition uses a FAT file system. However, enabling a umask through /etc/fstab as in Fedora, e.g., umask=0077, should make it much more secure. Ubuntu 14.10 Utopic Unicorn (x86_64/amd64) Expected default configuration:- A critical system directory such as /boot/efi should be inaccessible to non-root users by default. Actual default configuration:- The EFI directory /boot/efi is accessible to all users irrespective of the user account's privileges (permission mode 0777/rwxrwxrwx). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1390183/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1390183] Re: EFI directory is insecure by default
mountall has been updated to version 2.54ubuntu0.14.10.1 through utopic- updates in Ubuntu 14.10 (Utopic Unicorn), and the EFI directory /boot/efi is now mounted with proper permissions even if the mount options field is set to defaults in /etc/fstab. Thank you for fixing the bug. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to mountall in Ubuntu. https://bugs.launchpad.net/bugs/1390183 Title: EFI directory is insecure by default Status in “mountall” package in Ubuntu: Fix Released Status in “partman-efi” package in Ubuntu: Fix Released Status in “partman-efi” package in Debian: Unknown Bug description: The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by default. It has permissions/mode 0777 (rwx for all). This makes the directory very vulnerable to tampering. Although it may be possible to repair damage to this directory externally if the system becomes unbootable due to such damage, having to do this is undesirable and usually not easy for most users. Distributions other than Ubuntu may also be having this issue, I have not checked, but some distributions enable secure permissions by default (e.g., Fedora). One (or maybe the only) reason for the default configuration being the way it is may be that the EFI partition uses a FAT file system. However, enabling a umask through /etc/fstab as in Fedora, e.g., umask=0077, should make it much more secure. Ubuntu 14.10 Utopic Unicorn (x86_64/amd64) Expected default configuration:- A critical system directory such as /boot/efi should be inaccessible to non-root users by default. Actual default configuration:- The EFI directory /boot/efi is accessible to all users irrespective of the user account's privileges (permission mode 0777/rwxrwxrwx). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1390183/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1390183] Re: EFI directory is insecure by default
Thanks for reporting it! :) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to mountall in Ubuntu. https://bugs.launchpad.net/bugs/1390183 Title: EFI directory is insecure by default Status in “mountall” package in Ubuntu: Fix Released Status in “partman-efi” package in Ubuntu: Fix Released Status in “partman-efi” package in Debian: Unknown Bug description: The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by default. It has permissions/mode 0777 (rwx for all). This makes the directory very vulnerable to tampering. Although it may be possible to repair damage to this directory externally if the system becomes unbootable due to such damage, having to do this is undesirable and usually not easy for most users. Distributions other than Ubuntu may also be having this issue, I have not checked, but some distributions enable secure permissions by default (e.g., Fedora). One (or maybe the only) reason for the default configuration being the way it is may be that the EFI partition uses a FAT file system. However, enabling a umask through /etc/fstab as in Fedora, e.g., umask=0077, should make it much more secure. Ubuntu 14.10 Utopic Unicorn (x86_64/amd64) Expected default configuration:- A critical system directory such as /boot/efi should be inaccessible to non-root users by default. Actual default configuration:- The EFI directory /boot/efi is accessible to all users irrespective of the user account's privileges (permission mode 0777/rwxrwxrwx). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1390183/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
