grub config file should not be world readable

Bug #248843 reported by Richard Laager
Affects | Status | Importance | Assigned to | Milestone
grub2 (Ubuntu) | Fix Released | Wishlist | Unassigned |
tiger (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

Binary package hint: grub

tiger emits these two notices:
# --WARN-- [boot02] The configuration file /boot/grub/menu.lst has group permissions. Should be 0600
# --FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world permissions. Should be 0600

I'm inclined to agree that menu.lst should not be world-readable to protect the (optional) password hash therein from dictionary cracking attempts. This should be fixed in grub.

I see no reason to worry about it having root group access. This should be fixed in tiger.

Grub2's /boot/grub/grub.cfg also is world readable.

Revision history for this message
Didier Roche-Tolomelli (didrocks) wrote :

Thanks for reporting this bug.
I confirm in Ubuntu 8.04 and tiger 1:3.2.2
I agree that the file should be 0600, but 0660 is not a problem (as 0640) as long as the group owner is root.

At this moment, /boot/grub/menu.lst is 0644.

So, two actions, if people agree about it:
-> change the rights on Ubuntu grub file
-> change tiger detection and make it more accurate.

Changed in tiger:
status: New → Confirmed
Changed in grub:
status: New → Invalid
status: Invalid → Confirmed
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Re: /boot/grub/menu.lst permissions should be 0660 or less

If the password is preseeded on install, the permissions are tightened to 0640.

Revision history for this message
Richard Laager (rlaager) wrote :

Why not make it 0640 always?

Revision history for this message
Phillip Susi (psusi) wrote :

This should have been assigned to grub instead of grub-installer. Since grub legacy is no longer being developed, but grub2 seems to have the same problem with grub.cfg, I'm reassigning it there.

affects: grub-installer (Ubuntu) → grub2 (Ubuntu)
Changed in grub2 (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
Phillip Susi (psusi)
summary: - /boot/grub/menu.lst permissions should be 0660 or less
+ grub config file should not be world readable
description: updated
Changed in grub2 (Ubuntu):
importance: Medium → Wishlist
Revision history for this message
Colin Watson (cjwatson) wrote :

I'm happy with GRUB's current practice on this, expressed in this code:

if test "x${grub_cfg}" != "x"; then
  rm -f ${grub_cfg}.new
  exec > ${grub_cfg}.new

  # Allow this to fail, since /boot/grub/ might need to be fatfs to support some
  # firmware implementations (e.g. OFW or EFI).
  chmod 400 ${grub_cfg}.new || grub_warn "Could not make ${grub_cfg}.new readable by only root.\
  This means that if the generated config contains a password it is readable by everyone"
fi
echo "Generating grub.cfg ..." >&2

[...]

if [ "x${grub_cfg}" != "x" ] && ! grep -q "^password " ${grub_cfg}.new ; then
  chmod 444 ${grub_cfg}.new || true
fi

In other words, if you use the password command then it's secret, otherwise it's world-readable. As to why we don't make it world-unreadable in general, nothing else in there is normally secret, so there's really no reason to do so - it would just annoy people. *Excessive* security tends to be a net loss. If you have special requirements then you can of course dpkg-divert /usr/sbin/update-grub and add a wrapper which sets the privileges you want.

Changed in grub2 (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Richard Laager (rlaager) wrote :

That seems reasonable. So basically, tiger should be fixed to use the same logic.

Revision history for this message
Colin Watson (cjwatson) wrote :

I think that would be a good idea, yes.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiger - 1:3.2.4~rc1-1

---------------
tiger (1:3.2.4~rc1-1) unstable; urgency=low

  * debian/postrm: Remove depth in find when purging to avoid warnings
    (LP: #665453)
  * debian/source/format: Explicitly define the source format. Set as 1.0
    since the package will not use quilt as Savannah upstream is directly
    packaged into Debian
  * debian/rules: Fix FTCBFS: Let dh_auto_configure pass --host to ./configure.
    (Closes: #888041)
  * util/convert2html, util/genmsgidx: make the build reproducible with patch
    provided by Alexis Bienvenüe (Closes: #828226)
  * Include content from GIT upstream (3.2.4rc1 release):
     - systems/Linux/2/gen_mounts: Added fuse.clamfs and fuse.javafs
       filesystems (LP: #1204527, #1305057)
     - systems/Linux/2/check_release:
         + Update Debian version, current stable is 9.3 and list of old Debian
         versions
         + Add support to check for RHEL and Ubuntu releases. Now Ubuntu is no
         longer considered a Debian "unstable" version (LP: #248845)
     - scripts/check_accounts: Optimise as per suggestion by Arran Schlosberg
     - scripts/check_crontabs: Clean up gen_cron file content before it is used
       (Closes: #839635)
     - systems/Linux/2/check_lilo: Only complain if grub is world readable
        when it has a password configured (LP: #248843).
        Look for grub in the proper location (as used in Grub 2)
     - systems/Linux/2/check_release: Update Debian version, current stable is
       9.3 and list of old Debian versions. Add support to check for RHEL and
       Ubuntu releases. Ubuntu is no longer considered a Debian "unstable"
       version (LP: #248845)
     - systems/Linux/2/deb_checkmd5sums: Optimise by avoiding checking files in
       /usr/share/
     - tigerrc: Set +Tiger_Check_TRUSTED to 'N' (Closes: #722629)

 -- Javier Fernández-Sanguino Peña <email address hidden> Sat, 10 Feb 2018 22:57:09 +0100

Changed in tiger (Ubuntu):
status: Confirmed → Fix Released
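
The rule this thread settles on (Colin Watson's update-grub excerpt, and the check_lilo entry in the tiger changelog) written as a stand-alone audit. This is an added example, not code from GRUB or tiger; the function names and the password_pbkdf2 match are assumptions of the example.

```shell
#!/bin/sh
# Added example (not tiger's or GRUB's code): flag a GRUB config only when it
# is world-readable AND carries a password directive.

# True if FILE has a password directive. "password" is the directive shown in
# the thread; password_pbkdf2 (GRUB 2) is included as this example's assumption.
has_password() {
    grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$1"
}

# True if the "other" read bit is set on FILE (POSIX find, no GNU stat needed).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Print one verdict line for FILE; return 1 only for the FAIL case.
audit_grub_cfg() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "SKIP $f: not present"
    elif [ ! -r "$f" ]; then
        echo "UNKNOWN $f: cannot read, run as root"
    elif ! has_password "$f"; then
        echo "OK $f: no password directive, nothing secret to expose"
    elif world_readable "$f"; then
        echo "FAIL $f: password directive in a world-readable file"
        return 1
    else
        echo "OK $f: password directive, not world-readable"
    fi
}

# Both paths come from the bug report (GRUB legacy and GRUB 2).
for cfg in /boot/grub/menu.lst /boot/grub/grub.cfg; do
    audit_grub_cfg "$cfg" || true
done
```

Group read access is deliberately not flagged, matching the view in the thread that root group access is not a concern.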