I'm happy with GRUB's current practice on this, expressed in this code:

    if test "x${grub_cfg}" != "x"; then
      rm -f ${grub_cfg}.new
      exec > ${grub_cfg}.new
      # Allow this to fail, since /boot/grub/ might need to be fatfs to support some
      # firmware implementations (e.g. OFW or EFI).
      chmod 400 ${grub_cfg}.new || grub_warn "Could not make ${grub_cfg}.new readable by only root.\
    This means that if the generated config contains a password it is readable by everyone"
    fi
    echo "Generating grub.cfg ..." >&2
    [...]
    if [ "x${grub_cfg}" != "x" ] && ! grep -q "^password " ${grub_cfg}.new ; then
      chmod 444 ${grub_cfg}.new || true
    fi

In other words, if you use the password command then it's secret, otherwise it's world-readable. As to why we don't make it world-unreadable in general, nothing else in there is normally secret, so there's really no reason to do so - it would just annoy people. *Excessive* security tends to be a net loss. If you have special requirements then you can of course dpkg-divert /usr/sbin/update-grub and add a wrapper which sets the privileges you want.
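
An added audit check for the condition the warning above describes (a config that contains a password but is still readable by non-root, as can happen when the chmod fails on a FAT /boot); it is not part of the comment above or of GRUB. The function names are hypothetical, the sample configs are constructed, and the pattern is deliberately broader than the script's "^password " test: it also flags password_pbkdf2 lines and indented directives.

```shell
#!/bin/sh
# Added example, not GRUB's code: flag a grub.cfg that holds a password
# directive while its mode still allows group/other to read it.

# has_password FILE -> 0 if FILE contains a password directive.
# Assumption: password_pbkdf2 and indented lines should be flagged too,
# which the script's own grep "^password " does not do.
has_password() {
    grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$1"
}

# group_or_other_readable FILE -> 0 if the g+r or o+r mode bit is set.
# Uses POSIX find so it does not depend on GNU stat.
group_or_other_readable() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# audit_grub_cfg FILE
#   0: fine (no password, or password with no group/other read bit)
#   1: password present and file readable by group/other
#   2: file missing
audit_grub_cfg() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    if has_password "$1" && group_or_other_readable "$1"; then
        echo "EXPOSED: $1 contains a password and is readable by non-root" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs, both left world-readable as after a failed chmod.
demo() {
    d=$(mktemp -d) || return 1
    printf 'set timeout=5\nmenuentry "Linux" {\n}\n' > "$d/plain.cfg"
    printf 'set superusers="admin"\npassword admin s3cret\n' > "$d/secret.cfg"
    chmod 444 "$d/plain.cfg" "$d/secret.cfg"
    for f in "$d/plain.cfg" "$d/secret.cfg"; do
        if audit_grub_cfg "$f"; then echo "ok: $f"; else echo "fix: chmod 400 $f"; fi
    done
    rm -rf "$d"
}
demo
```

Run against the real file as root, e.g. `audit_grub_cfg /boot/grub/grub.cfg`; on a FAT-backed /boot the mode bits come from mount options, so a non-zero result there means the mount's umask needs tightening rather than the file's mode.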