EFI directory is insecure by default
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
mountall (Ubuntu) | Fix Released | Undecided | Marc Deslauriers |
partman-efi (Debian) | Fix Released | Unknown | |
partman-efi (Ubuntu) | Fix Released | Undecided | Marc Deslauriers |
Bug Description
The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by default. It has permissions/mode 0777 (rwx for all). This makes the directory very vulnerable to tampering. Although it may be possible to repair damage to this directory externally if the system becomes unbootable due to such damage, having to do this is undesirable and usually not easy for most users. Distributions other than Ubuntu may also have this issue (I have not checked), but some distributions enable secure permissions by default (e.g., Fedora). One (or maybe the only) reason for the default configuration being the way it is may be that the EFI partition uses a FAT file system. However, enabling a umask through /etc/fstab as in Fedora, e.g., umask=0077, should make it much more secure.
Ubuntu 14.10 Utopic Unicorn (x86_64/amd64)
Expected default configuration:-
A critical system directory such as /boot/efi should be inaccessible to non-root users by default.
Actual default configuration:-
The EFI directory /boot/efi is accessible to all users irrespective of the user account's privileges (permission mode 0777/rwxrwxrwx).
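The report's fix is a mount option rather than a chmod, because vfat has no per-file permission bits: whatever mask the ESP is mounted with is the only access control on /boot/efi. The following audit script is an added example, not code from the bug report or from partman-efi; it assumes the ESP is mounted at /boot/efi and that the fstab entry's option field follows the usual umask/fmask/dmask semantics of the Linux vfat driver.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the /boot/efi entry of an
# fstab file. On a vfat ESP the umask/fmask/dmask mount options are the only
# thing that keeps non-root users away from the boot loader files.

# Print the mount-option field (4th column) of the /boot/efi line in file $1.
esp_options() {
    awk '$1 !~ /^#/ && $2 == "/boot/efi" { print $4; exit }' "$1"
}

# Print the value of option $2 (e.g. umask) from option string $1; last wins.
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# Exit 0 if option string $1 denies group and others all access, 1 otherwise.
# fmask/dmask override umask for files/directories; no mask at all means 0,
# which yields the 0777 default the bug describes.
esp_options_secure() {
    um=$(opt_value "$1" umask)
    fm=$(opt_value "$1" fmask)
    dm=$(opt_value "$1" dmask)
    for m in "${fm:-${um:-0}}" "${dm:-${um:-0}}"; do
        # Masks are octal; all of the low six bits (077) must be set.
        [ $(( 0$m & 0077 )) -eq 63 ] || return 1
    done
    return 0
}

# Exit 0 if fstab file $1 mounts /boot/efi with a restrictive mask.
fstab_esp_secure() {
    esp_options_secure "$(esp_options "$1")"
}

# Demo on a constructed fstab (not from a real system): the weak default
# line beside the corrected one from the report.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'UUID=0000-0000  /boot/efi  vfat  defaults  0 1' > "$tmp"
    fstab_esp_secure "$tmp" || echo "insecure: no mask, ESP is world-writable"
    printf '%s\n' 'UUID=0000-0000  /boot/efi  vfat  umask=0077  0 1' > "$tmp"
    fstab_esp_secure "$tmp" && echo "ok: ESP restricted to root"
    rm -f "$tmp"
}
```

Run `demo` to see both verdicts, or call `fstab_esp_secure /etc/fstab` to check a live system's entry.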
affects: ubuntu → partman-efi (Ubuntu)
information type: Private Security → Public Security
Changed in partman-efi (Debian): status: Unknown → Fix Committed
Changed in partman-efi (Debian): status: Fix Committed → Fix Released
Thank you for reporting this issue; I will be investigating it.