Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root.
https://github.com/rear/rear/issues/3122
https://github.com/rear/rear/pull/3123
Created rear tracking bugs for this issue: Affects: fedora-all [bug 2258397]
Hello, should it be Severity: high? Note that GRUB_RESCUE=y is not the default, and even if one sets it, I believe that the default initrd created by ReaR does not contain secrets, as ReaR has SSH_FILES='avoid_sensitive_files' and SSH_UNPROTECTED_PRIVATE_KEYS='no' set by default. Regards, Pavel
N.B. to examine what files are in the initrd, you can run "rear -d mkrescue" and examine the rootfs directory under ReaR's temporary directory (/tmp/rear.* or /var/tmp/rear.* depending on version).
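As an added example (not part of the original bug thread or of ReaR itself), the following shell helpers cover the two checks discussed above: whether an initrd image in a boot directory is readable by non-root users, and whether an unpacked rootfs directory contains private keys or password hashes. The function names, the default `*initrd*` file-name pattern and the directory arguments are assumptions; GNU find, stat and grep are assumed.

```shell
#!/usr/bin/env bash
# Added example: audit helpers for the two checks discussed in this bug.
# Function names, the default pattern and the directory arguments are
# assumptions; pass the paths that apply to your system.

# List files directly in DIR matching PATTERN that "other" can read.
# Prints "<octal mode> <path>" per hit; returns 1 if any hit, else 0.
world_readable_images() {
    local dir="$1" pattern="${2:-*initrd*}" hits
    hits=$(find "$dir" -maxdepth 1 -type f -name "$pattern" -perm -004 \
               -exec stat -c '%a %n' {} +)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# List files under an unpacked rootfs directory that hold secret material:
# PEM/OpenSSH private keys (encrypted ones are reported too), or an
# etc/shadow that has at least one entry with a real password hash.
rootfs_secrets() {
    local rootfs="$1"
    # -r recurse, -I skip binary files, -l print matching file names only
    grep -rIlE -- '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$rootfs" \
        2>/dev/null || true
    # Locked accounts have "*" or "!" in field 2; a hash starts with "$"
    if [ -f "$rootfs/etc/shadow" ] &&
       grep -qE '^[^:]+:\$[^:]+:' "$rootfs/etc/shadow"; then
        printf '%s\n' "$rootfs/etc/shadow"
    fi
    return 0
}
```

Call `world_readable_images` on the boot directory and `rootfs_secrets` on the rootfs directory left behind by "rear -d mkrescue"; any output from either is worth reviewing.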
https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16
A moderate security concern has been identified in Relax-and-Recover (ReaR), particularly when the non-default configuration GRUB_RESCUE=y is used within Red Hat Enterprise Linux (RHEL). This setting results in the creation of a world-readable initrd, potentially providing local attackers an avenue to access system secrets usually restricted to root privileges. It's worth noting that the default initrd created by ReaR does not contain secrets.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:1147 https://access.redhat.com/errata/RHSA-2024:1147
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1719 https://access.redhat.com/errata/RHSA-2024:1719