efivars filesystem gives more access than the existing vars directory
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
linux (Ubuntu) | Expired | Medium | Unassigned | |
Bug Description
There are currently two ways of accessing EFI variables on Ubuntu:
- The old way, through /sys/firmware/
- The new way, through /sys/firmware/
Both provide access to the exact same variables and are available at the same time.
One big difference however is that /sys/firmware/
With the introduction of efivars, anyone is now capable of reading any of the EFI variables.
I'm not sure if there's a potential security problem with letting any user read EFI variables, but in any case, the lack of consistency is a bit disturbing, so I think it'd be best to have efivars match the permissions of the same entries as exposed by sysfs.
Changed in mountall (Ubuntu):
importance: Undecided → Medium
information type: Private Security → Public Security
Having looked at this, it doesn't appear there's any way to control the permissions via mount options. So I think it would be better if the kernel driver would set sensible default permissions, instead of trying to hack around it in mountall; reassigning.
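A check for the inconsistency described in the bug, as an added example that is not part of the original report or of any Ubuntu tooling: it lists variables whose efivarfs file is readable by "other" users while no file under the matching sysfs variable directory is. Both directories are passed in by the caller, and the layout (one file per variable in efivarfs, one directory of attribute files per variable in the sysfs interface) is an assumption of the example.

```python
import os
import stat
import sys


def other_readable(path):
    """True if the mode bits of path grant read access to 'other' users."""
    # lstat reads the mode bits directly, so the answer does not depend on
    # who runs the audit (root would pass an os.access() check regardless).
    return bool(os.lstat(path).st_mode & stat.S_IROTH)


def inconsistent_vars(sysfs_vars_dir, efivarfs_dir):
    """Return sorted variable names that are readable by 'other' through
    efivarfs but not through the sysfs variable directory.

    Assumed layout (not taken from the bug report):
      efivarfs_dir/<Name>-<GUID>            one file per variable
      sysfs_vars_dir/<Name>-<GUID>/<attr>   one directory per variable
    """
    findings = []
    for name in sorted(os.listdir(efivarfs_dir)):
        new_path = os.path.join(efivarfs_dir, name)
        old_dir = os.path.join(sysfs_vars_dir, name)
        if not os.path.isdir(old_dir):
            continue  # variable not exposed by the old interface; nothing to compare
        old_open = any(
            other_readable(os.path.join(old_dir, attr))
            for attr in os.listdir(old_dir)
        )
        if other_readable(new_path) and not old_open:
            findings.append(name)
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py <sysfs vars dir> <efivarfs mount point>")
    for var in inconsistent_vars(sys.argv[1], sys.argv[2]):
        print("readable by other only via efivarfs:", var)
```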