Ubuntu
linux package

efivars filesystem gives more access than the exists vars directory

Bug #1087546 reported by Stéphane Graber
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Expired
Medium
Unassigned

Bug Description

There are currently two ways of accessing EFI variables on Ubuntu:
 - The old way, through /sys/firmware/efi/vars
 - The new way, through /sys/firmware/efi/efivars

Both provide access to the exact same variables and are available at the same time.

One big difference however is that /sys/firmware/efi/vars/ is only root readable with all files being owned by root:root with the file permissions being 600.

With the introduction of efivars, anyone is now capable of reading any of the EFI variables.

I'm not sure if there's a potential security problem with letting any user reading EFI variables, but in any case, the lack of consistency is a bit disturbing, so I think it'd be best to have efivars match the permissions of the same entries as exposed by sysfs.

Brian Murray (brian-murray)
Changed in mountall (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Steve Langasek (vorlon) wrote :

Having looked at this, it doesn't appear there's any way to control the permissions via mount options. So I think it would be better if the kernel driver would set sensible default permissions, instead of trying to hack around it in mountall; reassigning.

affects: mountall (Ubuntu) → linux (Ubuntu)
Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

@Steve, I'll mark this as private security to have the security group review.

Changed in linux (Ubuntu):
importance: Medium → High
importance: High → Medium
information type: Public → Private Security
tags: added: kernel-da-key
Seth Arnold (seth-arnold)
information type: Private Security → Public Security
Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1087546

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.