You are not logged in.
- Topics: Active | Unanswered
#1 2019-02-01 14:24:53
- berilac
- Member
- Registered: 2016-12-24
- Posts: 11
LVM on LUKS : Edit initramfs permissions after update
I noticed here (https://wiki.archlinux.org/index.php/Dm … _initramfs) that I should update initramfs permissions when installing a new kernel.
Warning: When initramfs' permissions are set to 644 (by default), then all users will be able to dump the keyfile. Make sure the permissions are still 600 if you install a new kernel.
I assume this applies to whenever `mkinitcpio -p ...` is run as well.
Have been trying to figure out the best way to approach this for automation.
Initially I thought I could do it as a pacman hook, but I'm thinking it would be better if it could be run simply after mkinitcpio generates new images.
Any thoughts on how I might achieve this?
From my research so far, nothing is popping out at me as an obvious solution - the mkinitcpio hooks seem unsuitable.
Offline
#2 2019-02-03 17:59:15
- eschwartz
- Fellow
- Registered: 2014-08-08
- Posts: 4,097
Re: LVM on LUKS : Edit initramfs permissions after update
mkinitcpio -p will use redirection to create the file in /boot, and therefore permissions will not be modified. Once you've set the permissions once, they will stay that way.
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
Offline
#3 2019-11-18 05:30:39
- doskoi
- Member
- Registered: 2016-04-10
- Posts: 21
Re: LVM on LUKS : Edit initramfs permissions after update
It's not true anymore with the new mkinitcpio hooks. /usr/share/libalpm/hooks/60-mkinitcpio-remove.hook will delete the initramfs with each kernel update, and /usr/share/libalpm/hooks/90-mkinitcpio-install.hook will recreate it with mode 644.
Offline
#4 2021-05-07 13:37:48
- daniel_shub
- Member
- Registered: 2012-06-21
- Posts: 82
Re: LVM on LUKS : Edit initramfs permissions after update
Apologies for bumping an old post. Do the 60-mkinitcpio-remove.hook and 90-mkinitcpio-install.hook preserve the permissions of the initramfs? It does not look like it, but maybe something happens in the preset. If the permissions are not saved, what is the best way to keep the permissions of the initramfs as 600.
Offline
#5 2021-07-30 21:32:51
- morkin1792
- Member
- Registered: 2021-07-27
- Posts: 2
Re: LVM on LUKS : Edit initramfs permissions after update
The best solution that I found was create the file /etc/pacman.d/hooks/91-initramfs.hook with the following content:
[Trigger]
Operation = Install
Operation = Upgrade
Type = Path
Target = usr/lib/modules/*/vmlinuz
Target = usr/lib/initcpio/*
[Action]
Description = Changing initramfs files permissions...
When = PostTransaction
Exec = /bin/bash -c 'chmod 600 /boot/initramfs*'Last edited by morkin1792 (2021-07-30 21:43:41)
Offline