/etc/grub2/grubenv --> change the permissions to 600
by ratan61 from LinuxQuestions.org on (#6HZE9)
Hello All,
The following is suggested by the security team: they are suggesting to change the permissions of the following file, /etc/grub2/grubenv, to 600, as not everyone can modify the parameters except root. After changing the permissions of this file, it is working. I then tried to perform the yum update and it was also successful. Now, while checking the transaction history, I see the following:
1 Creating group 'sgx' with GID 989.
2 Creating group 'systemd-oom' with GID 988.
3 /etc/gshadow: Group "sgx" already exists.
4 /usr/sbin/weak-modules: line 1086: cd: /lib/modules/5.14.0-284.18.1.el9_2.x86_64/weak-updates: No such file or directory
5 warning: file /lib/modules/5.14.0-284.18.1.el9_2.x86_64/modules.builtin.modinfo: remove failed: No such file or directory
6 warning: file /lib/modules/5.14.0-284.18.1.el9_2.x86_64/modules.builtin: remove failed: No such file or directory
7 grub2-editenv: error: invalid environment block.
8 grub2-editenv: error: invalid environment block.
9 grub2-editenv: error: invalid environment block.
10 grub2-editenv: error: invalid environment block.
11 grub2-editenv: error: invalid environment block.
12 grub2-editenv: error: invalid environment block.
13 grub2-editenv: error: invalid environment block.
14 grub2-editenv: error: invalid environment block.
15 grub2-editenv: error: invalid environment block.
16 grub2-editenv: error: invalid environment block.
17 grub2-editenv: error: invalid environment block.
I'm not able to figure out whether changing the file permissions of grubenv is actually causing the issue.
Also, to rectify this, I had to move this file and then regenerate the grub file once again. The existing grubenv file was moved to the /tmp location, and then I regenerated the grub file, which generated the grubenv file, and it is normal. Do you think changing the permissions is actually causing an issue?
Also, after regenerating the grub file, I changed the permissions of the grubenv file back to 600 again.
I see no issues now, but I had no chance to even upgrade the server with the latest patches, since the server is already upgraded to the latest kernel. Please, someone help on this one: how far will changing permissions cause issues like the above? Also, the server is able to boot without any issues when it comes to changing the permissions, but ignoring errors is also not recommended.