From edd781f55c02c30c583c46a3aea13c0a180a3d9a Mon Sep 17 00:00:00 2001
From: Donald Buczek <buczek@molgen.mpg.de>
Date: Fri, 14 Sep 2018 10:23:44 +0200
Subject: [PATCH] mxgrub: set umask to 022

I see to many

    buczek@sigusr2:~$ mxgrub
    /boot/grub/grub.cfg: Permission denied

or

    buczek@aros:~$ mxgrub --list
    cat: /boot/grub/i386-pc/acpi.mod: Permission denied
    cat: /boot/grub/i386-pc/adler32.mod: Permission denied
    cat: /boot/grub/i386-pc/affs.mod: Permission denied
    cat: /boot/grub/i386-pc/afs.mod: Permission denied
    [...]
    cat: /boot/grub/i386-pc/bufio.mod: Permission denied

    Note: GRUB version installed in /usr differs from GRUB version
    used to boot.

    Consider updating the boot-loader with:

    grub-install --boot-directory=/boot /dev/sda

lately. Set umask to get this into a more defined state. I don't see a
problem to make the files world readable. grub.cfg contains a hash for
the password needed to change the boot command line, but

1. so does this script
2. I don't think, the password can be recovered from the hash
3. if you have physical access to the system, you can boot what you want
anyway.
---
 mxgrub/mxgrub | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mxgrub/mxgrub b/mxgrub/mxgrub
index c41660a..010de68 100755
--- a/mxgrub/mxgrub
+++ b/mxgrub/mxgrub
@@ -352,6 +352,7 @@ sub cmd_initramfs {
 	sys('bash','-c','cd /project/admin/initramfs;find .|cpio -H newc -o | gzip > /boot/grub/initramfs.igz');
 }
 
+umask 022;
 check_grub_installation();
 check_grub_menu_and_boot_dir();