Information
The permissions on /boot/grub/grub.cfg are changed to 444 when grub.cfg is updated by the update-grub command
Rationale:
Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.
Solution
Run the following command to update chmod 444 to chmod 400 in /usr/sbin/grub-mkconfig:
# sed -ri 's/chmod\s+[0-7][0-7][0-7]\s+\$\{grub_cfg\}\.new/chmod 400 ${grub_cfg}.new/' /usr/sbin/grub-mkconfig
Run the following command to remove check on password not being set to before running chmod command:
# sed -ri 's/ && ! grep "\^password" \$\{grub_cfg\}.new >\/dev\/null//' /usr/sbin/grub-mkconfig
Default Value:
if [ 'x${grub_cfg}' != 'x' ] && ! grep '^password' ${grub_cfg}.new >/dev/null; then
chmod 444 ${grub_cfg}.new || true
fi