2009-09-06  Felix Zielcke  <address@hidden>

	* util/grub-mkconfig.in: Make the temporary created config mode
	400 and print a warning if it fails.  Change mode to 444 if it
	does not contain a plaintext password.

Index: util/grub-mkconfig.in
===================================================================
--- util/grub-mkconfig.in	(revision 2574)
+++ util/grub-mkconfig.in	(working copy)
@@ -232,7 +232,8 @@ if test "x${grub_cfg}" != "x"; then
 
   # Allow this to fail, since /boot/grub/ might need to be fatfs to support some
   # firmware implementations (e.g. OFW or EFI).
-  chmod 444 ${grub_cfg}.new || true
+  chmod 400 ${grub_cfg}.new || grub_warn "Could not make ${grub_cfg}.new readable by only root.\
+  This means that if the generated config contains a password it is readable by everyone"
 fi
 echo "Generating grub.cfg ..." >&2
 
@@ -260,6 +261,10 @@ for i in ${grub_mkconfig_dir}/* ; do
   esac
 done
 
+if [ "x${grub_cfg}" != "x" ] && ! grep -q "^password " ${grub_cfg}.new ; then
+  chmod 444 ${grub_cfg}.new || true
+fi
+
 if test "x${grub_cfg}" != "x" ; then
   # none of the children aborted with error, install the new grub.cfg
   mv -f ${grub_cfg}.new ${grub_cfg}