File GRUB_RESCUE_initrd.patch of Package rear
--- usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh.orig 2022-07-14 09:36:00.915410283 +0200
+++ usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh 2024-01-12 08:18:12.877116064 +0100
@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
fi
;;
esac
+
+# Only root should be allowed to access the initrd
+# because the ReaR recovery system can contain secrets
+# cf. https://github.com/rear/rear/issues/3122
+test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
+
popd >/dev/null