The permissions on /boot/grub/grub.cfg are changed to 444 when grub.cfg is updated by the update-grub command Rationale: Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.