
Bug#283377: marked as done (Should not copy installer account to /target if network-console-config not installed)



Your message dated Wed, 1 Dec 2004 14:34:07 -0500
with message-id <20041201193407.GA2467@kitenet.net>
and subject line FWD: Fixed in NMU of network-console 0.0.9
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 28 Nov 2004 16:52:11 +0000
From evilpig@gmail.com Sun Nov 28 08:52:11 2004
Return-path: <evilpig@gmail.com>
Received: from rproxy.gmail.com [64.233.170.206] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CYSHS-0000N3-00; Sun, 28 Nov 2004 08:52:10 -0800
Received: by rproxy.gmail.com with SMTP id q1so306508rnf
        for <submit@bugs.debian.org>; Sun, 28 Nov 2004 08:52:10 -0800 (PST)
Received: by 10.38.171.16 with SMTP id t16mr1030385rne;
        Sun, 28 Nov 2004 08:52:09 -0800 (PST)
Received: by 10.38.89.53 with HTTP; Sun, 28 Nov 2004 08:52:09 -0800 (PST)
Message-ID: <133ac4eb041128085224083035@mail.gmail.com>
Date: Sun, 28 Nov 2004 10:52:09 -0600
From: Colleen Hatfield <evilpig@gmail.com>
Reply-To: Colleen Hatfield <evilpig@gmail.com>
To: submit@bugs.debian.org
Subject: RC2 install report on Dell SC420, security issue with network-console udeb "installer" user not being removed
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: installation-reports

INSTALL REPORT

Debian-installer-version: 
RC2 netinstall image for i386, downloaded from
http://cdimage.debian.org/pub/cdimage-testing/sarge_d-i/i386/rc2/sarge-i386-netinst.iso
on 20041126

uname -a:
Linux chloe 2.6.8-1-386 #1 Thu Nov 25 04:24:08 UTC 2004 i686 GNU/Linux

Date: 
20041126, ~23:00 UTC

Method:
Burnt the netinstall image to CD, using the "expert26" boot parameter.
Apt sources were unstable over HTTP from mirrors.kernel.org and
ftp.debian.org (no proxy).

Machine: Dell PowerEdge SC420
Processor: 2.8GHz Pentium 4
Memory: 256MB DDR2-400 SDRAM
Root Device: 160GB SATA drive (/dev/sda2)
Root Size/partition table:
sda1                  Primary   Dell Utility                        57.58
sda2      Boot        Primary   Linux ext3       [/]             39983.09
sda3                  Primary   Linux ext3                       39999.54
sda5                  Logical   Linux swap / Solaris              1003.49
Debian was installed to /dev/sda2; /dev/sda3 is currently formatted
but unmounted and unused.

Output of lspci and lspci -n:
Note: I took the Aureal Vortex sound card out of another machine; it
didn't come with the SC420 (but it does work nicely in Debian).
lspci:
------
0000:00:00.0 Host bridge: Intel Corp. Server Memory Controller Hub (rev 04)
0000:00:01.0 PCI bridge: Intel Corp. Server Memory Controller Hub PCI Express Port (rev 04)
0000:00:02.0 VGA compatible controller: Intel Corp. Graphics Controller (rev 04)
0000:00:1c.0 PCI bridge: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 1 (rev 03)
0000:00:1c.1 PCI bridge: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 2 (rev 03)
0000:00:1d.0 USB Controller: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #1 (rev 03)
0000:00:1d.1 USB Controller: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #2 (rev 03)
0000:00:1d.2 USB Controller: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #3 (rev 03)
0000:00:1d.3 USB Controller: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #4 (rev 03)
0000:00:1d.7 USB Controller: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB2 EHCI Controller (rev 03)
0000:00:1e.0 PCI bridge: Intel Corp. 82801 PCI Bridge (rev d3)
0000:00:1f.0 ISA bridge: Intel Corp. 82801FB/FR (ICH6/ICH6R) LPC Interface Bridge (rev 03)
0000:00:1f.1 IDE interface: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) IDE Controller (rev 03)
0000:00:1f.2 IDE interface: Intel Corp. 82801FR/FRW (ICH6R/ICH6RW) SATA Controller (rev 03)
0000:00:1f.3 SMBus: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) SMBus Controller (rev 03)
0000:02:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5751 Gigabit Ethernet PCI Express (rev 01)
0000:04:02.0 Multimedia audio controller: Aureal Semiconductor Vortex 2 (rev fe)
lspci -n:
---------
0000:00:00.0 0600: 8086:2588 (rev 04)
0000:00:01.0 0604: 8086:2589 (rev 04)
0000:00:02.0 0300: 8086:258a (rev 04)
0000:00:1c.0 0604: 8086:2660 (rev 03)
0000:00:1c.1 0604: 8086:2662 (rev 03)
0000:00:1d.0 0c03: 8086:2658 (rev 03)
0000:00:1d.1 0c03: 8086:2659 (rev 03)
0000:00:1d.2 0c03: 8086:265a (rev 03)
0000:00:1d.3 0c03: 8086:265b (rev 03)
0000:00:1d.7 0c03: 8086:265c (rev 03)
0000:00:1e.0 0604: 8086:244e (rev d3)
0000:00:1f.0 0601: 8086:2640 (rev 03)
0000:00:1f.1 0101: 8086:266f (rev 03)
0000:00:1f.2 0101: 8086:2652 (rev 03)
0000:00:1f.3 0c05: 8086:266a (rev 03)
0000:02:00.0 0200: 14e4:1677 (rev 01)
0000:04:02.0 0401: 12eb:0002 (rev fe)

Base System Installation Checklist:
[O] = OK, [E] = Error (please elaborate below), [ ] = didn't try it

Initial boot worked:    [O]
Configure network HW:   [O]
Config network:         [O]
Detect CD:              [O]
Load installer modules: [O]
Detect hard drives:     [O]
Partition hard drives:  [O]
Create file systems:    [O]
Mount partitions:       [O]
Install base system:    [O]
Install boot loader:    [O]
Reboot:                 [E]

Comments/Problems:

Error with reboot was http://bugs.debian.org/277298.  This problem is
fixed in the latest 2.6.8 kernel package in the unstable tree
(kernel-image-2.6.8-1-386_2.6.8-10_i386.deb).

A more bothersome (security-related) problem is that when the
network-console udeb is loaded and used to remotely access the install
process via SSH, the "installer" user isn't deleted from the system at
the end of the install process.

Here's what I did:
- Booted from the RC2 netinstall CD for i386 with the expert26 boot option
- Loaded the "network-console" udeb so that I would be able to SSH
into the installer
- When I was given the option to "Continue installation remotely using
SSH", I set a password for the installer user and then used it to SSH
in from another machine.

The screen where you set the "installer" user's password says, "This
password is used only by the Debian installer, and will be discarded
once you finish the installation."  However, this is not the case -
this user persists after completion of the install and rebooting, etc.
From /etc/passwd:
installer:x:0:0:installer:/:/usr/sbin/base-config-network-console
From /etc/shadow (password is 'password'):
installer:$1$.a.mY5c.$rUQXKaPfTgLhzLOTpY3sZ.:1:0:99999:7:::

Although this is mitigated by the fact that
/usr/sbin/base-config-network-console doesn't exist after the install,
an attacker that has gained root via privilege escalation or
exploiting a privileged daemon can just create a symlink from
/usr/sbin/base-config-network-console to /bin/bash.  The "installer"
user's password is most likely easier to crack than the root password,
since the administrator has been told that the installer user will not
persist.  Since the default configuration of the Debian ssh package
includes "PermitRootLogin yes", the attacker can crack the weaker
"installer" password, create the symlink, and thus gain remote root
access via SSH.  The administrator probably won't even realize that
this account exists, and this will also slip past file integrity
checkers watching /etc/passwd and /etc/shadow since modifying these
files is unnecessary if the "installer" password can be cracked.

Thanks,
- Colleen
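As an added example (not part of the bug report or of the network-console package), here is a post-install audit in POSIX sh that flags the kind of entry the report quotes from /etc/passwd: a second UID 0 account, and a login shell that does not exist on the system. It runs over a constructed passwd-format sample; the only assumption is that the file passed in uses the standard colon-separated passwd layout.

```shell
# Write a constructed sample passwd file, modelled on the entry quoted in the
# report (not copied from any real system), and print its path.
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/sh
installer:x:0:0:installer:/:/usr/sbin/base-config-network-console
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF
    echo "$f"
}

# audit_passwd FILE: print one line per suspicious entry and return 1 if any
# were found, 0 otherwise. Two checks are applied to every entry:
#   UID0:<name>             an account other than root whose UID is 0
#   NOSHELL:<name>:<shell>  a login shell path that does not exist or is not
#                           executable (a dangling path, as in the report)
audit_passwd() {
    found=0
    # The redirect (not a pipe) keeps the loop in the current shell, so
    # "found" survives past "done".
    while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        case "$name" in ''|'#'*) continue ;; esac
        if [ "$uid" = "0" ] && [ "$name" != "root" ]; then
            echo "UID0:$name"
            found=1
        fi
        # An empty shell field means the system default shell; skip it.
        if [ -n "$shell" ] && [ ! -x "$shell" ]; then
            echo "NOSHELL:$name:$shell"
            found=1
        fi
    done < "$1"
    return "$found"
}

# Usage: run the audit over the constructed sample (use /etc/passwd on a
# real system). Both checks fire for the leftover "installer" account.
sample=$(make_sample_passwd)
audit_passwd "$sample" || echo "audit flagged entries (exit $?)"
rm -f "$sample"
```

On a system installed as described in the report, the "installer" entry is flagged by both checks; removing the account (for example with userdel) closes the hole the reporter describes.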

---------------------------------------
Received: (at 283377-done) by bugs.debian.org; 1 Dec 2004 19:32:35 +0000
From joey@kitenet.net Wed Dec 01 11:32:34 2004
Return-path: <joey@kitenet.net>
Received: from kitenet.net [64.62.161.42] (postfix)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CZaDK-0007dP-00; Wed, 01 Dec 2004 11:32:34 -0800
Received: from dragon.kitenet.net (unknown [66.168.94.144])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
	by kitenet.net (Postfix) with ESMTP id 513AE17FC1
	for <283377-done@bugs.debian.org>; Wed,  1 Dec 2004 19:32:34 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
	id 2F7236E26E; Wed,  1 Dec 2004 14:34:07 -0500 (EST)
Date: Wed, 1 Dec 2004 14:34:07 -0500
From: Joey Hess <joeyh@debian.org>
To: 283377-done@bugs.debian.org
Subject: FWD: Fixed in NMU of network-console 0.0.9
Message-ID: <20041201193407.GA2467@kitenet.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="tThc/1wpZn/ma/RB"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: 283377-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_00,VALID_BTS_CONTROL 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 



---- Forwarded message from Joey Hess <joeyh@debian.org> -----

From: Joey Hess <joeyh@debian.org>
Date: Wed, 01 Dec 2004 14:17:06 -0500
To: control@bugs.debian.org
Cc: Joey Hess <joeyh@debian.org>,
	Debian Install System Team <debian-boot@lists.debian.org>
Subject: Fixed in NMU of network-console 0.0.9

tag 283377 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload.  The .changes file follows.

Format: 1.7
Date: Wed,  1 Dec 2004 14:09:07 -0500
Source: network-console
Binary: network-console-config network-console
Architecture: source i386 all
Version: 0.0.9
Distribution: unstable
Urgency: low
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Joey Hess <joeyh@debian.org>
Description:
 network-console - Provides a console via ssh (udeb)
 network-console-config - Debian base system configurator - network console
Closes: 283377
Changes:
 network-console (0.0.9) unstable; urgency=low
 .
   * Frans Pop
     - Only copy SSH keys and installer account if network-console-config
       is installed successfully. Closes: #283377.
     - Queue installation of network-console-config in postinst as for
       CD-based installations the CD will already be unmounted when the
       prebaseconfig script is run (thanks to Colin Watson for spotting this).
Files:
 f70a92abca1d99736f11ad806e6e9c7a 627 debian-installer optional network-console_0.0.9.dsc
 4a37804280b7e14f6573b63be26e7247 46697 debian-installer optional network-console_0.0.9.tar.gz
 65a7e571c7f474d8e1eefe22de2d47e9 4196 admin optional network-console-config_0.0.9_all.deb
 58c5e9f9a757d02b2d0a23855ec5f2b4 37414 debian-installer optional network-console_0.0.9_i386.udeb
package-type: udeb



----- End forwarded message -----
-- 
see shy jo
