Bug#381677: marked as done (initramfs-tools: Temporary files and initramfs world-readable)
Your message dated Wed, 27 Sep 2006 09:17:09 -0700
with message-id <E1GSc5t-0000F3-5u@spohr.debian.org>
and subject line Bug#381677: fixed in initramfs-tools 0.81
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: initramfs-tools: Temporary files and initramfs world-readable
- From: Lionel Elie Mamane <lionel@mamane.lu>
- Date: Sun, 6 Aug 2006 15:06:59 +0200
- Message-id: <20060806130659.GA6798@bagnat.mamane.lu>
Package: initramfs-tools
Version: 0.73b
Tags: patch
The generated initramfs is world-readable (as well as the temporary
files); this leaks cryptographic keys (in password-protected form) to
all users on the system when the root fs is encrypted (because these
keys then get copied to the initramfs, at least in the loop-aes
case). See bug #378488 for a discussion of this in the context of
loop-aes.
This patch fixes that. As making these files running user only
readable does not, as far as I can see, hurt even when not strictly
necessary, the patch just does it unconditionally.
Please apply (or comment). Thanks.
--
Lionel
diff -uN --recursive initramfs-tools-0.73b/mkinitramfs initramfs-tools-0.73b.lionel/mkinitramfs
--- initramfs-tools-0.73b/mkinitramfs 2006-07-29 13:05:20.000000000 +0200
+++ initramfs-tools-0.73b.lionel/mkinitramfs 2006-08-06 14:44:51.000000000 +0200
@@ -1,6 +1,6 @@
#!/bin/sh
-umask 0022
+umask 0077
# Defaults
keep="n"
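Review bot: the new `umask 0077` line at the top of mkinitramfs has no comment saying why the mask is this strict; a one-line comment that the image and its temporary files may hold key material would keep a later cleanup from reverting it to 0022. A umask also only applies to files created after it is set, so images written by earlier runs stay world-readable until they are regenerated or chmod'ed, and the patch description should say so. Since the mask is set once before anything else runs, it covers every file and directory the script creates, which is worth confirming against anything other users are expected to read.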
--- End Message ---
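The effect of the one-line umask change in the report above, and a check for images built before it, as an added example that is not part of the original report or of initramfs-tools. The `initrd.img-*` name pattern and the function names are assumptions; all files are constructed stand-ins in a temporary directory.

```shell
#!/bin/sh
# Added example (constructed; not code from initramfs-tools).

# Print the permission string of a file created under umask $1.
# The file stands in for the image and temporary files mkinitramfs writes.
perms_under_umask() {
    (
        umask "$1"
        dir=$(mktemp -d) || exit 1
        : > "$dir/initrd.img-demo"
        ls -ld "$dir/initrd.img-demo" | cut -c1-10
        rm -rf "$dir"
    )
}

# List images under directory $1 that group or others can read.
# Assumption: images are named initrd.img-*.
readable_images() {
    find "$1" -type f -name 'initrd.img-*' \
        \( -perm -040 -o -perm -004 \) | sort
}

# Restrict those images to their owner. A umask only applies to files
# created after it is set, so images built earlier need this (or a rebuild).
tighten_images() {
    find "$1" -type f -name 'initrd.img-*' \
        \( -perm -040 -o -perm -004 \) -exec chmod 0600 {} +
}

# Demo on constructed files in a private temporary directory.
demo=$(mktemp -d) || exit 1
( umask 0022; : > "$demo/initrd.img-old" )   # as written before the patch
( umask 0077; : > "$demo/initrd.img-new" )   # as written after the patch
echo "umask 0022 -> $(perms_under_umask 0022)"
echo "umask 0077 -> $(perms_under_umask 0077)"
echo "readable by others: $(readable_images "$demo")"
tighten_images "$demo"
echo "after chmod: $(readable_images "$demo" | wc -l) readable image(s)"
rm -rf "$demo"
```
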
--- Begin Message ---
Source: initramfs-tools
Source-Version: 0.81
We believe that the bug you reported is fixed in the latest version of
initramfs-tools, which is due to be installed in the Debian FTP archive:
initramfs-tools_0.81.dsc
to pool/main/i/initramfs-tools/initramfs-tools_0.81.dsc
initramfs-tools_0.81.tar.gz
to pool/main/i/initramfs-tools/initramfs-tools_0.81.tar.gz
initramfs-tools_0.81_all.deb
to pool/main/i/initramfs-tools/initramfs-tools_0.81_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 381677@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
maximilian attems <maks@sternwelten.at> (supplier of updated initramfs-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 27 Sep 2006 15:56:46 +0200
Source: initramfs-tools
Binary: initramfs-tools
Architecture: source all
Version: 0.81
Distribution: unstable
Urgency: low
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: maximilian attems <maks@sternwelten.at>
Description:
initramfs-tools - tools for generating an initramfs
Closes: 381677 387808 388241 389486 389726
Changes:
initramfs-tools (0.81) unstable; urgency=low
.
Release quick and happy spin j = l + s
.
* update-initramfs: Really check for mounted /proc on use. (closes: 388241)
Thanks Alex Owen <r.alex.owen@gmail.com>. While being in this business,
check for mounted proc in initramfs-tools.preinst too.
.
* hook-functions: Add new scsi drivers aic94xx and stex. Add new net drivers
ehea, ep93xx_eth and qla3xxx. Thus urgency high.
.
* update-initramfs: Use set ``--'' to change positional parameters. Thanks
Jörg Sommer <joerg@alea.gnuu.de>. (closes: 389726)
.
* scripts/nfs: Revert to previous handling of dhcp server passing server-ip.
(closes: 387808)
.
* debian/initramfs-tools.preinst: Fix comment typo, thanks
shaulka@012.net.il for the patch. (closes: 389486)
.
* mkinitramfs: Allow a hook script to set a paranoid umask, considered
useful for shipping gpg keys inside of initramfs. Thanks Max Vozeler
<max@nusquama.org> and Lionel Elie Mamane <lionel@mamane.lu> for the
patch. (closes: 381677)
Files:
fab02ab520f22ee573a9f0339e1a0586 623 utils optional initramfs-tools_0.81.dsc
e0feba54cbe98240928c60b990188ac5 50679 utils optional initramfs-tools_0.81.tar.gz
e6cd8799e52553040b17de81775f01be 56602 utils optional initramfs-tools_0.81_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFGqBU6n7So0GVSSARAmjiAJ9cSbquTcGJwe3JOLtNFeF15NCNvwCglUQn
yPmykfQnyJdDPDvgrPOxyB0=
=GLJY
-----END PGP SIGNATURE-----
--- End Message ---