
Bug#340981: debian-installer and world writable directories



Joey Hess wrote:
> Mikko Rapeli wrote:
> > Part b) could be fixed by using a stricter umask or plain cp instead of
> > 'cp -a' in Sarge's 93save-install-log and Etch beta 1's 93save-debconf
> > ( URL:
> > http://svn.debian.org/wsvn/d-i/trunk/packages/prebaseconfig/prebaseconfig.d/93save-debconf?op=file&rev=28098&sc=0).

> It was fixed in prebaseconfig 1.10, the current code just does:
>
> cp /var/lib/cdebconf/questions.dat /var/lib/cdebconf/templates.dat \
>         $logsavedir/cdebconf
>
> So etch beta 1 is not affected.

Oh, true. (When I wrote that I thought mkdir with a bad umask was involved in creating the directory. Silly me.)

> > The fact that a subdirectory within /var/log is world writable is a low risk security issue, since system logs may be DoS'ed by any user filling up the partition.

> Surely any user could do the same with the logger command or a small
> C program? There may be other theoretical exploit vectors beyond a DOS
> though. debconf-get-selections --installer uses these files, for
> example.

So obvious when you point it out, thanks.

> If the security team wants to follow up on this for stable, it would be
> easy to backport the fix. Releasing an advisory would require actually
> putting the fixed package into stable (not security.d.o; d-i will not
> find it there), as well as rebuilding all the CD images. Any advisory
> about this should also include instructions for users who have already
> installed (rm -rf /var/log/debian-installer would do, or a command to
> fix up the permissions); the directory in the installed system is not
> managed by a package in sarge, although we've fixed that since.

So all files after install belong to some package post Sarge? I was just wondering about this myself.

Anyway, cramfs seems to be unaffected by this:

~/src/debian-installer/sarge/installer/build/tmp/netboot_2.6/tree$ /usr/sbin/mkcramfs -z . /tmp/initrd
Directory data: 16416 bytes
Everything: 3648 kilobytes
Super block: 76 bytes
CRC: f994d8fc
warning: gids truncated to 8 bits (this may be a security concern)
~/src/debian-installer/sarge/installer/build/tmp/netboot_2.6/tree$ sudo mount -o loop -t cramfs /tmp/initrd /mnt/foo
~/src/debian-installer/sarge/installer/build/tmp/netboot_2.6/tree$ ls -ld /mnt/foo/var/lib/cdebconf
drwxr-xr-x  1 mikko 232 0 1970-01-01 02:00 /mnt/foo/var/lib/cdebconf

The default INITRD_FS is ext2, so unless I missed something all arches except these use ext2:

debian-installer/sarge/installer/build/config$ grep -rn INITRD_FS * | grep cramfs
ia64/cdrom/.svn/text-base/2.6.cfg.svn-base:5:INITRD_FS = cramfs
ia64/cdrom/2.6.cfg:5:INITRD_FS = cramfs
ia64/netboot/.svn/text-base/2.6.cfg.svn-base:4:INITRD_FS = cramfs
ia64/netboot/2.6.cfg:4:INITRD_FS = cramfs
mips.cfg:9:INITRD_FS = cramfs
powerpc.cfg:4:INITRD_FS = cramfs
sparc/cdrom/.svn/text-base/2.6.cfg.svn-base:6:INITRD_FS = cramfs
sparc/cdrom/2.6.cfg:6:INITRD_FS = cramfs

And if this does not warrant an advisory, perhaps it should be mentioned in the Sarge installer errata (http://www.debian.org/releases/stable/debian-installer/):

"Installer may leave /var/log/debian-installer/cdebconf directory writable to all users. On debian-installer architectures which use an ext2 formatted initial ramdisk created with genext2fs (alpha, amd64, arm, hppa, i386, mipsel, m68k and s390 and depending on install medium and/or method also ia64 and sparc, mips and powerpc are unaffected) this directory remains writable (drwxrwxrwx) by all users. This can be fixed by changing the directory permissions as root after installation:

# chmod go-w /var/log/debian-installer/cdebconf"

Or something similar. Feel free to use/modify/discard that text :)

-Mikko
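As an added example (not from the bug report, prebaseconfig or debian-installer), the script below does two things a sysadmin checking an affected Sarge install would want: it lists any world-writable directories under a given tree and applies the errata's `chmod go-w` remedy only to those, and it shows why the original `cp -a` carried the initrd's drwxrwxrwx mode across while a directory created under the usual 022 umask does not. The function names, the temporary directory layout and the 0777 directory standing in for the genext2fs-created one are all constructed for the example.

```shell
#!/bin/sh
# Added example: audit and repair of world-writable directories, plus a
# demonstration of 'cp -a' preserving a 0777 mode. Not code from the bug
# report or from prebaseconfig; function names are the author's own.

# world_writable_dirs DIR: print every directory under DIR that any user can
# write to (mode bit o+w set). Exit status 0 if none were found, 1 otherwise.
world_writable_dirs() {
    hits=$(find "$1" -type d -perm -0002 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# fix_world_writable DIR: apply the errata's remedy ('chmod go-w') to each
# world-writable directory under DIR, leaving correctly-permissioned ones alone.
fix_world_writable() {
    find "$1" -type d -perm -0002 -exec chmod go-w {} \;
}

# mode_of PATH: the ten-character mode string as printed by 'ls -ld',
# e.g. "drwxrwxrwx" (portable across GNU and BSD userlands).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# demo_copy_modes: reproduce the mechanism behind the bug in a scratch
# directory. A constructed directory is given mode 0777, as genext2fs left
# /var/lib/cdebconf in the initrd. 'cp -a' preserves that mode regardless
# of the umask, whereas a fresh mkdir under umask 022 yields 0755.
# Prints "<mode via cp -a> <mode via mkdir>".
demo_copy_modes() {
    work=$(mktemp -d)
    mkdir "$work/initrd-cdebconf"
    chmod 0777 "$work/initrd-cdebconf"          # constructed stand-in for the initrd dir
    (umask 022 && cp -a "$work/initrd-cdebconf" "$work/via-cp-a")
    (umask 022 && mkdir "$work/via-mkdir")
    printf '%s %s\n' "$(mode_of "$work/via-cp-a")" "$(mode_of "$work/via-mkdir")"
    rm -rf "$work"
}

# Command-line use: "sh audit.sh DIR" lists offenders, "sh audit.sh --fix DIR"
# repairs them. With no arguments the file only defines the functions.
case "${1:-}" in
    --fix) fix_world_writable "$2" ;;
    "")    : ;;
    *)     world_writable_dirs "$1" ;;
esac
```

Run as root, `sh audit.sh /var/log/debian-installer` reports the cdebconf directory on an affected system, and `sh audit.sh --fix /var/log/debian-installer` is equivalent to the one-line chmod from the errata text but also catches any other world-writable directory the copy may have produced. The `-perm -0002` test checks only the "other" write bit, so group-writable log directories that are intended (adm-owned, for instance) are not touched.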
