
Bug#356939: d-i/base-config can include sensitive info in world-readable log files; needs cleanup by passwd



Package: passwd, base-config
Severity: grave
Tags: security patch d-i

The debian-installer team has determined that various sensitive
information may be leaked into world-readable log files during the
Debian installation process (sarge, etch, sid [1]). This includes:

 - preseeded passwords for root and other users if a preseed file is
   being used for an automated install (via the debconf-seed log file in
   sarge, and the cdebconf database in etch (bug #356845))
 - pppoeconf passwords in the base-config log file (bug #254068)
 - various other information about what software was installed on the
   system, and the configuration of the system

Note that unlike the similar security issues that affected Ubuntu, root
passwords are not leaked into the log files during regular,
non-preseeded installs.

The attached patches to passwd's postinst close these holes for already
installed systems, by chmoding all affected log files to mode 600. There
are two patches, one is against passwd 1:4.0.14-7 from unstable, and one
is against passwd 1:4.0.3-31sarge5 from stable. I've also included a
patch for base-config in stable to do the same thing[2]. In combination with
installation-report 2.13 (unstable), this will fix the issue in all
circumstances.

Note that passwd is not where this bug originated, and is only being
involved in the fix because there is no better place to put the fix.
Unfortunately, in systems installed by the sarge installer, some of the
affected log files are not "owned" by any particular package, so the fix
has to go into an unrelated package that is installed/upgraded on every
system.

-- 
see shy jo

[1] oldstable may also be vulnerable to the #254068 part of this issue,
    but I have not investigated it.
[2] The passwd fix is needed to fix already installed systems on
    upgrade now, while the base-config fix is needed to secure systems
    installed after the passwd package is accepted into the next stable
    point release.
diff -ur old/shadow-4.0.14/debian/changelog shadow-4.0.14/debian/changelog
--- old/shadow-4.0.14/debian/changelog	2006-03-14 15:25:49.000000000 -0500
+++ shadow-4.0.14/debian/changelog	2006-03-14 16:13:19.000000000 -0500
@@ -1,3 +1,11 @@
+shadow (1:4.0.14-8) unstable; urgency=high
+
+  * passwd.postinst: On upgrades from any prior version, chmod 600 various
+    base-config and d-i log files that might contain sensative information,
+    including in some cases, passwords.
+
+ -- Joey Hess <joeyh@debian.org>  Tue, 14 Mar 2006 16:12:11 -0500
+
 shadow (1:4.0.14-7) unstable; urgency=low
 
   * The "Carré d'Aurillac" release (let's stay in Cantal)
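
Review bot: The new changelog entry does not reference the bug it fixes, and its second line spells "sensitive" as "sensative". Adding "Closes: #356939" to the entry lets the upload close the report, and the spelling is worth correcting before it becomes a permanent changelog line.
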
diff -ur old/shadow-4.0.14/debian/passwd.postinst shadow-4.0.14/debian/passwd.postinst
--- old/shadow-4.0.14/debian/passwd.postinst	2006-03-14 15:25:49.000000000 -0500
+++ shadow-4.0.14/debian/passwd.postinst	2006-03-14 16:22:36.000000000 -0500
@@ -4,6 +4,19 @@
 
 case "$1" in
 configure)
+    # Fix permissions on various log files from old versions of the debian
+    # installer, some unrelated to passwd but we decided to put the fix
+    # here since there was no better place. This can safely be removed
+    # after etch is released.
+    if dpkg --compare-versions "$2" lt "1:4.0.14-8"; then
+	    for log in /var/log/base-config* \
+		    $(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do
+		if [ -e "$log" ]; then
+			chmod 600 "$log"
+		fi
+            done
+    fi
+
     rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null
 	if ! getent group shadow | grep -q '^shadow:[^:]*:42'
 	then
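
Review bot: In the for loop, the unquoted $(find ...) substitution is split on whitespace, so a log file whose name contains a space or newline is broken into fragments that fail the [ -e "$log" ] test and are silently left at their old mode. Letting find apply the mode itself, for example find /var/log/debian-installer/ /var/log/installer/ -type f -exec chmod 600 {} + with stderr discarded, removes both the splitting and the separate existence test. The /var/log/base-config* glob, unlike the find arm, is not restricted to regular files, so a directory or symlink matching it would be chmodded as well (chmod follows symlinks). The done line is indented with spaces while the rest of the block uses tabs.
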
diff -ur old/shadow-4.0.3/debian/changelog shadow-4.0.3/debian/changelog
--- old/shadow-4.0.3/debian/changelog	2006-03-14 16:23:51.000000000 -0500
+++ shadow-4.0.3/debian/changelog	2006-03-14 16:16:25.000000000 -0500
@@ -1,3 +1,11 @@
+shadow (1:4.0.3-31sarge6) stable-security; urgency=high
+
+  * passwd.postinst: On upgrades from any prior version, chmod 600 various
+    base-config and d-i log files that might contain sensative information,
+    including in some cases, passwords.
+
+ -- Joey Hess <joeyh@debian.org>  Tue, 14 Mar 2006 16:14:26 -0500
+
 shadow (1:4.0.3-31sarge5) testing-proposed-updates; urgency=high
 
   * Re-apply the debian/patches/036_CAN-2004-1001_passwd_check patch
diff -ur old/shadow-4.0.3/debian/passwd.postinst shadow-4.0.3/debian/passwd.postinst
--- old/shadow-4.0.3/debian/passwd.postinst	2006-03-14 16:23:51.000000000 -0500
+++ shadow-4.0.3/debian/passwd.postinst	2006-03-14 16:17:28.000000000 -0500
@@ -10,6 +10,19 @@
 
 if test "$1" = configure
 then
+    # Fix permissions on various log files from old versions of the debian
+    # installer, some unrelated to passwd but we decided to put the fix
+    # here since there was no better place. This can safely be removed
+    # after etch is released.
+    if dpkg --compare-versions "$2" lt "1:4.0.3-31sarge6"; then
+	    for log in /var/log/base-config* \
+		    $(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do
+		if [ -e "$log" ]; then
+			chmod 600 "$log"
+		fi
+            done
+    fi
+    
     rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null
 	if ! getent group shadow | grep -q '^shadow:[^:]*:42'
 	then
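
Review bot: The comment above the version guard does not say that the guard makes this a one-time pass, run only when passwd is configured coming from something lower than 1:4.0.3-31sarge6 (an empty "$2" also compares as lower with lt), so log files that appear in these directories after that point are never touched. The covering mail says the base-config change exists for exactly that case; record the dependency in the comment so the two fixes are not separated later, and revisit the "can safely be removed after etch is released" wording for a stable upload. The added line just before rm -f contains only trailing whitespace and should be an empty line.
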
diff -ur old/base-config-2.53.10/base-config base-config-2.53.10.1/base-config
--- old/base-config-2.53.10/base-config	2005-05-13 17:00:26.000000000 -0400
+++ base-config-2.53.10.1/base-config	2006-03-14 16:02:24.000000000 -0500
@@ -28,6 +28,14 @@
 SHELL=/bin/sh
 export SHELL
 
+# Fix permissions of log files to avoid data leakage.
+for log in /var/log/base-config* \
+	   $(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do
+	if [ -e "$log" ]; then
+		chmod 600 "$log"
+	fi
+done
+
 gettext "Configuring the base system..."
 echo
 
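
Review bot: The loop is placed ahead of the "Configuring the base system..." message, so it only tightens files that already exist when base-config starts; nothing in this hunk restricts the mode of log files created later in the same run. If base-config opens its own log after this point, set umask 077 before the log is created or repeat the chmod on exit, and say in the comment which of the two is relied on.
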
diff -ur old/base-config-2.53.10/debian/changelog base-config-2.53.10.1/debian/changelog
--- old/base-config-2.53.10/debian/changelog	2005-05-15 14:56:15.000000000 -0400
+++ base-config-2.53.10.1/debian/changelog	2006-03-14 16:26:02.000000000 -0500
@@ -1,3 +1,11 @@
+base-config (2.53.10.1) stable-security; urgency=high
+
+  * Add permission fixing code to base-config to deal with data leakage in
+    d-i and base-config log files. chmod all possibly affected log files 600.
+  * Disable Mirrors.masterlist downloading for stable build.
+
+ -- Joey Hess <joeyh@debian.org>  Tue, 14 Mar 2006 16:02:28 -0500
+
 base-config (2.53.10) testing; urgency=low
 
   * Christian Perrier
diff -ur old/base-config-2.53.10/debian/rules base-config-2.53.10.1/debian/rules
--- old/base-config-2.53.10/debian/rules	2005-05-13 17:00:22.000000000 -0400
+++ base-config-2.53.10.1/debian/rules	2006-03-14 16:26:25.000000000 -0500
@@ -2,6 +2,7 @@
 
 CVSGET=cvs -d":pserver:anonymous@cvs.debian.org:/cvs/webwml" \
 	co -p webwml/english/mirror/Mirrors.masterlist
+ONLINE=n
 
 build:
 	# Freshen Mirrors.masterlist file, but allow failure.
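
Review bot: ONLINE=n is added without a comment, and the visible context does not show where the build target reads it, so nothing in this hunk tells a reader that it is what stops the CVSGET fetch of Mirrors.masterlist. Add a one-line comment above it stating that network access is disabled for the stable build, and consider whether this unrelated change belongs in the same upload as the permission fix.
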

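An audit-and-fix helper for the log locations named in the report above, added here as an example and not part of the original message or its patches. It lists installer log files still readable by group or other and tightens them with `find -exec`, so file names containing whitespace are handled; the function names and the root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from passwd or base-config.
# The root prefix argument is hypothetical: it lets the check run against a
# test tree or a mounted image. An empty prefix means the live system.

# Run find over the locations named in the report, selecting regular files
# readable by group or other. Remaining arguments become the find action.
_installer_log_find() {
    root=$1; shift
    find "$root/var/log" -maxdepth 1 -type f -name 'base-config*' \
        \( -perm -040 -o -perm -004 \) "$@" 2>/dev/null || true
    for dir in "$root/var/log/debian-installer" "$root/var/log/installer"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -perm -040 -o -perm -004 \) "$@" 2>/dev/null || true
    done
}

# Print the path of every exposed log file, one per line.
list_exposed_installer_logs() {
    _installer_log_find "${1:-}" -print
}

# Count exposed files (assumes no newlines in names, for counting only).
count_exposed_installer_logs() {
    list_exposed_installer_logs "${1:-}" | wc -l | tr -d ' '
}

# Set every exposed file to mode 600. find hands the names to chmod directly,
# so a space in a file name cannot split it into several arguments, and
# -type f means symlinks are never passed to chmod.
fix_exposed_installer_logs() {
    _installer_log_find "${1:-}" -exec chmod 600 {} +
}
```

Run `list_exposed_installer_logs` with no argument on an installed system to see what is still readable before and after the package upgrade.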