
Bug#788634: debian-installer: Accepting a preseed URL from DHCP allows attacker to hijack installation



On 18 June 2015 at 14:11, Christian PERRIER <bubulle@debian.org> wrote:
> (no need to CC me or debian-boot to answers as bug report answers
> already go to debian-boot)

Ah, sorry. Thanks for letting me know.

> Quoting Aliz 'Randomdude' (randomdude@gmail.com):
>
>> +Template: preseed/accept_preseed_from_DHCP
>> +Type: boolean
>> +Default: false
>> +Description: Should we accept a preseed URL from a DHCP server?
>> + Your DHCP server has provided extra commands or customisations to
>> + debian-installer. It is possible that these commands were sent by
>> + your network administrator; however, it is impossible to verify
>> + this, or to ensure they have not been altered by an attacker who
>> + already has access to your local network.
>
>
> This patch shouldn't be committed as is to the git repository. It
> needs rewording in the debconf template, to avoid a few style
> inconsistencies with the writing style of other D-I templates:
>
> - drop the use of first person ("we")
> - drop the use of "your"
>
> The template is also not marked for translation ("_Description"
> instead of "Description") even though it's clearly worded to be
> interactive...
>
>

Okay - my apologies for not reading the relevant "best packaging
practices" document first. Here's a revised patch:

diff -ur old/DEBIAN/postinst new/DEBIAN/postinst
--- old/DEBIAN/postinst 2014-09-24 06:16:34.000000000 +0100
+++ new/DEBIAN/postinst 2015-06-15 01:31:43.884000000 +0100
@@ -11,7 +11,13 @@

 dhcp_url=$(dhcp_preseed_url)
 if [ -n "$dhcp_url" ]; then
- preseed_location "$dhcp_url"
+ db_input critical preseed/accept_preseed_from_DHCP || true
+ db_go
+ db_get preseed/accept_preseed_from_DHCP
+ use_dhcp_url=$RET
+ if [ "$use_dhcp_url" == "true" ]; then
+ preseed_location "$dhcp_url"
+ fi
 fi
 preseed preseed/url
 preseed_command preseed/early_command
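Review bot: The added test `[ "$use_dhcp_url" == "true" ]` uses `==`, which is not a POSIX `test` operator; write `[ "$use_dhcp_url" = "true" ]` so the check does not depend on shell extensions. In the same block, `db_input` is followed by `|| true` but `db_go` is not, so a non-zero return from `db_go` (for example when the user backs up) is unhandled; handle it explicitly, and make sure that path skips `preseed_location "$dhcp_url"` rather than falling through with a stale `$RET`. The intermediate `use_dhcp_url` variable can be dropped by testing `$RET` directly after `db_get`.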
diff -ur old/DEBIAN/templates new/DEBIAN/templates
--- old/DEBIAN/templates 2014-09-24 06:16:33.000000000 +0100
+++ new/DEBIAN/templates 2015-06-15 01:24:27.396000000 +0100
@@ -1048,3 +1048,13 @@
 Default: d-i/jessie/./preseed.cfg
 Description: for internal use; can be preseeded
  Path added to local server to give the preseed root
+
+Template: preseed/accept_preseed_from_DHCP
+Type: boolean
+Default: false
+_Description: Accept a preseed URL from the DHCP server?
+ The DHCP server has provided extra commands or customisations to
+ debian-installer via a preseed file. It is possible that these
+ commands were set by the network administrator; however, it is
+ impossible to verify this, or to ensure they have not been altered
+ by an attacker who already has access to your local network. For
+ this reason, you should only accept these customisations if you
+ accept the risk they entail.
 Template: debian-installer/network-preseed/title
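Review bot: The end of the new Description still reads "your local network" and "you should only accept these customisations if you accept the risk they entail", which is the second-person wording the earlier review asked to drop; something like "an attacker who already has access to the local network" and an impersonal closing sentence would match the rest of the text. The hunk header `@@ -1048,3 +1048,13 @@` also no longer matches the body, which now has twelve added lines and a fourth context line, so the diff should be regenerated rather than edited by hand. As shown, the new stanza has a blank line above it but none before the following `Template:` line; add one so the two templates stay separate.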

I've made it slightly more verbose as well. Is this acceptable, or
should I solicit comments on debian-l10n-english@lists.debian.org?

Thanks for your guidance here.

- Aliz Hammond

