
Bug#592834: grub-pc: File descriptor leaked on lvs invocation



Package: os-prober
Version: 1.77
Followup-For: Bug #592834

Dear Maintainer,

   * What led up to the situation?
This message still appears in stable upgrades.
   
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
sudo apt full-upgrade

   * What was the outcome of this action?
As a sysadmin one should investigate these warnings to ensure you have
taken all precautions to secure your system.  Search the BTS and you
will find this bug report.  It is mentioned that the warnings are
harmless without an in-depth documentation or rationale of why they are
harmless.  Only the prominence of the author offers comfort.  Continued
investigation of the referenced package (vgs > lvm2) offers bug #466138
and bug #639773 as further indication that these messages are kept to
be useful for security auditing under certain constraints.  Constraints
that a sysadmin may be hard pressed to judge correctly.

I understand the argument that access to file descriptors to sub
processes could cause security issues.  I also understand that the
parent processes may want to keep file descriptors open across
invocations of sub processes.  Maybe there should be some common
practice to handle closing those descriptors during the invocation of
the sub process without burdening the parent process.

   * What outcome did you expect instead?
But IIUC these warnings are targeted at developers and maintainers, not
at the many more sysadmins who scramble to secure their production
systems.

If there is nothing that the os-prober developers or maintainers can do,
then maybe:
a) this bug should be reassigned to lvm2
b) there should be some assessment on whether some mechanism should be
introduced to suppress these messages: they should only be emitted in
the "testing" suite, and suppressed once the package is stable.

Thank you for considering!

-- System Information:
Debian Release: 10.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/12 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages os-prober depends on:
ii  grub-common  2.02+dfsg1-20+deb10u2
ii  libc6        2.28-10

os-prober recommends no packages.

os-prober suggests no packages.

-- no debconf information
-- 
David Ayers - Team Austria
Free Software Foundation Europe (FSFE) []          (http://www.fsfe.org)
Become a supporter of the FSFE!      [][][]      (https://fsfe.org/join)
Your donation powers our work!         ||       (http://fsfe.org/donate)
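
The concern raised in the message above (a parent that keeps descriptors open while its subprocesses should not inherit them), as an added example that is not part of the original message and is not os-prober or lvm2 code. Descriptor 9, /dev/null and all function names are constructed for illustration; run_clean goes beyond the single-descriptor case and closes every descriptor from 3 to 9 for one invocation.

```shell
#!/bin/sh
# Added example (not os-prober or lvm2 code). Descriptor 9 and /dev/null are
# constructed stand-ins for whatever file the parent process keeps open.

# Print "open" or "closed" for descriptor $1 as seen by a newly exec'ed child.
child_fd_state() {
    sh -c 'if ( : 1>&"$1" ) 2>/dev/null; then echo open; else echo closed; fi' \
        probe "$1"
}

# Parent keeps fd 9 open and starts the child with no precautions:
# the child inherits the descriptor.
leaky_parent() (
    exec 9>/dev/null
    child_fd_state 9
)

# Same parent, but fd 9 is closed for this one invocation only ("9>&-").
# The second output line shows the parent's own copy is untouched.
careful_parent() (
    exec 9>/dev/null
    child_fd_state 9 9>&-
    if ( : 1>&9 ) 2>/dev/null; then echo parent-open; else echo parent-closed; fi
)

# Generalisation: run any command with every descriptor from 3 to 9 closed,
# so the caller does not need to know which ones it currently holds.
# Closing a descriptor that is not open is not an error.
run_clean() {
    "$@" 3>&- 4>&- 5>&- 6>&- 7>&- 8>&- 9>&-
}

wrapped_parent() (
    exec 9>/dev/null
    run_clean child_fd_state 9
)

echo "no precautions: $(leaky_parent)"
echo "9>&- on call:   $(careful_parent | tr '\n' ' ')"
echo "run_clean:      $(wrapped_parent)"
```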
