Bug#381677: initramfs-tools: Temporary files and initramfs world-readable

To: 381677@bugs.debian.org
Cc: lionel@mamane.lu
Subject: Bug#381677: initramfs-tools: Temporary files and initramfs world-readable
From: Jonas Smedegaard <dr@jones.dk>
Date: Mon, 14 Aug 2006 01:34:28 +0200
Message-id: <[🔎] 20060814013428.88535ad7.dr@jones.dk>
Reply-to: Jonas Smedegaard <dr@jones.dk>, 381677@bugs.debian.org
In-reply-to: <[🔎] 20060813143457.GD4868@baikonur.stro.at>
References: <[🔎] 20060806130659.GA6798@bagnat.mamane.lu> <[🔎] 20060812084316.GH24632@nancy> <[🔎] 20060812133942.aa7ebc96.dr@jones.dk> <[🔎] 20060813092602.GC6205@nancy> <[🔎] 20060813121313.75e0b3cd.dr@jones.dk> <[🔎] 20060813143457.GD4868@baikonur.stro.at>

On Sun, 13 Aug 2006 16:34:57 +0200 maximilian attems wrote:

> On Sun, Aug 13, 2006 at 12:13:13PM +0200, Jonas Smedegaard wrote:
> > On Sun, 13 Aug 2006 11:26:02 +0200 maximilian attems wrote:
> <snipp>
> > > please specify the info:
> > > i'm not 100% familiar with yaird code, so i'd be happy to know
> > > which only root readable part might get exposed?
> > 
> > I don't know which files the local admin chooses to hide from its
> > local users.
> 
> well that is easily done by setting /boot 0700
> or even tighter with selinux permissions.
>  
> > Backup routines ought to make sure to use equal or tighter access
> > rights than the originals copied. Same goes for ramdisk builders,
> > IMHO.
> 
> well targetting Debian default, this is handwaving until a special
> file is named. in the case of loop-aes i understand that the gpg key
> is a problem, but in general you didn't provide a backup for a leak
> claim:
> 
> a) /lib/modules is readable by anybody
> b) same goes with /boot/config that yaird uses
> c) /proc/cmdline, /proc/mount gives lots of info
> 
> so please be specific about the leakage.
> it is certainly against Debian standard permission setup.
> i may declare it needlessly paranoid.
>  
>  
> > > hmm indeed netboot should be supported out of the box,
> > > that is an counterarg.
> > 
> > Copying info as root and then exposing it to the whole (local)
> > network is certainly the special case, not a counter argument of
> > maintaining security in general!
> 
> which security? - again handwaving, please pinpoint an actual case
> in a Debian default setup.


Dear Max,

I did not file this bugreport. I agree with the worried bugreporter,
but am not in the mood for fighting, so if you cannot use my attempts at
helping you to a deeper understanding of *why* we are worried, then so
be it.

If you believe yaird does things in a wrong way, then please discuss it
through bugreports against that package.


 - Jonas

-- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

 - Enden er nær: http://www.shibumi.org/eoti.htm

Attachment: pgpvYi5HcTDYE.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Bug#381677: initramfs-tools: Temporary files and initramfs world-readable
  - From: maximilian attems <maks@sternwelten.at>

References:
- Bug#381677: initramfs-tools: Temporary files and initramfs world-readable
  - From: Lionel Elie Mamane <lionel@mamane.lu>
- Bug#381677: initramfs-tools: Temporary files and initramfs world-readable
  - From: maximilian attems <maks@sternwelten.at>
- Bug#381677: initramfs-tools: Temporary files and initramfs world-readable
  - From: Jonas Smedegaard <dr@jones.dk>
- Bug#381677: initramfs-tools: Temporary files and initramfs world-readable
  - From: maximilian attems <maks@sternwelten.at>
- Bug#381677: initramfs-tools: Temporary files and initramfs world-readable
  - From: Jonas Smedegaard <dr@jones.dk>
- Bug#381677: initramfs-tools: Temporary files and initramfs world-readable
  - From: maximilian attems <maks@sternwelten.at>

Prev by Date: linux-2.6_2.6.17-6_m68k.changes is NEW
Next by Date: Bug#377643: initramfs-tools: patch to retry nfsmount
Previous by thread: Bug#381677: initramfs-tools: Temporary files and initramfs world-readable
Next by thread: Bug#381677: initramfs-tools: Temporary files and initramfs world-readable
Index(es):
- Date
- Thread