Bug#417995: initramfs-tools: lets ordinary users read the root filesystem's raw block device
Package: initramfs-tools
Version: 0.85f
Severity: critical
Tags: security patch
Justification: root security hole
A system that was booted from an initramfs created by initramfs-tools has
the following device node in the booted system's /dev:
| brw-r--r-- 1 root root 3, 7 Apr 6 00:38 /dev/root
This allows ordinary users to read the raw root filesystem, i.e.,
its block device. Bypassing the normal filesystem access restrictions
with this becomes easy through, e.g., /sbin/debugfs from e2fsprogs,
a "Priority: required" package. After reading /etc/shadow, passwords of
other accounts on the system may be cracked. Other authentication data
often is even unencrypted, like the boot loader password from
/etc/lilo.conf, which allows a local attacker to reboot with, e.g.,
init=/bin/bash, and take full control of the system. </blah>
The device node is created prior to mounting the root filesystem, by a
script shared between initramfs generator and generated initramfs.
klibc-utils' mknod doesn't seem to support passing permissions on the
command line, so umask or chmod would be needed. For "BUSYBOX=y" in
/etc/initramfs-tools/initramfs.conf, after applying the following patch,
running "update-initramfs -u" and rebooting, the device node's permissions
are sane:
| brw------- 1 root root 3, 7 Apr 6 00:50 /dev/root
--- /usr/share/initramfs-tools/scripts/functions.orig
+++ /usr/share/initramfs-tools/scripts/functions
@@ -231,6 +231,7 @@
;;
esac
mknod /dev/root b ${major} ${minor}
+ chmod go-rw /dev/root
ROOT=/dev/root
}
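Review bot: the added `chmod go-rw /dev/root` runs only after `mknod /dev/root b ${major} ${minor}` has already created the node with the default mode, and it depends on a chmod binary that the report confirms only for BUSYBOX=y. Setting a restrictive umask (a shell builtin) just before the mknod line, and restoring the previous value afterwards, would create the node owner-only from the start and would not depend on which utilities are in the initramfs. If chmod stays, an absolute mode such as 0600 states the intended result more directly than the relative go-rw.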
-- Package-specific info:
-- /proc/cmdline
auto BOOT_IMAGE=debian ro root=307 resume=/dev/hda4
-- /proc/filesystems
cramfs
ext3
-- kernel-img.conf
# Kernel Image management overrides
# See kernel-img.conf(5) for details
do_symlinks = Yes
do_initrd = Yes
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Versions of packages initramfs-tools depends on:
ii busybox-cvs-static 20040623-1 Standalone rescue shell with tons
ii cpio 2.6-17 GNU cpio -- a program to manage ar
ii klibc-utils 1.4.34-1 small statically-linked utilities
ii module-init-tools 3.3-pre4-2 tools for managing Linux kernel mo
ii udev 0.105-4 /dev/ and hotplug management daemo
initramfs-tools recommends no packages.
-- no debconf information
--- /usr/share/initramfs-tools/scripts/functions.orig 2006-08-19 16:06:20.000000000 +0200
+++ /usr/share/initramfs-tools/scripts/functions 2007-04-06 00:43:35.000000000 +0200
@@ -231,6 +231,7 @@
;;
esac
mknod /dev/root b ${major} ${minor}
+ chmod go-rw /dev/root
ROOT=/dev/root
}
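An audit for the condition this report describes, as an added example that is not part of the original report or of initramfs-tools: it flags block device nodes that "other" or "group" can read or write. The record format assumes GNU stat called as `stat -c '%F|%a|%U:%G|%n'`; the function name and the sample records are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the bug report): flag block device nodes whose
# permission bits let non-owners read or write the raw device.
#
# Input records, one per line:  <file type>|<octal mode>|<owner:group>|<path>
# On a live system (assumes GNU find and GNU stat):
#   find /dev -type b -exec stat -c '%F|%a|%U:%G|%n' {} + | audit_block_nodes

audit_block_nodes() {
    while IFS='|' read -r ftype mode owner path; do
        # Only block devices expose a filesystem's raw contents.
        [ "$ftype" = "block special file" ] || continue
        # Skip malformed records instead of failing in the arithmetic below.
        case $mode in ''|*[!0-7]*) continue ;; esac
        other=${mode#"${mode%?}"}     # last octal digit: "other" bits
        rest=${mode%?}
        group=${rest#"${rest%?}"}     # second-to-last digit: group bits
        group=${group:-0}
        # 4 = read, 2 = write; either one on a raw device bypasses file modes.
        if [ $(( $other & 6 )) -ne 0 ]; then
            echo "WORLD $path mode=$mode owner=$owner"
        elif [ $(( $group & 6 )) -ne 0 ]; then
            # Group access is only as safe as the membership of that group.
            echo "GROUP $path mode=$mode owner=$owner"
        fi
    done
}

# Constructed sample records: the first mirrors the brw-r--r-- listing in the
# report, the others are made up to exercise each branch.
SAMPLE='block special file|644|root:root|/dev/root
block special file|600|root:root|/dev/hda4
block special file|660|root:disk|/dev/hda7
character special file|666|root:root|/dev/null
directory|755|root:root|/dev/pts'

printf '%s\n' "$SAMPLE" | audit_block_nodes
```

A WORLD finding is the situation in the report; a GROUP finding needs a look at who is in the named group.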