Bug#417995: initramfs-tools: lets ordinary users read the root filesystem's raw block device
On Fri, Apr 06, 2007 at 01:39:35AM +0200, Fabian Pietsch wrote:
> Package: initramfs-tools
> Version: 0.85f
> Severity: critical
> Tags: security patch
> Justification: root security hole
> A system that was booted from an initramfs created by initramfs-tools has
> the following device node in the booted system's /dev:
For the record, this only happens when using the lilo compatibility
functionality. It's still a security problem, of course, but this explains
why I'm not able to reproduce it on any of my systems.
> klibc-utils' mknod doesn't seem to support passing permissions on the
> command line, so umask or chmod would be needed. For "BUSYBOX=y" in
> /etc/initramfs-tools/initramfs.conf, after applying the following patch,
> running "update-initramfs -u" and rebooting, the device node's permissions
> are sane:
> | brw------- 1 root root 3, 7 Apr 6 00:50 /dev/root
> --- /usr/share/initramfs-tools/scripts/functions.orig
> +++ /usr/share/initramfs-tools/scripts/functions
> @@ -231,6 +231,7 @@
> ;;
> esac
>
> mknod /dev/root b ${major} ${minor}
> + chmod go-rw /dev/root
> ROOT=/dev/root
> }
This looks like an appropriate fix to me.
Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
Reply to: