Bug#417995: marked as done (initramfs-tools: lets ordinary users read the root filesystem's raw block device)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Fri, 06 Apr 2007 07:47:02 +0000
with message-id <E1HZj9y-00078d-Nt@ries.debian.org>
and subject line Bug#417995: fixed in initramfs-tools 0.85g
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: initramfs-tools: lets ordinary users read the root filesystem's raw block device
• From: Fabian Pietsch <fabian@canvon.dyndns.org>
• Date: Fri, 06 Apr 2007 01:39:35 +0200
• Message-id: <[🔎] 20070405233935.2925.63334.reportbug@zzz4.int.zzznowman.dyndns.org>

Package: initramfs-tools
Version: 0.85f
Severity: critical
Tags: security patch
Justification: root security hole

A system that was booted from an initramfs created by initramfs-tools has
the following device node in the booted system's /dev:

| brw-r--r-- 1 root root 3, 7 Apr  6 00:38 /dev/root

This allows ordinary users to read the raw root filesystem, i.e.,
its block device. Bypassing the normal filesystem access restrictions
with this becomes easy through, e.g., /sbin/debugfs from e2fsprogs,
a "Priority: required" package. After reading /etc/shadow, passwords of
other accounts on the system may be cracked. Other authentication data
often is even unencrypted, like the boot loader password from
/etc/lilo.conf, which allows a local attacker to reboot with, e.g.,
init=/bin/bash, and take full control of the system.  </blah>

The device node is created prior to mounting the root filesystem, by a
script shared between initramfs generator and generated initramfs.
klibc-utils' mknod doesn't seem to support passing permissions on the
command line, so umask or chmod would be needed. For "BUSYBOX=y" in
/etc/initramfs-tools/initramfs.conf, after applying the following patch,
running "update-initramfs -u" and rebooting, the device node's permissions
are sane:

| brw------- 1 root root 3, 7 Apr  6 00:50 /dev/root

--- /usr/share/initramfs-tools/scripts/functions.orig
+++ /usr/share/initramfs-tools/scripts/functions
@@ -231,6 +231,7 @@
 		;;
 	esac
 
 	mknod /dev/root b ${major} ${minor}
+	chmod go-rw /dev/root
 	ROOT=/dev/root
 }


-- Package-specific info:
-- /proc/cmdline
auto BOOT_IMAGE=debian ro root=307 resume=/dev/hda4

-- /proc/filesystems
	cramfs
	ext3

-- lsmod
Module                  Size  Used by
ipv6                  226016  18 
button                  6672  0 
ac                      5188  0 
battery                 9636  0 
nfs                   202828  2 
lockd                  54344  2 nfs
nfs_acl                 3584  1 nfs
sunrpc                138812  4 nfs,lockd,nfs_acl
dm_snapshot            15552  0 
dm_mirror              19152  0 
dm_mod                 50232  2 dm_snapshot,dm_mirror
r128                   34816  0 
drm                    61332  1 r128
3c509                  11828  0 
snd_ens1371            23616  1 
tsdev                   7520  0 
gameport               14632  1 snd_ens1371
snd_ac97_codec         83104  1 snd_ens1371
snd_ac97_bus            2400  1 snd_ac97_codec
snd_pcm_oss            38368  0 
snd_mixer_oss          15200  2 snd_pcm_oss
snd_pcm                68676  3 snd_ens1371,snd_ac97_codec,snd_pcm_oss
snd_seq_dummy           3844  0 
snd_seq_oss            28768  0 
snd_seq_midi            8192  0 
snd_rawmidi            22560  2 snd_ens1371,snd_seq_midi
floppy                 53156  0 
psmouse                35016  0 
parport_pc             32132  0 
parport                33256  1 parport_pc
snd_seq_midi_event      7008  2 snd_seq_oss,snd_seq_midi
snd_seq                45680  6 snd_seq_dummy,snd_seq_oss,snd_seq_midi,snd_seq_midi_event
pcspkr                  3072  0 
rtc                    12372  0 
serio_raw               6660  0 
snd_timer              20996  2 snd_pcm,snd_seq
snd_seq_device          7820  5 snd_seq_dummy,snd_seq_oss,snd_seq_midi,snd_rawmidi,snd_seq
bttv                  159732  0 
video_buf              23012  1 bttv
firmware_class          9600  1 bttv
ir_common              27780  1 bttv
compat_ioctl32          1472  1 bttv
i2c_algo_bit            8424  1 bttv
btcx_risc               4776  1 bttv
tveeprom               13840  1 bttv
videodev               21120  1 bttv
v4l1_compat            12036  1 videodev
v4l2_common            20448  2 bttv,videodev
snd                    47012  10 snd_ens1371,snd_ac97_codec,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_seq_oss,snd_rawmidi,snd_seq,snd_timer,snd_seq_device
soundcore               9248  2 snd
i2c_piix4               8140  0 
snd_page_alloc          9640  1 snd_pcm
i2c_core               19680  4 bttv,i2c_algo_bit,tveeprom,i2c_piix4
shpchp                 33024  0 
intel_agp              21148  1 
pci_hotplug            28704  1 shpchp
agpgart                29896  2 drm,intel_agp
evdev                   9088  0 
ext3                  119240  2 
jbd                    52456  1 ext3
mbcache                 8356  1 ext3
ide_generic             1408  0 [permanent]
ide_cd                 36064  0 
cdrom                  32544  1 ide_cd
ide_disk               14848  4 
piix                    9444  0 [permanent]
sis900                 21760  0 
3c59x                  40360  0 
mii                     5344  2 sis900,3c59x
generic                 5476  0 [permanent]
uhci_hcd               21164  0 
usbcore               112644  2 uhci_hcd
ide_core              110504  5 ide_generic,ide_cd,ide_disk,piix,generic
thermal                13608  0 
processor              28840  1 thermal
fan                     4804  0 

-- kernel-img.conf
# Kernel Image management overrides
# See kernel-img.conf(5) for details
do_symlinks = Yes
do_initrd = Yes


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages initramfs-tools depends on:
ii  busybox-cvs-static            20040623-1 Standalone rescue shell with tons 
ii  cpio                          2.6-17     GNU cpio -- a program to manage ar
ii  klibc-utils                   1.4.34-1   small statically-linked utilities 
ii  module-init-tools             3.3-pre4-2 tools for managing Linux kernel mo
ii  udev                          0.105-4    /dev/ and hotplug management daemo

initramfs-tools recommends no packages.

-- no debconf information

--- /usr/share/initramfs-tools/scripts/functions.orig	2006-08-19 16:06:20.000000000 +0200
+++ /usr/share/initramfs-tools/scripts/functions	2007-04-06 00:43:35.000000000 +0200
@@ -231,6 +231,7 @@
 		;;
 	esac
 
 	mknod /dev/root b ${major} ${minor}
+	chmod go-rw /dev/root
 	ROOT=/dev/root
 }

--- End Message ---

--- Begin Message ---

• To: 417995-close@bugs.debian.org
• Subject: Bug#417995: fixed in initramfs-tools 0.85g
• From: maximilian attems <maks@debian.org>
• Date: Fri, 06 Apr 2007 07:47:02 +0000
• Message-id: <E1HZj9y-00078d-Nt@ries.debian.org>

Source: initramfs-tools
Source-Version: 0.85g

We believe that the bug you reported is fixed in the latest version of
initramfs-tools, which is due to be installed in the Debian FTP archive:

initramfs-tools_0.85g.dsc
  to pool/main/i/initramfs-tools/initramfs-tools_0.85g.dsc
initramfs-tools_0.85g.tar.gz
  to pool/main/i/initramfs-tools/initramfs-tools_0.85g.tar.gz
initramfs-tools_0.85g_all.deb
  to pool/main/i/initramfs-tools/initramfs-tools_0.85g_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 417995@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
maximilian attems <maks@debian.org> (supplier of updated initramfs-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  6 Apr 2007 09:19:13 +0200
Source: initramfs-tools
Binary: initramfs-tools
Architecture: source all
Version: 0.85g
Distribution: unstable
Urgency: high
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: maximilian attems <maks@debian.org>
Description: 
 initramfs-tools - tools for generating an initramfs
Closes: 417995
Changes: 
 initramfs-tools (0.85g) unstable; urgency=high
 .
   * SECURITY scripts/functions: Set permission of created root dev in
     parse_numeric() to 600. This bug only affects lilo boots. Thanks
     Fabian Pietsch <fabian@canvon.dyndns.org> and Goswin von Brederlow
     <brederlo@informatik.uni-tuebingen.de> for patch input. (closes: 417995)
 .
   * debian/control: Change Uploaders email.
Files: 
 8eb3dfb6409c309f1ab82d4b18cfcfe3 621 utils optional initramfs-tools_0.85g.dsc
 f890e42cd4aa92f11bb2e01602d0ee34 56936 utils optional initramfs-tools_0.85g.tar.gz
 bbb6620b5d6c629aeb501bdad20c37c4 63290 utils optional initramfs-tools_0.85g_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGFfUheW7Lc5tEHqgRAltiAJ9e9VLSkdUAZvH/BMr7Qt8i7yjWFQCgnOQs
K8u30fokWDXJFoiE/3vfWAQ=
=6Iah
-----END PGP SIGNATURE-----

--- End Message ---