Bug#504043: marked as done (initramfs: bail to shell on error: insecure default)

To: maximilian attems <max@stro.at>
Subject: Bug#504043: marked as done (initramfs: bail to shell on error: insecure default)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sun, 14 Dec 2008 23:27:15 +0000
Message-id: <[🔎] handler.504043.D504043.122929699625566.ackdone@bugs.debian.org>
References: <20081214232239.GA3171@stro.at> <20081030190608.GA6914@darkside.22.kls.lan>

Your message dated Mon, 15 Dec 2008 00:22:39 +0100
with message-id <20081214232239.GA3171@stro.at>
and subject line Re: initramfs: bail to shell on error: insecure default
has caused the Debian Bug report #504043,
regarding initramfs: bail to shell on error: insecure default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
504043: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504043
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: initramfs: bail to shell on error: insecure default
From: "Mario 'BitKoenig' Holbe" <Mario.Holbe@TU-Ilmenau.DE>
Date: Thu, 30 Oct 2008 20:06:08 +0100
Message-id: <20081030190608.GA6914@darkside.22.kls.lan>

Package: initramfs-tools
Version: 0.92l

Hello,

initrams created by initramfs-tools default to opening shell access to
the system on errors. This is an insecure default. Errors can be induced
on otherwise secured systems in many ways, like plugging in USB sticks,
eSATA devices, entering wrong passphrases, or whatever.
The rest of the system tries to ensure not to give away unauthorized
(root) shells by asking for passwords when entering maintenance or
single user mode, etc.

I know that initrams can be tweaked not to bail to a shell as a
side-effect of setting the panic= kernel parameter. However, users have
to explicitely choose this secure way. A cleaner approach w.r.t. secure
defaults, IMHO, would be to let users choose the insecure way by
setting a `bailtoshell' parameter or something like that (probably at
the kernel commandline to allow emergency intervention).

I'm not sure about the severity of this bug report, so I leave that up
to you.


regards
   Mario
-- 
> As Luke Leighton said once on samba-ntdom, "now, what was that about
> rebooting?   that was so long ago, i had to look it up with man -k."

Attachment: signature.asc
Description: Digital signature

--- End Message ---

--- Begin Message ---

To: 504043-done@bugs.debian.org

Subject: Re: initramfs: bail to shell on error: insecure default

From: maximilian attems <max@stro.at>

Date: Mon, 15 Dec 2008 00:22:39 +0100

Message-id: <20081214232239.GA3171@stro.at>
yes we try to be user friendly.
the bailout does not happen in usual conditions.
see longer postings in d-kernel and use panic if you don't want
that for a secured env.

not a bug but a design decision, closing.

-- 
maks
--- End Message ---

Reply to:

Prev by Date: Bug#507676: marked as done (initramfs-tools: does not wait for usb disks in fstab to show up)
Next by Date: Processed: tagging 503115
Previous by thread: Bug#383865: linux-source-2.6.17: crash: hostap_cs & orinoco_cs both loading for same card?
Next by thread: Processed: tagging 503115
Index(es):
- Date
- Thread