
Bug#536195: dropbear remote boot feature exposes initramfs host keys to regular users



hi!

maximilian attems wrote:
> egrep UMASK /etc/initramfs-tools/initramfs.conf
> UMASK=0077
> 
> this was not yet documented in initramfs.conf.5,
> will be in next upload.

ah ic.

in this case i guess it would be a good idea to automatically set UMASK=0077 in the initramfs config when installing dropbear.


regarding initramfs-tools:

when trying to locate the best[tm] place to put this, i first got a bit confused, and concluded with these findings regarding initramfs-tools in the end:

/etc/initramfs-tools/conf.d/			modularized 'initramfs.conf', i.e. used to configure mkinitramfs et al.
/usr/share/initramfs-tools/conf-hooks.d/	like /etc/initramfs-tools/conf.d/.

/usr/share/initramfs-tools/conf.d/		copied to the initramfs into conf/, i.e. used to configure stuff when booting the initramfs.

/etc/initramfs-tools/hooks/			hook scripts used to create initramfs.
/usr/share/initramfs-tools/hooks/		like /etc/initramfs-tools/hooks/.

/etc/initramfs-tools/scripts/			scripts used when booting the initramfs.
/usr/share/initramfs-tools/scripts/		like /etc/initramfs-tools/scripts/.

/usr/share/initramfs-tools/hooksconf.d/		unused?

/etc/initramfs-tools/modules			modules to load when booting the initramfs.
/usr/share/initramfs-tools/modules		like /etc/initramfs-tools/modules.

/usr/share/initramfs-tools/modules.d/		modularized 'modules'

i find duplicate places to put something quite a bit irritating. is there some functional advantage i just don't get?
otherwise i'd suggest adding an /etc/initramfs-tools/modules.d/, removing all the duplicate places keeping the /etc/initramfs-tools/* versions, and removing the hooksconf.d/. also i don't think it would be wrong to move the /usr/share/initramfs-tools/conf.d/ to something like /etc/initramfs-tools/initramfs-conf.d/, and also move the hook-functions and init to /etc/initramfs-tools/ - so the whole /usr/share/initramfs-tools/ could be spared.

in case of general approval, i'd provide a patch for this and could also take care to provide patches for the packages currently using /usr/initramfs-tools/ as far as i know of them (currently that would be: cryptsetup, dropbear, uswsusp, udev).

hm. actually that could be optimized even more. for example when building a cryptroot+dropbear initramfs, the host keys and authorization info for the initramfs are created and saved into /etc/initramfs-tools/ (in etc/ and root/).
a kind of 'initramfs template root' could be created (e.g. /etc/initramfs-tools/template/ or /etc/initramfs-tools/initramfs/), and the mentioned etc/ and root/ could be moved there. scripts/, conf/conf.d/, conf/modules and conf/modules.d/ (i.e. all the stuff that is meant to end up in the initramfs) could be moved there, too, so when creating an initramfs, this template dir could simply be used as a starting point. this way mkinitramfs could be reduced in complexity quite a bit i guess, while this should also add some degree of transparency and also flexibility for future features (esp. features by other packages, i guess).
of course i'd also be happy to provide a patch for this, in case it is regarded as a good thing [tm].

and to answer my initial question, i guess using conf.d/ for modularized configs done by other packages is a good idea. :)


regarding dropbear:

patch for the dropbear package attached.
gerrit, in case you approve of this patch but would like me to open a bug for dropbear with this patch, please just drop me a short note.


regards,

	Chris
diff -pruN ../a/dropbear-0.52/debian/initramfs/dropbear-conf ./dropbear-0.52/debian/initramfs/dropbear-conf
--- ../a/dropbear-0.52/debian/initramfs/dropbear-conf	2010-03-25 11:42:21.000000000 +0100
+++ ./dropbear-0.52/debian/initramfs/dropbear-conf	2010-03-25 11:48:38.000000000 +0100
@@ -6,3 +6,12 @@
 #
 
 #DROPBEAR=y
+
+#
+# UMASK: [ 4-DIGIT OCTAL UMASK ]
+#
+# umask to use when creating an initramfs
+#
+
+UMASK=0077
+
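Review bot: The comment block added above UMASK=0077 only says "umask to use when creating an initramfs" and gives no reason for the value, so an admin editing this file has no hint that loosening it makes the image, and the initramfs host keys this bug is about, readable by regular users. Suggest one more comment line saying that the image contains the dropbear host keys and must not be readable by group or others. The hunk also adds a blank line after the assignment at the end of the file, which can be dropped.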
diff -pruN ../a/dropbear-0.52/debian/rules ./dropbear-0.52/debian/rules
--- ../a/dropbear-0.52/debian/rules	2010-03-25 11:42:21.000000000 +0100
+++ ./dropbear-0.52/debian/rules	2010-03-25 12:13:46.000000000 +0100
@@ -92,9 +92,9 @@ install: deb-checkdir deb-checkuid build
 	  '$(DIR)'/usr/share/initramfs-tools/scripts/init-bottom
 	install -m0755 debian/initramfs/bottom-dropbear \
 	  '$(DIR)'/usr/share/initramfs-tools/scripts/init-bottom/dropbear
-	install -d -m0755 '$(DIR)'/usr/share/initramfs-tools/conf-hooks.d
+	install -d -m0755 '$(DIR)'/etc/initramfs-tools/conf.d
 	install -m0644 debian/initramfs/dropbear-conf \
-	  '$(DIR)'/usr/share/initramfs-tools/conf-hooks.d/dropbear
+	  '$(DIR)'/etc/initramfs-tools/conf.d/dropbear
 	# man pages
 	install -d -m0755 '$(DIR)'/usr/share/man/man8
 	for i in dropbear.8 dropbearkey.8; do \
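Review bot: Installing the snippet to /etc/initramfs-tools/conf.d/dropbear instead of /usr/share/initramfs-tools/conf-hooks.d/dropbear turns a package-owned file into admin-editable configuration under /etc, and nothing in this hunk says why the move is needed for the UMASK change; the accompanying message lists conf-hooks.d as behaving like conf.d. Either keep the existing conf-hooks.d path and only add the setting, or state the reason for the move in the changelog and make sure the new path is handled as a conffile so local edits survive upgrades.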

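A way to check the setting discussed in this message on an installed system, as an added example that is not part of the original mail or of the dropbear or initramfs-tools packages. It assumes that the last UMASK= line wins when initramfs.conf is read before conf.d/*, and that images are named initrd.img-*; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit whether initramfs images are kept private (UMASK=0077).
# Assumption: the last UMASK= line wins, reading initramfs.conf and then
# conf.d/* in glob order. The files are parsed with sed, never sourced.

# effective_umask CONF_DIR -> prints the configured UMASK, nothing if unset
effective_umask() {
    for f in "$1/initramfs.conf" "$1"/conf.d/*; do
        if [ -f "$f" ]; then
            # commented-out lines such as "#UMASK=..." do not match
            sed -n 's/^[[:space:]]*UMASK="\{0,1\}\([0-7][0-7]*\).*/\1/p' "$f"
        fi
    done | tail -n 1
}

# umask_is_private VALUE -> success if the umask clears all group/other bits
umask_is_private() {
    case "$1" in ''|*[!0-7]*) return 1 ;; esac
    [ $(( 0$1 & 077 )) -eq 63 ]    # 63 decimal == 077 octal
}

# exposed_images BOOT_DIR -> prints images readable by group or others
exposed_images() {
    find "$1" -maxdepth 1 -type f -name 'initrd.img-*' \
        \( -perm -040 -o -perm -004 \) 2>/dev/null | sort
}

# audit CONF_DIR BOOT_DIR -> prints findings, non-zero status if any
audit() {
    rc=0
    u=$(effective_umask "$1")
    if umask_is_private "$u"; then
        echo "ok: UMASK=$u"
    else
        echo "WARN: UMASK=${u:-unset}; new images inherit the caller's umask"
        rc=1
    fi
    imgs=$(exposed_images "$2")
    if [ -n "$imgs" ]; then
        echo "WARN: images readable by group/others:"
        echo "$imgs"
        rc=1
    fi
    return $rc
}

# Runs only when given directories: sh audit.sh /etc/initramfs-tools /boot
[ "$#" -lt 2 ] || audit "$1" "$2"
```

Images built before the setting took effect keep their old mode, which is why the existing files are checked separately from the configuration.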