Bug#536195: dropbear remote boot feature exposes initramfs host keys to regular users
On Thu, Mar 25, 2010 at 02:46:35PM +0100, debian@x.ray.net wrote:
>
> maximilian attems wrote:
> > egrep UMASK /etc/initramfs-tools/initramfs.conf
> > UMASK=0077
> >
> > this was not yet documented in initramfs.conf.5,
> > will be in next upload.
>
> ah ic.
:)
> in this case i guess it were a good idea to automatically set
> UMASK=0077 in the initramfs config when installing dropbear.
yep
>
> regarding initramfs-tools:
quick answer /etc is for local admin /usr is for packages.
first place overrides the later one.
so your packaing change looks wrong to me.
indeed some directories are only for mkinitramfs configuring
others for boot time variables.
> when trying to locate the best[tm] place to put this, i first got a
> bit confused, and concluded with these findings regarding
> intramfs-tools in the end:
your overview totaly confused me and partialy wrong let's start with
important things, please checkout man initramfs-tools.
1) scripts to add stuff to initramfs
/usr/share/initramfs-tools/hooks
/etc/initramfs-tools/hooks
2) boot scripts
/usr/share/initramfs-tools/scripts
/etc/initramfs-tools/scripts
3) conf for mkintramfs for packages (does not land in initramfs)
/usr/share/initramfs-tools/conf-hooks.d/
4) conf for boot scripts
/usr/share/initramfs-tools/conf.d/
/etc/initramfs-tools/conf.d/
modules loading is a seperate story and is added
in /usr/share/initramfs-tools/modules and corresponding file in /etc
old unused dir is
/usr/share/initramfs-tools/hooksconf.d
what you could help at is audit scripts in
/usr/share/initramfs-tools/conf.d/
and check that they don't set an mkinitramfs variable.
then the call in mkinitramfs to source them could be finaly droped.
concerning templating this is what each perl module likes to reinvent
badly, don't think we need that complexity.
>
> and to answer my initial question, i guess using conf.d/ for
> modularized configs done by other packages is a good idea. :)
depends what for if it's for bootvariables then it is fine and good.
for mkinitramfs i'd be happy to drop.
> regarding dropbear:
>
> patch for the dropbear package attached. gerrit, in case you approve
> of this patch but would like me to open a bug for dropbear with this
> patch, please just drop me a short note.
seems good in general, just the packaging change can be dropped.
>
> regards,
>
> Chris
> diff -pruN ../a/dropbear-0.52/debian/initramfs/dropbear-conf ./dropbear-0.52/debian/initramfs/dropbear-conf
> --- ../a/dropbear-0.52/debian/initramfs/dropbear-conf 2010-03-25 11:42:21.000000000 +0100
> +++ ./dropbear-0.52/debian/initramfs/dropbear-conf 2010-03-25 11:48:38.000000000 +0100
> @@ -6,3 +6,12 @@
> #
>
> #DROPBEAR=y
> +
> +#
> +# UMASK: [ 4-DIGIT OCTAL UMASK ]
> +#
> +# umask to use when creating an initramfs
> +#
> +
> +UMASK=0077
> +
> diff -pruN ../a/dropbear-0.52/debian/rules ./dropbear-0.52/debian/rules
> --- ../a/dropbear-0.52/debian/rules 2010-03-25 11:42:21.000000000 +0100
> +++ ./dropbear-0.52/debian/rules 2010-03-25 12:13:46.000000000 +0100
> @@ -92,9 +92,9 @@ install: deb-checkdir deb-checkuid build
> '$(DIR)'/usr/share/initramfs-tools/scripts/init-bottom
> install -m0755 debian/initramfs/bottom-dropbear \
> '$(DIR)'/usr/share/initramfs-tools/scripts/init-bottom/dropbear
> - install -d -m0755 '$(DIR)'/usr/share/initramfs-tools/conf-hooks.d
> + install -d -m0755 '$(DIR)'/etc/initramfs-tools/conf.d
> install -m0644 debian/initramfs/dropbear-conf \
> - '$(DIR)'/usr/share/initramfs-tools/conf-hooks.d/dropbear
> + '$(DIR)'/etc/initramfs-tools/conf.d/dropbear
> # man pages
> install -d -m0755 '$(DIR)'/usr/share/man/man8
> for i in dropbear.8 dropbearkey.8; do \
Reply to: