Bug#536195: marked as done (document UMASK initramfs.conf usage)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Mon, 05 Apr 2010 22:12:53 +0000
with message-id <E1NyuXN-000827-2B@ries.debian.org>
and subject line Bug#536195: fixed in initramfs-tools 0.94
has caused the Debian Bug report #536195,
regarding document UMASK initramfs.conf usage
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
536195: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536195
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: dropbear remote boot feature exposes initramfs host keys to regular users
• From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
• Date: Wed, 08 Jul 2009 00:54:32 -0400
• Message-id: <20090708045432.28266.93380.reportbug@pip.fifthhorseman.net>

Package: dropbear
Version: 0.52-2
Severity: normal

the dropbear package takes pains to set up the initramfs with its own
host keys for remote boot.  This is good!

It also makes those host keys unreadable to non-root users.  This is
also good!

0 dkg@pip:/tmp$ ls -l /etc/initramfs-tools/etc/dropbear/dropbear_*
-rw------- 1 root root 459 2009-07-08 00:08 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
-rw------- 1 root root 426 2009-07-08 00:08 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
0 dkg@pip:/tmp$

However, using stock initramfs-tools, the keys then get placed into a
world-readable initramfs, allowing any account on the server to
extract the host keys directly:

0 dkg@pip:/tmp$ mkdir -p etc/dropbear
0 dkg@pip:/tmp$ zcat /boot/initrd.img-$(uname -r) | cpio --extract etc/dropbear/dropbear_{dss,rsa}_host_key
40323 blocks
0 dkg@pip:/tmp$ ls -l etc/dropbear/
total 8
-rw------- 1 dkg dkg 459 2009-07-08 00:45 dropbear_dss_host_key
-rw------- 1 dkg dkg 426 2009-07-08 00:45 dropbear_rsa_host_key
0 dkg@pip:/tmp$ 

This exposes the remote boot setup to a potential MITM attack by any
system user who cared to copy the host keys out of the initramfs
before the reboot and is able to intercept (or misroute) network
traffic.

One really bad otucome of this is that it could allow for sniffing of
the cryptoroot passphrases.

    --dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-vserver-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dropbear depends on:
ii  libc6                  2.9-12            GNU C Library: Shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-13 compression library - runtime

dropbear recommends no packages.

Versions of packages dropbear suggests:
ii  openssh-client         1:5.1p1-5.opensc1 secure shell client, an rlogin/rsh
ii  runit                  2.0.0-1           a UNIX init scheme with service su
ii  udev                   0.141-1           /dev/ and hotplug management daemo

-- no debconf information

--- End Message ---

--- Begin Message ---

• To: 536195-close@bugs.debian.org
• Subject: Bug#536195: fixed in initramfs-tools 0.94
• From: maximilian attems <maks@debian.org>
• Date: Mon, 05 Apr 2010 22:12:53 +0000
• Message-id: <E1NyuXN-000827-2B@ries.debian.org>

Source: initramfs-tools
Source-Version: 0.94

We believe that the bug you reported is fixed in the latest version of
initramfs-tools, which is due to be installed in the Debian FTP archive:

initramfs-tools_0.94.dsc
  to main/i/initramfs-tools/initramfs-tools_0.94.dsc
initramfs-tools_0.94.tar.gz
  to main/i/initramfs-tools/initramfs-tools_0.94.tar.gz
initramfs-tools_0.94_all.deb
  to main/i/initramfs-tools/initramfs-tools_0.94_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 536195@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
maximilian attems <maks@debian.org> (supplier of updated initramfs-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 05 Apr 2010 05:25:48 +0200
Source: initramfs-tools
Binary: initramfs-tools
Architecture: source all
Version: 0.94
Distribution: unstable
Urgency: low
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: maximilian attems <maks@debian.org>
Description: 
 initramfs-tools - tools for generating an initramfs
Closes: 415474 433708 465760 487409 506533 519800 523735 524534 525606 533903 534201 535008 536195 541864 543568 545728 547365 548711 554873 559535 559619 560266 561289 562561 565386 565416 567065 567189 568527 569033 570678 572858 573761 574553 575154 575157 576429
Changes: 
 initramfs-tools (0.94) unstable; urgency=low
 .
   * The "Litte Bang" release
 .
   [ maximilian attems ]
   * Nuke kernelextras hooks.
   * Create a klibc hook script.
   * Redefinde MODULES=most to not carry any fb driver per default.
   * Nuke framebuffer boot script.
   * Revert "hook-functions: Add hid_* modules."
   * Move busybox addition to a hook script.
   * mkinitramfs fix comment.
   * hook-functions: Fix mounted /sys check for openvz container.
   * initramfs-tools.8: fix boot example script to execute.
     scripts/functions. (closes: #545728)
   * Fix out-of-date-standards-version.
   * /etc/kernel hook script support for make deb-pkg generated linux-images
     and kernel-package. (closes: #523735, #561289)
   * update-initramfs: allow -t takeover on delete.
   * /etc/kernel/postrm.d/i-t: use now takeover on delete.
     (closes: #524534, #547365, #559619)
   * Nuke useless unused dir.
   * kernel hook scripts: Fix typo, add comments.
   * hook-funcitions: Only warn about missing firmware if /proc/modules
     exists. (closes: #560266, #575154)
   * mkinitramfs: Be opportunistic when calling modprobe thus showing
     errors. (closes: #554873)
   * copy_exec: Check if ldd is around.
   * scripts/local: Use blkid as backup fstype detection. (closes: #568527)
   * mkinitramfs: only copy modprobe conf files. (closes: #506533)
   * blacklist earlier at init-top stage.
   * scripts/local: fix blkid invocation.
   * init: export and unset BOOTIF.
   * init: rexport resume to reallow it's hardcoded usage. (closes: #572858)
   * update-initramfs: -d delete .bak file. (closes: #559535)
   * control: bump standards version without changes.
   * control: Clean up Uploaders field.
   * switch from cdbs to debhelper 7.
   * update-initramfs: Stop second guessing lilo usage. (closes: #574553)
   * mkinitramfs: allow to build initramfs for unmodular linux images.
     (closes: #415474, #433708)
   * initramfs.conf.5: document UMASK variable for sensitive initramfs.
     (closes: #536195)
   * update-initramfs: only run elilo if configured. (closes: #534201)
   * update-initramfs: fix previous elilo commit.
   * MODULES=DEP Use driver/module syfs attribute. (closes: #567189)
   * panic: quote variable.
   * MODULES=DEP: Check rootfs on mkinitramfs. (closes: #519800)
   * Use ata_generic driver on all_generic_ide bootarg
   * scripts/functions: add get_fstype() from scripts/local. (closes: #487409)
   * mkinitramfs.8: update date.
   * Keep acpi modules in initramfs so that udev can load them early.
   * mkinitramfs: no longer copy depmod.
   * init: Silence "Loading essential drivers..." on quiet boot.
   * hook-functions: Add btrfs to base modules.
   * init: export BOOT for casper and friends.
   * hooks/klibc: Keep gzip in initramfs.
   * modernize docs to todays standards.
   * examples: shipp old framebuffer boot script.
   * initramfs.conf.5, update-initramfs.conf.5: Add FILES section.
     (closes: #565386)
   * mkinitramfs: be silent if no modules.map was generated in first place.
   * debian/control: Add a breaks cryptsetup.
 .
   [ Tormod Volden ]
   * blacklist boot hook write to /etc/modprobe.d/initramfs.conf.
     (closes: #541864)
 .
   [ Michael Prokop ]
   * Fix path to nfsroot.txt in documentation.
   * hook-functions: Avoid firmware copy error. (closes: #570678)
 .
   [ Joey Hess ]
   * scripts/local: avoid mount -t unknown. (closes: #567065)
 .
   [ Avi Rozen ]
   * mkinitramfs: add all usb storage devices. (closes: #543568)
 .
   [ Ferenc Wagner ]
   * initramfs-tools: make the panic argument available in the rescue
     shell. (closes: #569033)
 .
   [ Maximilian Gass ]
   * mkinitramfs: KEYMAP option fails to work due to missing keymap.
     (closes: #565416)
 .
   [ Vagrant Cascadian ]
   * configure_networking: support BOOTIF variable set by pxelinux.
     (closes: #535008)
 .
   [ Ben Hutchings ]
   * copy_modules_dir: Take a list of exclusions after the base directory.
   * auto_add_modules: Copy all modules from net, excluding some
     subdirectories.
 .
   [ Scott James Remnant ]
   * init: Mount devtmpfs on /dev.
   * mkinitramfs: Call depmod before packing the initramfs.
     (closes: #465760, #562561)
   * init: load the netconsole module with netconsole bootarg
   * init: mount /dev/pts as well as /dev.
 .
   [ Ben Collins ]
   * update-initramfs: Default to not keep .bak backups.
 .
   [ Piotr Lewandowski ]
   * update-initramfs breaks if /etc/mtab is a symlink to /proc/mounts.
     (closes: #525606)
 .
   [ Martin Michlmayr ]
   * MODULES=dep fix boot with MMC. (closes: #548711)
 .
   [ Nikolaus Schulz ]
   * hook-functions: let dep_add_modules() recurse into lvm slave devices.
     (closes: 573761)
 .
   [ Anna Jonna Armannsdottir ]
   * configure_networking: Try repeatedly ipconfig with increasing
     timeout.
 .
   [ Colin Watson ]
   * mkinitramfs: Filter out looping or broken symlinks from the
     initramfs. (closes: #575157)
   * mkinitramfs: set initramfs root to 755.
 .
   [ Bert Schulze ]
   * initramfs-tools: support different compression tools in mkinitramfs.
     (closes: #533903)
   * mkinitramfs: -c compression support / commandline override.
     (closes: #576429)
Checksums-Sha1: 
 5afd5d57aa19a5c0209eaecc9b1b1f9465753318 922 initramfs-tools_0.94.dsc
 509fb16736997ecba36f641127ceab5bea18f68d 71586 initramfs-tools_0.94.tar.gz
 02aca8c6e29acf625100c1551faf1dbc5b4a17d0 78974 initramfs-tools_0.94_all.deb
Checksums-Sha256: 
 aee9a553dd3844532c464d9f649cbff02928568d037415dc8126bb6591e2b817 922 initramfs-tools_0.94.dsc
 25580b8f761e154cfa4efe6d4657b69b8a6403f7097dcfe2d50c2e64cc6f4e9b 71586 initramfs-tools_0.94.tar.gz
 a8abc65bdbf74bedb0bb77a8079d34b0b0ef8b41adde923e4748a673af770f3c 78974 initramfs-tools_0.94_all.deb
Files: 
 c1dbcaa6efb98082c45257309ba20312 922 utils optional initramfs-tools_0.94.dsc
 0295a063638ef0e44a38ef9fa3d7f93f 71586 utils optional initramfs-tools_0.94.tar.gz
 c66b55ac5c3d7e19cb57057489defa1d 78974 utils optional initramfs-tools_0.94_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAku6RlIACgkQeW7Lc5tEHqh9MgCaAwfEx8qpBHws+lusrsXjVDTP
OTMAmwU4vowqNyQHgtoTdNywtdHts2q5
=MCMB
-----END PGP SIGNATURE-----

--- End Message ---