
Bug#655175: marked as done (initramfs-tools: /run/initramfs is user-writable)



Your message dated Wed, 06 Jun 2012 13:17:23 +0000
with message-id <E1ScG71-0004jx-EE@franck.debian.org>
and subject line Bug#655175: fixed in initramfs-tools 0.104
has caused the Debian Bug report #655175,
regarding initramfs-tools: /run/initramfs is user-writable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
655175: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655175
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: initramfs-tools
Version: 0.99
Severity: important

% ls -ld /run/initramfs
drwsrwsrwt 2 root root 40 Jan  8 23:42 /run/initramfs

Is there any reason for this directory to be user-writable either
before or after the handover to /sbin/init?  AFAIK all the code
run in the initramfs is as root, and no users really exist at this
point, making the need for a user to write to it moot.  After the

When the system is booted and users can log in, there is nothing
to stop a user denial of service by filling up /run through the
creation of files in /run/initramfs.  I can't think of any valid
reason to give a user write access to a filesystem only intended
to be writable by system processes.

I would suggest creating it with 0755 permissions for safety and
security.


Regards,
Roger

-- Package-specific info:
-- initramfs sizes
-- /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-3.1.0-1-amd64 root=/dev/mapper/ravenclaw-root ro

-- resume
RESUME=/dev/mapper/ravenclaw-swap
-- /proc/filesystems
	btrfs
	ext4
	fuseblk

-- lsmod

-- /etc/initramfs-tools/modules

-- /etc/kernel-img.conf
# Kernel image management overrides
# See kernel-img.conf(5) for details
do_symlinks = yes
do_bootloader = no
do_initrd = yes
link_in_boot = no

-- /etc/initramfs-tools/initramfs.conf
MODULES=most
BUSYBOX=y
KEYMAP=n
COMPRESS=gzip
BOOT=local
DEVICE=
NFSROOT=auto

-- /etc/initramfs-tools/update-initramfs.conf
update_initramfs=yes
backup_initramfs=no

-- /proc/mdstat
Personalities : [raid1] 
md1 : active raid1 sdb3[0] sda3[1]
      976752504 blocks super 1.2 [2/2] [UU]
      
unused devices: <none>

-- mkinitramfs hooks
/etc/initramfs-tools/hooks/:

/usr/share/initramfs-tools/hooks:
btrfs
busybox
dmsetup
fuse
keymap
klibc
lvm2
mdadm
ntfs_3g
thermal
udev


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (550, 'unstable'), (500, 'testing'), (400, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages initramfs-tools depends on:
ii  cpio               2.11-7
ii  findutils          4.4.2-4
ii  klibc-utils        1.5.25-1.1
ii  module-init-tools  3.16-1
ii  udev               175-3

Versions of packages initramfs-tools recommends:
ii  busybox  1:1.19.3-5

Versions of packages initramfs-tools suggests:
ii  bash-completion  1:1.3-1

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: initramfs-tools
Source-Version: 0.104

We believe that the bug you reported is fixed in the latest version of
initramfs-tools, which is due to be installed in the Debian FTP archive:

initramfs-tools_0.104.dsc
  to main/i/initramfs-tools/initramfs-tools_0.104.dsc
initramfs-tools_0.104.tar.gz
  to main/i/initramfs-tools/initramfs-tools_0.104.tar.gz
initramfs-tools_0.104_all.deb
  to main/i/initramfs-tools/initramfs-tools_0.104_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 655175@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
maximilian attems <maks@debian.org> (supplier of updated initramfs-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 06 Jun 2012 14:48:26 +0200
Source: initramfs-tools
Binary: initramfs-tools
Architecture: source all
Version: 0.104
Distribution: unstable
Urgency: high
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: maximilian attems <maks@debian.org>
Description: 
 initramfs-tools - generic modular initramfs generator
Closes: 601324 652525 655175 660297 668616 670496 674484
Changes: 
 initramfs-tools (0.104) unstable; urgency=high
 .
   [ Michael Prokop ]
   * [9e961c6] docs: clarify that PREREQ is only honored inside single directory.
     Thanks to Marc Haber <mh+debian-bugs@zugschlus.de> for spotting this issue
     (Closes: #601324)
 .
   [ maximilian attems ]
   * [b60b440] debian/control: Depend on kmod or m-i-t.
   * [f87e71b] hook-functions: handle rootfs output from mount(8).
     (Closes: #668616)
   * [042c5c9] init: tighten /run/initramfs permissions. (Closes: #655175)
   * [df4ffdf] scripts/functions: panic() don't abort on modprobe failures.
     (Closes: #674484)
 .
   [ Vagrant Cascadian ]
   * [ddbdb4f] init: busybox's switch_root doesn't handle /proc or /sys moving.
     (Closes: #660297)
 .
   [ Balwinder S Dheeman ]
   * [3ff8ee6] init: fixes ignored $tmpfs_size. (Closes: #670496)
 .
   [ Josh Triplett ]
   * [2c5c942] initramfs-tools: speed-up by avoiding forks in the per-module
     hot path. (Closes: #652525)
Checksums-Sha1: 
 cbcfdeeb67bfcb7441c197b47dc675eff922f049 1052 initramfs-tools_0.104.dsc
 1218b9ab4df1557ae4aa2180d46b8740b94af9f0 84519 initramfs-tools_0.104.tar.gz
 57e7b2faada169f5978d64c936b4e2ce0d6aa4c9 91002 initramfs-tools_0.104_all.deb
Checksums-Sha256: 
 45c035c998f8c2ec5a8ca1f50df3e91b30f306bcf1c016bf38ec4806daae30d1 1052 initramfs-tools_0.104.dsc
 6048b66aa067de06419c53353f632315b279eab957cd17157f83c3c60b670e6f 84519 initramfs-tools_0.104.tar.gz
 7817d3b28de728e515078d3452efefb60136ac21ce8c5821fb46ef735f156f73 91002 initramfs-tools_0.104_all.deb
Files: 
 b0eadf22423992235c55d3a0ca49723d 1052 utils optional initramfs-tools_0.104.dsc
 fb46dba7c1886c6020586d99ecfb7519 84519 utils optional initramfs-tools_0.104.tar.gz
 e6519d7618d6b7b1c7dc7678b98f3328 91002 utils optional initramfs-tools_0.104_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk/PU3gACgkQeW7Lc5tEHqhiigCgppHUxmZ5/fPynMyrvN2f3LgM
KPEAoIsA+bUqlyeP9sX0x+PK9LIWnYrs
=sjD3
-----END PGP SIGNATURE-----



--- End Message ---
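
Added example, not part of the original report or of initramfs-tools: a POSIX shell check for the condition reported above (a directory whose "other" write bit is set) and a sweep for such directories under a tree such as /run. It assumes GNU stat and find; the function names and the throwaway demo directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the demo tree are constructed, not from
# initramfs-tools. Assumes GNU coreutils stat and findutils find.

# audit_dir PATH: print "PATH MODE verdict"; return 1 if world-writable,
# 0 if not, 2 if PATH cannot be examined.
audit_dir() {
    mode=$(stat -c '%a' -- "$1" 2>/dev/null) || return 2
    other=${mode#"${mode%?}"}      # last octal digit holds the "other" bits
    case $other in
        2|3|6|7) echo "$1 $mode world-writable"; return 1 ;;
        *)       echo "$1 $mode ok"; return 0 ;;
    esac
}

# audit_tree ROOT: list world-writable directories below ROOT without
# crossing into other filesystems (e.g. audit_tree /run on a booted system).
audit_tree() {
    find "$1" -xdev -type d -perm -0002 2>/dev/null
}

# demo: rebuild the reported mode (drwsrwsrwt = 7777) next to the 0755 mode
# suggested in the report, inside a throwaway directory.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/reported" && chmod 7777 "$d/reported"
    mkdir -m 0755 "$d/suggested"
    audit_dir "$d/reported" || true
    audit_dir "$d/suggested" || true
    echo "world-writable under $d:"
    audit_tree "$d"
    rm -rf "$d"
}

demo
```

On a booted system, `audit_dir /run/initramfs` and `audit_tree /run` apply the same check to the real paths.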
