
Bug#1002797: initramfs-tools: UMASK option doesn't catch all cases



Package: initramfs-tools
Version: 0.140
Severity: normal
Tags: security


Hi.

AFAIU, the UMASK option is there for cases like e.g. when dm-crypt keys
are included in the initramfs.

I played a bit with it, and found that it already doesn't just affect the
final initramfs image, but also parts below /var/tmp/mkinitramfs_*/ .


With "parts" I mean:
- the top level temp dir (/var/tmp/mkinitramfs_*/) is still world-readable
- and even below that, only directories seem affected, while files included
  e.g. via copy_file are not.


So I think, the top level dir should be created with the UMASK as well, or
perhaps even generally with root ownership ...

That should also protect all files not added with initramfs-tools functions,
as well as files included with copy_file but at the root of the initramfs
(which is the top level temp dir... so no intermediate dir would get created
with a securing UMASK).


Thanks,
Chris.
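
The following audit script is an added example, not part of the original report and not initramfs-tools code. It lists the entries in a staging tree that other local users can still reach: closed directories are pruned, so a file at the root of the tree is reported while a file below a UMASK-protected directory is not. The sample tree, its file names and its modes are constructed to mirror the layout described above, and `-perm /077` assumes GNU find.

```shell
#!/bin/sh
# Added example: audit a mkinitramfs-style staging tree for entries other
# local users can reach. Paths and modes below are constructed.

# Print entries under $1 that carry any group/other permission bit and are
# not hidden behind a directory closed to group/other. Closed directories
# are pruned: nothing beneath them is reachable, whatever its own mode.
# Assumes a find that supports "-perm /MODE" (GNU findutils).
audit_staging() {
    find "$1" -type d ! -perm /077 -prune -o ! -type l -perm /077 -print
}

# Number of exposed entries under $1.
count_exposed() {
    audit_staging "$1" | wc -l | tr -d ' '
}

# Build a constructed tree with the layout the report describes and print
# its path: open top-level dir, subdirectories created under umask 077,
# files keeping mode 0644.
make_sample_tree() {
    base=$(mktemp -d) || return 1
    top="$base/mkinitramfs_SAMPLE"
    mkdir "$top" && chmod 755 "$top"
    ( umask 077 && mkdir -p "$top/etc/keys" )
    printf 'constructed\n' > "$top/etc/keys/disk.key"
    printf 'constructed\n' > "$top/cryptroot.key"
    chmod 644 "$top/etc/keys/disk.key" "$top/cryptroot.key"
    printf '%s\n' "$top"
}

# Stand-alone use: audit the directory given as the first argument.
if [ "$#" -gt 0 ]; then
    audit_staging "$1"
fi
```

On the sample tree the script reports the top-level directory and `cryptroot.key`; after `chmod 700` on the top-level directory it reports nothing.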

