Your message dated Fri, 22 Jun 2007 22:17:06 +0000
with message-id <E1I1rRC-0000qw-6o@ries.debian.org>
and subject line Bug#269661: fixed in jack-audio-connection-kit 0.103.0-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jackd: Totally flawed capability handling
- From: Martin Pitt <martin@piware.de>
- Date: Thu, 2 Sep 2004 20:42:13 +0200
- Message-id: <20040902184213.GA31847@box79162.elkhouse.de>
Package: jackd
Version: 0.98.1-5
Severity: normal
Tags: patch

Hi!

While doing a security audit of suid programs, I stumbled over jackstart; its handling and understanding of capabilities is horrible (needs a kernel patch and does dangerous things), so I prepared an updated package which sanitizes this. Now it is possible to get realtime scheduling on a standard kernel and the implementation is much safer.

Here is the security report that I prepared for my Company:

---------------------- snip -----------------------

Current implementation:

1. jackstart is suid root and executable for any user in the group 'audio', thus at start it has full root privileges
2. check whether jackstart has all capabilities necessary for jackd (CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_IPC_LOCK) plus CAP_SETPCAP (!). If one capability is missing, the program exits with an error message.
3. does some checks on the binary to verify correct permissions and owner
4. fork
5. child: drop uid/gid to calling user, execute jackd
6. parent: give above capabilities to the child process (which is jackd now), including CAP_SETPCAP (jackd needs this to give capabilities also to its forked children)

Analysis:

This approach is totally broken. First, the kernel is usually compiled not to give CAP_SETPCAP to _any_ process (which is very sensible), so jackstart fails at step 2 and thus is useless. If the kernel actually gave CAP_SETPCAP to processes, the above approach would be highly dangerous since CAP_SETPCAP is given to the jackd processes, which could be exploited for all sorts of bad things.

Conclusion:

The current version of jackstart is useless or unsafe and thus should be dropped completely.

Solution:

jackd itself should be suid root, do the necessary privileged operations (allocating locked memory (IPC_LOCK), set process priority (SYS_NICE), and whatever it needs SYS_RESOURCE for) and then drop back to the calling user without keeping _any_ capabilities.

It is not immediately clear why jackd needs SYS_RESOURCE. None of the function calls mentioned in the relevant capabilities(7) manpage occur anywhere in the code. jackd runs fine (of course without realtime scheduling) as a normal unprivileged user, but a person familiar with jack usage should comment on this.

---------------------- snip -----------------------

Here is the changelog of the updated package:

jack-audio-connection-kit (0.98.1-3ubuntu2) warty; urgency=low

  * added patch 08_fix_capabilities.diff: The original implementation relies on CAP_SETPCAP which is normally not present in the kernel and _highly_ dangerous. This patch does not need the insane jackstart any more; jackd is started as suid root directly, keeps the necessary capabilities and drops its uid to the calling user.
  * debian/rules: delete original jackstart, symlink it to jackd, install jackd as root:audio 4755
  * debian/jackd.README.Debian: updated to describe the new semantics
  * debian/control: fixed multi-line Build-Depends field

The patch [1] is minimally intrusive; it leaves a lot of code that is actually not required any more. I suggest forwarding this to upstream; they should completely overhaul this stuff. The patch is against our Company's current version, but it also applies to the current sid version (it just fails on the Debian changelog).

Thanks for considering and have a nice day!

Martin

[1] http://fixit.for.debian.no-name-yet.com/patches/jack-audio-connection-kit.fix-capabilities.diff

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1-amd
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro

Versions of packages jackd depends on:
ii  libc6            2.3.2.ds1-16  GNU C Library: Shared libraries an
ii  libcap1          1:1.10-14     support for getting/setting POSIX.
ii  libjack0.80.0-0  0.98.1-5      JACK Audio Connection Kit (librari
ii  libreadline4     4.3-11        GNU readline and history libraries
ii  libsndfile1      1.0.10-1      Library for reading/writing audio

-- no debconf information

--
Martin Pitt                       Debian GNU/Linux Developer
martin@piware.de                  mpitt@debian.org
http://www.piware.de              http://www.debian.org

Attachment: signature.asc
Description: Digital signature
--- End Message ---
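The pattern the report recommends for the server itself (be suid root, do the privileged work first, then drop to the calling user keeping no capabilities, and verify the drop) as an added C example. This is not code from the bug report, the linked patch or the JACK project; the function names, the sample priority value and the use of plain setuid()/setgid() plus prctl() instead of libcap are this example's own choices. Only IPC_LOCK and SYS_NICE work is done, matching the report's observation that jackd has no visible need for SYS_RESOURCE.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

/* Bit flags returned by acquire_realtime_resources(). */
#define GOT_MEMLOCK  1
#define GOT_REALTIME 2

/* Step 1 (still root): the two operations the report says jackd really needs
 * privilege for.  Either may fail when run unprivileged (EPERM / ENOMEM); that
 * is reported, not fatal, so the program still works without realtime
 * scheduling, just as the report says jackd does. */
int acquire_realtime_resources(int rt_priority)
{
    int got = 0;

    /* CAP_IPC_LOCK (or a large enough RLIMIT_MEMLOCK) lets us pin memory. */
    if (mlockall(MCL_CURRENT) == 0)
        got |= GOT_MEMLOCK;
    else
        fprintf(stderr, "mlockall: %s\n", strerror(errno));

    /* CAP_SYS_NICE (or a non-zero RLIMIT_RTPRIO) lets us use SCHED_FIFO. */
    struct sched_param sp;
    memset(&sp, 0, sizeof sp);
    sp.sched_priority = rt_priority;
    if (sched_setscheduler(0, SCHED_FIFO, &sp) == 0)
        got |= GOT_REALTIME;
    else
        fprintf(stderr, "sched_setscheduler: %s\n", strerror(errno));

    return got;
}

/* Step 2: become the calling user for good, keeping no capabilities.
 * Order matters: supplementary groups and gid first (they need root), uid
 * last.  With euid 0, setgid()/setuid() set the real, effective AND saved
 * ids, so no saved root id remains to switch back to.
 * Returns 0 on success, -1 (errno set) on failure. */
int drop_to_user(uid_t uid, gid_t gid)
{
    /* Permitted capabilities are cleared on a root -> non-root uid change by
     * default; KEEPCAPS=0 states that intent explicitly. */
    if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) != 0)
        return -1;
    /* setgroups() needs CAP_SETGID, so only attempt it while we are root. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Neither this process nor anything it execs may regain privilege through
     * a setuid binary or file capabilities (Linux >= 3.5). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return 0;
}

/* Step 3: verify the drop instead of trusting it.  Returns 1 only if the real
 * and effective ids are the target and, for a non-root target, switching back
 * to root is refused. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)   /* success here means a saved root uid survived */
        return 0;
    return 1;
}

int main(void)
{
    uid_t caller = getuid();   /* real uid: the user who ran the suid binary */
    gid_t caller_gid = getgid();
    int got = acquire_realtime_resources(10);   /* 10 is an arbitrary sample priority */

    if (drop_to_user(caller, caller_gid) != 0 ||
        !privileges_dropped(caller, caller_gid)) {
        fprintf(stderr, "privilege drop failed, refusing to run\n");
        return 1;
    }
    printf("uid %u gid %u, memlock=%d realtime=%d\n",
           (unsigned)caller, (unsigned)caller_gid,
           (got & GOT_MEMLOCK) != 0, (got & GOT_REALTIME) != 0);
    return 0;
}
```

Installed as root:audio 4755 this gives the same result the report's patch aims for: the privileged calls happen before the drop, and after it the process holds nothing a compromised client could use, in contrast to handing CAP_SETPCAP to a child. Run as an ordinary user the privileged calls simply fail and the program carries on unprivileged.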
--- Begin Message ---
- To: 269661-close@bugs.debian.org
- Subject: Bug#269661: fixed in jack-audio-connection-kit 0.103.0-6
- From: Free Ekanayaka <freee@debian.org>
- Date: Fri, 22 Jun 2007 22:17:06 +0000
- Message-id: <E1I1rRC-0000qw-6o@ries.debian.org>
Source: jack-audio-connection-kit
Source-Version: 0.103.0-6

We believe that the bug you reported is fixed in the latest version of jack-audio-connection-kit, which is due to be installed in the Debian FTP archive:

jack-audio-connection-kit_0.103.0-6.diff.gz
  to pool/main/j/jack-audio-connection-kit/jack-audio-connection-kit_0.103.0-6.diff.gz
jack-audio-connection-kit_0.103.0-6.dsc
  to pool/main/j/jack-audio-connection-kit/jack-audio-connection-kit_0.103.0-6.dsc
jackd_0.103.0-6_amd64.deb
  to pool/main/j/jack-audio-connection-kit/jackd_0.103.0-6_amd64.deb
libjack-dev_0.103.0-6_amd64.deb
  to pool/main/j/jack-audio-connection-kit/libjack-dev_0.103.0-6_amd64.deb
libjack0.100.0-0_0.103.0-6_all.deb
  to pool/main/j/jack-audio-connection-kit/libjack0.100.0-0_0.103.0-6_all.deb
libjack0.100.0-dev_0.103.0-6_all.deb
  to pool/main/j/jack-audio-connection-kit/libjack0.100.0-dev_0.103.0-6_all.deb
libjack0_0.103.0-6_amd64.deb
  to pool/main/j/jack-audio-connection-kit/libjack0_0.103.0-6_amd64.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 269661@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Free Ekanayaka <freee@debian.org> (supplier of updated jack-audio-connection-kit package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 28 May 2007 14:13:09 +0200
Source: jack-audio-connection-kit
Binary: libjack0 libjack0.100.0-dev libjack-dev libjack0.100.0-0 jackd
Architecture: source amd64 all
Version: 0.103.0-6
Distribution: unstable
Urgency: low
Maintainer: Debian Multimedia Team <debian-multimedia@lists.debian.org>
Changed-By: Free Ekanayaka <freee@debian.org>
Description:
 jackd      - JACK Audio Connection Kit (server and example clients)
 libjack-dev - JACK Audio Connection Kit (development files)
 libjack0   - JACK Audio Connection Kit (libraries)
 libjack0.100.0-0 - JACK Audio Connection Kit (libraries)
 libjack0.100.0-dev - JACK Audio Connection Kit (libraries)
Closes: 269661 425180 425265 426144
Changes:
 jack-audio-connection-kit (0.103.0-6) unstable; urgency=low
 .
   * debian/jackd.README.Debian:
     - added note about using PAM to grant jack realtime privileges (Closes: #425180, #269661)
     - added note about using the realtime-preempt patch
   * debian/control:
     - added libpam-modules to Recommends:
     - moved qjackctl from Suggests: to Recommends:
   * debian/rules:
     - pass --enable-static=yes to ./configure (Closes: #425265)
     - don't enable -m3dnow and -msse on i386 (Closes: #426144)
   * rebuilt against flac 1.1.4 (Closes: #426648)
Files:
 6a9eb8f2f09f606685eeba5e37bcc075 1527 sound optional jack-audio-connection-kit_0.103.0-6.dsc
 2c0387419a2bccf6d14be31209346645 28512 sound optional jack-audio-connection-kit_0.103.0-6.diff.gz
 ff73d4aa763080c1bc8c781f0f9793d7 12614 libs optional libjack0.100.0-0_0.103.0-6_all.deb
 ba3e504362553baad865801bdb25db45 12622 libs optional libjack0.100.0-dev_0.103.0-6_all.deb
 da94caf1e53a2ef2ae2ffb70b613ab97 101036 sound optional jackd_0.103.0-6_amd64.deb
 5db5bf156bebd3727ccceb309d546f1a 95374 libs optional libjack0_0.103.0-6_amd64.deb
 299b594e073dfb15598a3f64037d541a 170070 libdevel optional libjack-dev_0.103.0-6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGfEescanJGlcVnlkRAuUHAJ0eYinKdXH8O8rNJqOqNFEgavFMrwCdEvKB
BkCbKfvn6mXK7NhmSeCLbMw=
=6AsW
-----END PGP SIGNATURE-----
--- End Message ---