
Bug#269661: marked as done (jackstart depends on a kernel with working CAP_SETCAP)



Your message dated Fri, 22 Jun 2007 22:17:06 +0000
with message-id <E1I1rRC-0000qw-6o@ries.debian.org>
and subject line Bug#269661: fixed in jack-audio-connection-kit 0.103.0-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: jackd
Version: 0.98.1-5
Severity: normal
Tags: patch

Hi!

While doing a security audit of suid programs, I stumbled over
jackstart; its handling and understanding of capabilities is horrible
(needs a kernel patch and does dangerous things), so I prepared an
updated package which sanitizes this. Now it is possible to get
realtime scheduling on a standard kernel and the implementation is
much safer.

Here is the security report that I prepared for my Company:

---------------------- snip -----------------------
Current implementation:

1. jackstart is suid root and executable for any user in the group 'audio',
   thus at start it has full root privileges
2. check whether jackstart has all capabilities necessary for jackd
   (CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_IPC_LOCK) plus CAP_SETPCAP (!). If one
   capability is missing, the program exits with an error message.
3. does some checks on the binary to verify correct permissions and owner
4. fork
5. child: drop uid/gid to calling user, execute jackd
6. parent: give above capabilities to the child process (which is jackd
   now), including CAP_SETPCAP (jackd needs this to give capabilities also to its
   forked children)

Analysis:

This approach is totally broken. First, the kernel is usually compiled not to
give CAP_SETPCAP to _any_ process (which is very sensible), so jackstart fails
at step 2 and thus is useless.

If the kernel actually gave CAP_SETPCAP to processes, the above approach would be
highly dangerous since CAP_SETPCAP is given to the jackd processes, which could
be exploited for all sorts of bad things.

Conclusion: The current version of jackstart is useless or unsafe and thus
should be dropped completely.

Solution:

jackd itself should be suid root, do the necessary privileged operations
(allocating locked memory (IPC_LOCK), set process priority (SYS_NICE), and
whatever it needs SYS_RESOURCE for) and then drop back to the calling user
without keeping _any_ capabilities.

It is not immediately clear why jackd needs SYS_RESOURCE. None of the function
calls mentioned in the relevant capabilities(7) manpage occur anywhere in the
code. jackd runs fine (of course without realtime scheduling) as a normal
unprivileged user, but a person familiar with jack usage should comment on this.
---------------------- snip -----------------------

Here is the changelog of the updated package:

jack-audio-connection-kit (0.98.1-3ubuntu2) warty; urgency=low

  * added patch 08_fix_capabilities.diff: The original implementation relies
    on CAP_SETPCAP which is normally not present in the kernel and _highly_
    dangerous. This patch does not need the insane jackstart any more; jackd
    is started as suid root directly, keeps the necessary capabilities and drops
    its uid to the calling user.
  * debian/rules: delete original jackstart, symlink it to jackd, install
    jackd as root:audio 4755
  * debian/jackd.README.Debian: updated to describe the new semantics
  * debian/control: fixed multi-line Build-Depends field

The patch [1] is minimally intrusive; it leaves a lot of code that is
actually not required any more. I suggest forwarding this to upstream;
they should completely overhaul this stuff.

The patch is against our Company's current version, but it also applies
to the current sid version (it just fails on the Debian changelog).

Thanks for considering and have a nice day!

Martin

[1] http://fixit.for.debian.no-name-yet.com/patches/jack-audio-connection-kit.fix-capabilities.diff

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1-amd
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro

Versions of packages jackd depends on:
ii  libc6                       2.3.2.ds1-16 GNU C Library: Shared libraries an
ii  libcap1                     1:1.10-14    support for getting/setting POSIX.
ii  libjack0.80.0-0             0.98.1-5     JACK Audio Connection Kit (librari
ii  libreadline4                4.3-11       GNU readline and history libraries
ii  libsndfile1                 1.0.10-1     Library for reading/writing audio 

-- no debconf information

-- 
Martin Pitt                 Debian GNU/Linux Developer
martin@piware.de                      mpitt@debian.org
http://www.piware.de             http://www.debian.org



--- End Message ---
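The privilege model the report's "Solution" section asks for (do the privileged set-up as suid root, then fall back to the calling user with no capabilities kept), as an added example in C that is not Martin's patch or jackd's own code. `setup_realtime`, `privileges_dropped` and `drop_privileges` are names chosen here; the capability check reads the sets with capget(2) directly instead of libcap, and SYS_RESOURCE is left out because the report itself cannot say what it is needed for.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Privileged set-up jackd needs root (CAP_IPC_LOCK, CAP_SYS_NICE) for.
 * Bitmask result: 1 = memory locked, 2 = SCHED_FIFO granted; failure is
 * not fatal, jackd just runs without realtime scheduling. */
int setup_realtime(int prio)
{
    struct sched_param sp = { .sched_priority = prio };
    int ok = 0;
    if (mlockall(MCL_CURRENT | MCL_FUTURE) == 0)
        ok |= 1;
    if (sched_setscheduler(0, SCHED_FIFO, &sp) == 0)
        ok |= 2;
    return ok;
}

/* Verify the drop: all three uids equal and non-zero, setuid(0) refused,
 * permitted and effective capability sets empty (capget(2), no libcap). */
int privileges_dropped(void)
{
    uid_t r, e, s;
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    if (getresuid(&r, &e, &s) != 0 || r == 0 || r != e || e != s)
        return 0;
    if (setuid(0) == 0 || errno != EPERM)
        return 0;
    if (syscall(SYS_capget, &hdr, data) != 0)
        return 0;
    return data[0].permitted == 0 && data[0].effective == 0 &&
           data[1].permitted == 0 && data[1].effective == 0;
}

/* Drop permanently to the calling user: groups, then gid, then uid. Once all
 * three uids leave 0 the kernel clears every capability, so nothing is kept. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    return privileges_dropped() ? 0 : -1;
}
```

A suid jackd would call `setup_realtime` first and `drop_privileges(getuid(), getgid())` second; if the second call fails the daemon must exit rather than keep running as root.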
--- Begin Message ---
Source: jack-audio-connection-kit
Source-Version: 0.103.0-6

We believe that the bug you reported is fixed in the latest version of
jack-audio-connection-kit, which is due to be installed in the Debian FTP archive:

jack-audio-connection-kit_0.103.0-6.diff.gz
  to pool/main/j/jack-audio-connection-kit/jack-audio-connection-kit_0.103.0-6.diff.gz
jack-audio-connection-kit_0.103.0-6.dsc
  to pool/main/j/jack-audio-connection-kit/jack-audio-connection-kit_0.103.0-6.dsc
jackd_0.103.0-6_amd64.deb
  to pool/main/j/jack-audio-connection-kit/jackd_0.103.0-6_amd64.deb
libjack-dev_0.103.0-6_amd64.deb
  to pool/main/j/jack-audio-connection-kit/libjack-dev_0.103.0-6_amd64.deb
libjack0.100.0-0_0.103.0-6_all.deb
  to pool/main/j/jack-audio-connection-kit/libjack0.100.0-0_0.103.0-6_all.deb
libjack0.100.0-dev_0.103.0-6_all.deb
  to pool/main/j/jack-audio-connection-kit/libjack0.100.0-dev_0.103.0-6_all.deb
libjack0_0.103.0-6_amd64.deb
  to pool/main/j/jack-audio-connection-kit/libjack0_0.103.0-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 269661@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Free Ekanayaka <freee@debian.org> (supplier of updated jack-audio-connection-kit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 28 May 2007 14:13:09 +0200
Source: jack-audio-connection-kit
Binary: libjack0 libjack0.100.0-dev libjack-dev libjack0.100.0-0 jackd
Architecture: source amd64 all
Version: 0.103.0-6
Distribution: unstable
Urgency: low
Maintainer: Debian Multimedia Team <debian-multimedia@lists.debian.org>
Changed-By: Free Ekanayaka <freee@debian.org>
Description: 
 jackd      - JACK Audio Connection Kit (server and example clients)
 libjack-dev - JACK Audio Connection Kit (development files)
 libjack0   - JACK Audio Connection Kit (libraries)
 libjack0.100.0-0 - JACK Audio Connection Kit (libraries)
 libjack0.100.0-dev - JACK Audio Connection Kit (libraries)
Closes: 269661 425180 425265 426144
Changes: 
 jack-audio-connection-kit (0.103.0-6) unstable; urgency=low
 .
   * debian/jackd.README.Debian:
      - added note about using PAM to grant jack realtime
        privileges (Closes: #425180, #269661)
      - added note about using the realtime-preempt patch
   * debian/control:
      - added libpam-modules to Recommends:
      - moved qjackctl from Suggests: to Recommends:
   * debian/rules:
      - pass --enable-static=yes to ./configure (Closes: #425265)
      - don't enable -m3dnow and -msse on i386 (Closes: #426144)
   * rebuilt against flac 1.1.4 (Closes: #426648)
Files: 



--- End Message ---
