
Bug#417995: initramfs-tools: lets ordinary users read the root filesystem's raw block device



Package: initramfs-tools
Version: 0.85f
Severity: critical
Tags: security patch
Justification: root security hole

A system that was booted from an initramfs created by initramfs-tools has
the following device node in the booted system's /dev:

| brw-r--r-- 1 root root 3, 7 Apr  6 00:38 /dev/root

This allows ordinary users to read the raw root filesystem, i.e.,
its block device. Bypassing the normal filesystem access restrictions
with this becomes easy through, e.g., /sbin/debugfs from e2fsprogs,
a "Priority: required" package. After reading /etc/shadow, passwords of
other accounts on the system may be cracked. Other authentication data
often is even unencrypted, like the boot loader password from
/etc/lilo.conf, which allows a local attacker to reboot with, e.g.,
init=/bin/bash, and take full control of the system.  </blah>

The device node is created prior to mounting the root filesystem, by a
script shared between initramfs generator and generated initramfs.
klibc-utils' mknod doesn't seem to support passing permissions on the
command line, so umask or chmod would be needed. For "BUSYBOX=y" in
/etc/initramfs-tools/initramfs.conf, after applying the following patch,
running "update-initramfs -u" and rebooting, the device node's permissions
are sane:

| brw------- 1 root root 3, 7 Apr  6 00:50 /dev/root

--- /usr/share/initramfs-tools/scripts/functions.orig
+++ /usr/share/initramfs-tools/scripts/functions
@@ -231,6 +231,7 @@
 		;;
 	esac
 
 	mknod /dev/root b ${major} ${minor}
+	chmod go-rw /dev/root
 	ROOT=/dev/root
 }
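Review bot: the added `chmod go-rw /dev/root` runs only after `mknod /dev/root b ${major} ${minor}` has already created the node with the default mode, and the report states it was verified with BUSYBOX=y only. Setting a restrictive umask before the mknod (for example `umask 077`, restored afterwards) would create the node with its final permissions in one step and would not depend on whether a chmod binary is available in the initramfs.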


-- Package-specific info:
-- /proc/cmdline
auto BOOT_IMAGE=debian ro root=307 resume=/dev/hda4

-- /proc/filesystems
	cramfs
	ext3

-- kernel-img.conf
# Kernel Image management overrides
# See kernel-img.conf(5) for details
do_symlinks = Yes
do_initrd = Yes


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages initramfs-tools depends on:
ii  busybox-cvs-static            20040623-1 Standalone rescue shell with tons 
ii  cpio                          2.6-17     GNU cpio -- a program to manage ar
ii  klibc-utils                   1.4.34-1   small statically-linked utilities 
ii  module-init-tools             3.3-pre4-2 tools for managing Linux kernel mo
ii  udev                          0.105-4    /dev/ and hotplug management daemo

initramfs-tools recommends no packages.

-- no debconf information
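
The exposure described in the report can be checked for from a directory listing. The following is an added example, not part of the original report or of initramfs-tools: it classifies `ls -l` lines for block device nodes by who besides the owner can access them. The function names and the last two sample lines are constructed for illustration; the first two sample lines are the listings quoted in the report.

```shell
#!/bin/sh
# Added example: classify block device nodes from `ls -l` output.
# Verdicts: EXPOSED = "other" has read or write access,
#           GROUP   = group has read or write access, "other" has none,
#           OK      = owner only.
# Assumption: paths do not contain spaces.

classify_block_nodes() {
    while read -r mode _links owner group rest; do
        case "$mode" in
            b?????????*) ;;      # block device (trailing + or . allowed)
            *) continue ;;       # skip char devices, symlinks, "total" lines
        esac
        path=${rest##* }                          # last field of the line
        grp=$(printf '%s' "$mode" | cut -c5-6)    # group read/write bits
        oth=$(printf '%s' "$mode" | cut -c8-9)    # other read/write bits
        if [ "$oth" != "--" ]; then
            verdict=EXPOSED
        elif [ "$grp" != "--" ]; then
            verdict=GROUP
        else
            verdict=OK
        fi
        printf '%s %s %s:%s %s\n' "$verdict" "$mode" "$owner" "$group" "$path"
    done
}

# Sample input: lines 1-2 are the listings quoted in the report,
# lines 3-4 are constructed for this example.
sample_listing() {
    cat <<'EOF'
brw-r--r-- 1 root root 3, 7 Apr  6 00:38 /dev/root
brw------- 1 root root 3, 7 Apr  6 00:50 /dev/root
brw-rw---- 1 root disk 3, 0 Apr  6 00:50 /dev/hda
crw-rw-rw- 1 root root 1, 3 Apr  6 00:50 /dev/null
EOF
}

sample_listing | classify_block_nodes
```

On a live system, `ls -l /dev | classify_block_nodes` produces the same kind of report for the nodes actually present.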
--- /usr/share/initramfs-tools/scripts/functions.orig	2006-08-19 16:06:20.000000000 +0200
+++ /usr/share/initramfs-tools/scripts/functions	2007-04-06 00:43:35.000000000 +0200
@@ -231,6 +231,7 @@
 		;;
 	esac
 
 	mknod /dev/root b ${major} ${minor}
+	chmod go-rw /dev/root
 	ROOT=/dev/root
 }
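Review bot: `chmod go-rw /dev/root` is a relative mode change and its exit status is ignored, so the resulting permissions depend on the mode mknod produced, and a failed chmod leaves the node unchanged while `ROOT=/dev/root` is still set. An absolute mode such as `chmod 0600 /dev/root`, with a warning or abort when it fails, would make the outcome independent of the umask in effect.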
