Your message dated Sat, 20 Nov 2010 13:54:58 +0000
with message-id <e1pjnu6-0003gp...@franck.debian.org>
and subject line Bug#548909: fixed in xen-tools 3.9-4+lenny1
has caused the Debian Bug report #548909,
regarding xen-tools: xen-create-image creates world readable disk image files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
548909: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548909
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xen-tools
Version: 3.9-4
Severity: grave
Tags: security
Justification: user security hole

I'm tagging this security, though common best practices would suggest that access
to the Dom0 should be severely restricted to begin with.

When xen-create-image is used to create a file-based DomU, the disk image files
will have world readable permissions on a typical system with default umask
settings.  This means that all accounts on the Dom0 will have full access to the data
on the DomU.  The fix is simply to alter createLoopbackImages() to chmod 0600 the
image files after they are created with dd and before the filesystem is initialized,
or simply to adjust the umask before running dd.

This problem exists in both the stable 3.9 version of xen-tools and the unstable 4.1
version.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-xen-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xen-tools depends on:
ii  debootstrap              1.0.10lenny1    Bootstrap a basic Debian system
ii  libconfig-inifiles-perl  2.39-5          Read .ini-style configuration file
ii  libtext-template-perl    1.44-1.2        Text::Template perl module
ii  perl-modules             5.10.0-19lenny2 Core Perl modules

Versions of packages xen-tools recommends:
ii  libexpect-perl             1.20-1        Expect.pm - Perl Expect interface
ii  reiserfsprogs              1:3.6.19-6    User-level tools for ReiserFS file
ii  rinse                      1.3-2         RPM installation environment
ii  xen-hypervisor-3.2-1-amd64 3.2.1-2.jd1   The Xen Hypervisor on AMD64
ii  xen-shell                  1.8-3         Console based Xen administration u
ii  xfsprogs                   2.9.8-1lenny1 Utilities for managing the XFS fil

xen-tools suggests no packages.

-- no debconf information



--- End Message ---
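As an added illustration, not xen-tools' own code: the unsafe pattern the report describes next to the umask 0077 fix that the lenny1 upload applies, written in POSIX shell rather than the tool's Perl. The image path, size and the 022 caller umask are constructed sample values.

```shell
#!/bin/sh
# Added example (not from xen-tools): show why a dd-created image inherits
# the caller's umask and how setting umask 0077 first closes the exposure.
set -eu

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Unsafe pattern: dd inherits the caller's umask (typically 022), so the
# image is created 0644 and every account on the Dom0 can read DomU data.
create_image_unsafe() {
  img=$1 size_mb=$2
  dd if=/dev/zero of="$img" bs=1M count=0 seek="$size_mb" 2>/dev/null
}

# Fixed pattern: set umask 0077 before dd so the image is born 0600.
# Running it in a subshell keeps the restrictive umask from leaking
# into whatever the caller does afterwards.
create_image_safe() {
  img=$1 size_mb=$2
  ( umask 0077 && dd if=/dev/zero of="$img" bs=1M count=0 seek="$size_mb" 2>/dev/null )
}

# Create one image each way under a constructed 022 umask and report modes.
demo() {
  dir=$(mktemp -d)
  ( umask 022 && create_image_unsafe "$dir/unsafe.img" 4 )
  ( umask 022 && create_image_safe "$dir/safe.img" 4 )
  echo "unsafe: $(file_mode "$dir/unsafe.img")  safe: $(file_mode "$dir/safe.img")"
  rm -rf "$dir"
}

demo
```

The sparse `count=0 seek=N` form only allocates metadata, so the check runs quickly; a real image build would fill the file as xen-create-image does.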
--- Begin Message ---
Source: xen-tools
Source-Version: 3.9-4+lenny1

We believe that the bug you reported is fixed in the latest version of
xen-tools, which is due to be installed in the Debian FTP archive:

xen-tools_3.9-4+lenny1.diff.gz
  to main/x/xen-tools/xen-tools_3.9-4+lenny1.diff.gz
xen-tools_3.9-4+lenny1.dsc
  to main/x/xen-tools/xen-tools_3.9-4+lenny1.dsc
xen-tools_3.9-4+lenny1_all.deb
  to main/x/xen-tools/xen-tools_3.9-4+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 548...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <a...@debian.org> (supplier of updated xen-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 19 Nov 2010 20:26:43 +0100
Source: xen-tools
Binary: xen-tools
Architecture: source all
Version: 3.9-4+lenny1
Distribution: stable
Urgency: low
Maintainer: Roland Stigge <sti...@antcom.de>
Changed-By: Axel Beckert <a...@debian.org>
Description: 
 xen-tools  - Tools to manage Debian XEN virtual servers
Closes: 548909
Changes: 
 xen-tools (3.9-4+lenny1) stable; urgency=low
 .
   * Set umask to 0077 before creating disk images (Closes: #548909)
     (Cherry-picked dfbf591 from master branch)




--- End Message ---
