Your message dated Fri, 06 Apr 2007 07:47:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#417995: fixed in initramfs-tools 0.85g
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: initramfs-tools
Version: 0.85f
Severity: critical
Tags: security patch
Justification: root security hole
A system that was booted from an initramfs created by initramfs-tools has
the following device node in the booted system's /dev:

| brw-r--r-- 1 root root 3, 7 Apr 6 00:38 /dev/root

This allows ordinary users to read the raw root filesystem, i.e.,
its block device. Bypassing the normal filesystem access restrictions
with this becomes easy through, e.g., /sbin/debugfs from e2fsprogs,
a "Priority: required" package. After reading /etc/shadow, passwords of
other accounts on the system may be cracked. Other authentication data
often is even unencrypted, like the boot loader password from
/etc/lilo.conf, which allows a local attacker to reboot with, e.g.,
init=/bin/bash, and take full control of the system. </blah>

The device node is created prior to mounting the root filesystem, by a
script shared between initramfs generator and generated initramfs.
klibc-utils' mknod doesn't seem to support passing permissions on the
command line, so umask or chmod would be needed. For "BUSYBOX=y" in
/etc/initramfs-tools/initramfs.conf, after applying the following patch,
running "update-initramfs -u" and rebooting, the device node's permissions
are sane:

| brw------- 1 root root 3, 7 Apr 6 00:50 /dev/root
--- /usr/share/initramfs-tools/scripts/functions.orig
+++ /usr/share/initramfs-tools/scripts/functions
@@ -231,6 +231,7 @@
;;
esac
mknod /dev/root b ${major} ${minor}
+ chmod go-rw /dev/root
ROOT=/dev/root
}
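
Review bot: the added `chmod go-rw /dev/root` runs only after `mknod /dev/root b ${major} ${minor}` has already created the node with its default mode, so the node is group- and world-readable for the interval between the two commands. Setting `umask 077` before the mknod (the report itself names umask as an option) would create the node restricted from the start; restore the previous umask afterwards if the rest of the function relies on it.
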
-- Package-specific info:
-- /proc/cmdline
auto BOOT_IMAGE=debian ro root=307 resume=/dev/hda4
-- /proc/filesystems
cramfs
ext3
-- kernel-img.conf
# Kernel Image management overrides
# See kernel-img.conf(5) for details
do_symlinks = Yes
do_initrd = Yes
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Versions of packages initramfs-tools depends on:
ii busybox-cvs-static 20040623-1 Standalone rescue shell with tons
ii cpio 2.6-17 GNU cpio -- a program to manage ar
ii klibc-utils 1.4.34-1 small statically-linked utilities
ii module-init-tools 3.3-pre4-2 tools for managing Linux kernel mo
ii udev 0.105-4 /dev/ and hotplug management daemo
initramfs-tools recommends no packages.
-- no debconf information
--- /usr/share/initramfs-tools/scripts/functions.orig 2006-08-19
16:06:20.000000000 +0200
+++ /usr/share/initramfs-tools/scripts/functions 2007-04-06
00:43:35.000000000 +0200
@@ -231,6 +231,7 @@
;;
esac
mknod /dev/root b ${major} ${minor}
+ chmod go-rw /dev/root
ROOT=/dev/root
}
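
Review bot: `chmod go-rw /dev/root` is a relative mode, so the resulting permissions depend on whatever mknod produced; an absolute `chmod 600 /dev/root` would state the intended result directly and match the `brw-------` listing shown in the report. The exit status of chmod is also not checked in this hunk, so a failure would leave the node readable without any message during boot.
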
--- End Message ---
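
The permission problem described in the report above, turned into a check; this is an added example, not part of the original report or of initramfs-tools. It is a POSIX shell audit that classifies block device nodes by who can read or write them, run over the two `ls -l` lines quoted in the report plus one constructed non-device line. The function names are hypothetical, and paths containing spaces are not handled.

```sh
#!/bin/sh
# Added example: flag block device nodes that group or other can read/write.

# classify_mode MODE -> prints world | group | ok | skip
# MODE is an ls-style mode string such as "brw-r--r--".
classify_mode() {
    case "$1" in
        b??????r*|b???????w*) echo world ;;  # "other" has r or w
        b???r*|b????w*)       echo group ;;  # only "group" has r or w
        b*)                   echo ok ;;     # owner-only block device
        *)                    echo skip ;;   # not a block device
    esac
}

# audit_listing: read `ls -l` lines on stdin and print "<class> <path>"
# for every block device that is not owner-only. The path is taken as
# the last whitespace-separated field.
audit_listing() {
    while read -r mode rest; do
        class=$(classify_mode "$mode")
        case "$class" in
            world|group) printf '%s %s\n' "$class" "${rest##* }" ;;
        esac
    done
}

# audit_dir DIR: the same check against live nodes under DIR (default /dev).
audit_dir() {
    find "${1:-/dev}" -type b -exec ls -ld {} + 2>/dev/null | audit_listing
}

# The two listings quoted in the report (before and after the patch),
# plus one constructed regular-file line for contrast.
sample_listing() {
    cat <<'EOF'
brw-r--r-- 1 root root 3, 7 Apr 6 00:38 /dev/root
brw------- 1 root root 3, 7 Apr 6 00:50 /dev/root
-rw-r--r-- 1 root root 1024 Apr 6 00:38 /etc/passwd
EOF
}

sample_listing | audit_listing
```

On a running system, `audit_dir /dev` applies the same classification to the real nodes; entries reported as `group` need a look at which group owns them before they are treated as a finding.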
--- Begin Message ---
Source: initramfs-tools
Source-Version: 0.85g
We believe that the bug you reported is fixed in the latest version of
initramfs-tools, which is due to be installed in the Debian FTP archive:
initramfs-tools_0.85g.dsc
to pool/main/i/initramfs-tools/initramfs-tools_0.85g.dsc
initramfs-tools_0.85g.tar.gz
to pool/main/i/initramfs-tools/initramfs-tools_0.85g.tar.gz
initramfs-tools_0.85g_all.deb
to pool/main/i/initramfs-tools/initramfs-tools_0.85g_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
maximilian attems <[EMAIL PROTECTED]> (supplier of updated initramfs-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 6 Apr 2007 09:19:13 +0200
Source: initramfs-tools
Binary: initramfs-tools
Architecture: source all
Version: 0.85g
Distribution: unstable
Urgency: high
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: maximilian attems <[EMAIL PROTECTED]>
Description:
initramfs-tools - tools for generating an initramfs
Closes: 417995
Changes:
initramfs-tools (0.85g) unstable; urgency=high
.
* SECURITY scripts/functions: Set permission of created root dev in
parse_numeric() to 600. This bug only affects lilo boots. Thanks
Fabian Pietsch <[EMAIL PROTECTED]> and Goswin von Brederlow
<[EMAIL PROTECTED]> for patch input. (closes: 417995)
.
* debian/control: Change Uploaders email.
Files:
8eb3dfb6409c309f1ab82d4b18cfcfe3 621 utils optional initramfs-tools_0.85g.dsc
f890e42cd4aa92f11bb2e01602d0ee34 56936 utils optional initramfs-tools_0.85g.tar.gz
bbb6620b5d6c629aeb501bdad20c37c4 63290 utils optional initramfs-tools_0.85g_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGFfUheW7Lc5tEHqgRAltiAJ9e9VLSkdUAZvH/BMr7Qt8i7yjWFQCgnOQs
K8u30fokWDXJFoiE/3vfWAQ=
=6Iah
-----END PGP SIGNATURE-----
--- End Message ---