I reviewed dbconfig-common 2.0.25 as checked into questing. This shouldn't
be considered a full audit but rather a quick gauge of maintainability. The
package was already included in main on older releases but never went
through a security review.
dbconfig-common is a helper package which provides other debian packages
with a simpler way of managing databases.
- CVE History
- There was one security issue in the past.
- https://security-tracker.debian.org/tracker/TEMP-0805638-5AC56F
- The security issue was not assigned a CVE. This could be problematic
for future security issues as they become harder to track if CVEs are
not assigned to them.
- The vulnerability itself was related to a database backup of psql
being created before the `umask` call, making the database world
readable.
- Build-Depends
- Normal build depends, mostly doc related.
- pre/post inst/rm scripts
- Has a preinst script.
- Creates a dbc.log file with permissions 600.
- Has a postinst script.
- This seems to set two configuration options from db_get
- "remember-admin-pass" with a value of true or false, whether admin
passwords should be cached in debconf
- If this is set to true, it seems like the package has a
dbc_postinst_cleanup function that cleans up the credentials
after install (postinst) in ./dpkg/common, which runs in
./dpkg/postinst.
- "remote_questions_default" with a value of true or false, whether
to raise the priority of questions raised by debconf for remote
servers.
- The default value for both of these options seems to be false with
a lower priority. The user would be able to set a different value
with debconf (dpkg-reconfigure).
- Has a postrm script.
- This seems to purge configuration files/logs/etc.
- Has many other different pre/post inst/rm scripts in the ./dpkg
directory of the package's source. These seem to be the helper scripts
used by other packages to simplify their database setup.
- preinst
- Does nothing. It seems like in order for dbconfig-common package to
do something it needs pre-dependencies. Most things seem to happen
in the postinst script.
- postinst
- This seems to configure the database for the package implementing
dbconfig-common.
- As part of the reconfiguration, the package dumps the database
of the other package (if it exists) into a temporary file as a
backup, empties the database, creates a new one, and then
repopulates it.
- When the temporary database file is created, it is created with
600 permissions (as this is run with `sudo dpkg-reconfigure` this
would be ran by root, making it not world readable).
- This also happens during the upgrade process
(`sudo apt upgrade` or `sudo do-release-upgrade`), and in the
prerm script for the other package.
- Seems to be fine.
- prerm
- This seems to be a helper script with removing the database during
package removal. If the user chooses to, the database will be
purged, but not before being backed up into a temporary file with
600 permissions (same logic as postinst script).
- postrm
- Removes the configuration files and unregisters the helper
templates from the other package provided by dbconfig-common.
- Each of these has a separate version for each database type supported
(sqlite3, mysql, psql). However, the only thing that it does is set
the `dbc_hardcoded_dbtype` variable to the respective database type
before sourcing the general pre/post inst/rm script.
- The scripts also use the ./dpkg/common script to source some
variables and functions
- One function, called dbc_write_package_config, writes the database
password to configuration as part of the setup for a database. This
is done first in a temporary file with `mktemp` command, and
afterwards gets passed to the `ucf` command to fill the
configuration. The `mktemp` command creates files with 600
permissions, and as the process is executed as root from the `apt`
installation command, this is not world readable, despite the
temporary file names being somewhat predictable
(`dbconfig-package-config.XXXXXX`). The file then gets passed as
configuration with the same 600 permissions, so it seems that at no
point the password is world readable, with only root having access.
- The password is stored in cleartext, even if the file ultimately
has 600 permissions. This is likely so that the user does not
have to input the password every time for accessing the database.
- Overall there don't seem to be any issues with the script.
- All of these seem to be opt-in by the user. If the user has
`dbconfig-no-thanks` installed then they are not given any assistance
with their database configuration from the package.
- init scripts
- None
- systemd units
- None
- dbus services
- None
- setuid binaries
- None
- binaries in PATH
- ./usr/sbin/dbconfig-generate-include
- Not a binary but a shell script.
- Seems to generate a configuration file based on the input language
(php/perl/cpp/etc)
- ./usr/sbin/dbconfig-load-include
- Not a binary but a shell script.
- Seems to load a configuration file based on the input language.
- sudo fragments
- None
- polkit files
- None
- udev rules
- None
- unit tests / autopkgtests
- Does not have build-time unit tests. Has autopkgtests, which seem to be
rather extensive.
- cron jobs
- None
- Build logs
- There don't seem to be any issues. Many lintian errors/warnings, but
these are for example scripts and docs.
- Processes spawned
- None
- Memory management
- None
- File IO
- Seems to be managed fine as described above, with proper permissions.
- Logging
- Logging seems fine. The package logs through printf functions and also
stores the logs in a file (`/var/log/dbconfig-common/dbc.log`). The log
file is owned by root with 600 permissions as well.
- Environment variable usage
- None
- Use of privileged functions
- There are a couple of chown and chmod calls in the
./dbconfig-generate-include file which allows the user running the
program to set the permissions for the final generated file. The final
output file is first created with `mktemp`.
- Other chown and chmod calls exist in the sqlite and psql specific
configuration scripts. They seem to happen right after creating a new
database or configuration files. File creation in this case is either
the pattern of `umask` > `touch` > `chown` or `touch` > `chmod`. The
umask value is 0066, with chmod being 600.
- Use of cryptography / random number sources etc
- None
- Use of temp files
- Creates temp files with `mktemp` as mentioned previously. The
management of temporary files seems to be fine.
- As mentioned previously in the pre/post inst/rm section, some of the
operations involve backing up the database to a temporary file. The
backups don't seem to be cleared, and when backing up large databases
care has to be put in ensuring that the disk has enough storage in
order to store the database backup. This does not seem to be managed
by the application, and therefore in some cases manual intervention is
required in, for example, clearing out the database backups from /tmp.
- Use of networking
- None
- Use of WebKit
- None
- Use of PolicyKit
- None
- Any significant shellcheck results
- Most results are in test and example files, without any significant
findings in other parts of the code. No issues here.
- Any significant Semgrep results
- None
Overall, the codebase looks clean and maintainable. The code is properly
commented, albeit lacking some comments in the internal functions, but
it is easy to read and to understand. There are some aspects that could
potentially be problematic, such as storing database passwords in
plaintext, but these passwords would need to be stored in plaintext to be
accessible by applications for storage/configuration. The package seems to
utilize permissions properly, making extensive use of `mktemp`, with
proper restrictive permissions by default.
The only potential problem is the security updates, as the only security
update did not receive a CVE. This could make it harder to track, and
should be considered in case other security issues are discovered.
Security team ACK for promoting dbconfig-common to main.
** Changed in: dbconfig-common (Ubuntu)
Status: New => In Progress
** Changed in: dbconfig-common (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2115647
Title:
[MIR] dbconfig-common
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbconfig-common/+bug/2115647/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
