genext2fs does not preserve file permissions in generated image
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
genext2fs (Debian) | Fix Released | Unknown | | |
genext2fs (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
Automatically imported from Debian bug report #341173 http://
In Debian Bug tracker #341173, Mikko Rapeli (mikko-rapeli-vtt) wrote : genext2fs | #1 |
In Debian Bug tracker #341173, Joey Hess (joeyh) wrote : reassign 340981 to save-logs | #2 |
# Automatically generated email from bts, devscripts version 2.9.8
reassign 340981 save-logs
In Debian Bug tracker #341173, Joey Hess (joeyh) wrote : reassign 340981 to cdebconf | #3 |
# Automatically generated email from bts, devscripts version 2.9.8
reassign 340981 cdebconf
In Debian Bug tracker #341173, Joey Hess (joeyh) wrote : reassign 340981 to debian-installer | #4 |
# Automatically generated email from bts, devscripts version 2.9.8
reassign 340981 debian-installer
In Debian Bug tracker #341173, Joey Hess (joeyh) wrote : Re: Bug#340981: debian-installer and world writable directories | #5 |
tag 340981 - sarge
clone 340981 -1
reassign -1 genext2fs
severity -1 serious
retitle -1 genext2fs does not preserve file permissions in generated image
merge 338262 338263 -1
reassign 340981 prebaseconfig
close 340981 1.10
Mikko Rapeli wrote:
> a) debian-installer root has very permissive directory permissions
> (ugo=rwx)
> b) prebaseconfig's 93save-install-log uses "cp -a" to copy
> /var/lib/cdebconf directory to /target/
>
> Part a) seems to have gotten some attention in Etch beta 1, but for
> reasons beyond my comprehension /var/lib/cdebconf among others is still
> world writable. I don't understand the functionality of d-i very well,
> but perhaps mkdir is used without a proper umask or -m 0775.
The permissions of the directory in cdebconf-udeb are ok, but those ok
permissions are corrupted by genext2fs during the initrd build process:
joey@dragon:
drwxr-xr-x 2 joey joey 4096 Nov 7 09:56 var/lib/cdebconf/
joey@dragon:
joey@dragon:
joey@dragon:
drwxrwxrwx 2 root root 1024 Dec 31 1969 /mnt/var/
In fact, every directory in this ext2 image is mode 777; every file is
mode 666 (or 777). That is a known genext2fs bug I see, with a recently
filed bug and a patch in the bts, but no other documentation of the
problem. Which could easily be construed as a security hole in its own
right since it leads directly to d-i's class of problem.
I haven't looked outside i386 to see if it affects other arches or not,
but it may well not affect some arches that use cramfs images and so on.
Or it might, if there are similar problems with the tools to generate
those images.
> Part b) could be fixed by using a stricter umask or plain cp instead of
> 'cp -a' in Sarge's 93save-install-log and Etch beta 1's 93save-debconf
> ( URL:
> http://
It was fixed in prebaseconfig 1.10, the current code just does:
cp /var/lib/
So etch beta 1 is not affected.
> The fact that a subdirectory within /var/log is world writable is a low
> risk security issue, since system logs may be DoS'ed by any user filling
> up the partition.
Surely any user could do the same with the logger command or a small
C program? There may be other theoretical exploit vectors beyond a DOS
though. debconf-
example.
If the security team wants to follow up on this for stable, it would be
easy to backport the fix. Releasing an advisory would require actually
putting the fixed package into stable (not security.d.o; d-i will not
find it there), as well as rebuilding all the CD images. Any advisory
about this should also include instructions for users who have already
installed (rm -rf /var/log/
fix ...
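The difference between the `cp -a` copy and the plain `cp` fix discussed in the comment above, as an added example that is not part of the original report or of prebaseconfig. It assumes GNU or busybox `cp` and `stat`; the directory layout and the file name `questions.dat` are constructed.

```shell
#!/bin/sh
# Added example: "cp -a" keeps the source's 0777/0666 modes, while plain
# "cp -r" creates the copies with the source mode masked by the umask.
# The file name questions.dat is constructed sample data.

# Print the octal permission bits of a path (GNU or busybox stat).
mode_of() {
    stat -c '%a' "$1"
}

# copy_and_report <cp-flag> <umask>
# Builds a world-writable source directory, copies it with the given cp
# flag under the given umask, and prints "<dir-mode> <file-mode>" of the copy.
copy_and_report() {
    work=$(mktemp -d) || return 1
    (
        umask 000                          # mimic the installer root (ugo=rwx)
        mkdir -p "$work/src/cdebconf"
        : > "$work/src/cdebconf/questions.dat"
        chmod 777 "$work/src/cdebconf"
        chmod 666 "$work/src/cdebconf/questions.dat"
    )
    (
        umask "$2"
        mkdir "$work/target"
        cp "$1" "$work/src/cdebconf" "$work/target/"
    )
    echo "$(mode_of "$work/target/cdebconf") $(mode_of "$work/target/cdebconf/questions.dat")"
    rm -rf "$work"
}

echo "cp -a, umask 022: $(copy_and_report -a 022)"   # 777 666
echo "cp -r, umask 022: $(copy_and_report -r 022)"   # 755 644
echo "cp -r, umask 077: $(copy_and_report -r 077)"   # 700 600
```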
Debian Bug Importer (debzilla) wrote : | #6 |
Automatically imported from Debian bug report #341173 http://
Debian Bug Importer (debzilla) wrote : | #7 |
Message-ID: <email address hidden>
Date: Sun, 27 Nov 2005 17:28:24 +0200
From: Mikko Rapeli <email address hidden>
To: <email address hidden>
CC: <email address hidden>
Subject: debian-installer and world writable directories
Package: debian-installer
Version: 20051026
Tags: security,sarge
debian-installer in Sarge leaves the directory
/var/log/
# ls -ld `locate debian-installer | grep cdebconf`
drwxrwxrwx 2 root root 4096 Sep 23 17:54
/var/log/
-rw-r--r-- 1 root root 49241 Sep 23 18:09
/var/log/
-rw-r--r-- 1 root root 3960367 Sep 23 18:09
/var/log/
This happens at least when debian-
install Sarge on my two hosts. The root of the problem seems to be twofold:
a) debian-installer root has very permissive directory permissions (ugo=rwx)
b) prebaseconfig's 93save-install-log uses "cp -a" to copy
/var/lib/cdebconf directory to /target/
Part a) seems to have gotten some attention in Etch beta 1, but for
reasons beyond my comprehension /var/lib/cdebconf among others is still
world writable. I don't understand the functionality of d-i very well,
but perhaps mkdir is used without a proper umask or -m 0775.
Part b) could be fixed by using a stricter umask or plain cp instead of
'cp -a' in Sarge's 93save-install-log and Etch beta 1's 93save-debconf
( URL:
http://
).
Unfortunately I'm unable to get d-i compiled at the moment, so I'm not
sure which specific fix works for sure and whether Etch has the same
problem.
The fact that a subdirectory within /var/log is world writable is a low
risk security issue, since system logs may be DoS'ed by any user filling
up the partition. It also seems to be against Debian policy 10.8 (
http://
I'm going to study d-i further, but perhaps you developers can already
fix this in the mean time. To me solving part a) is more natural to
Etch, since all d-i processes seem to run as root:root, so others don't
need any permissions on files or directories.
-Mikko
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Mon, 28 Nov 2005 12:04:26 +0200
From: Mikko Rapeli <email address hidden>
To: <email address hidden>
Subject: genext2fs
A newer version of genext2fs may preserve uid's, gid's and permissions
for files and directories so the ext2 initrd image wouldn't have o=rwx
any more.
http://
-Mikko
Debian Bug Importer (debzilla) wrote : | #9 |
Message-Id: <email address hidden>
Date: Mon, 28 Nov 2005 16:25:54 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: reassign 340981 to save-logs
Debian Bug Importer (debzilla) wrote : | #10 |
Message-Id: <email address hidden>
Date: Mon, 28 Nov 2005 16:32:58 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: reassign 340981 to cdebconf
Debian Bug Importer (debzilla) wrote : | #11 |
Message-Id: <email address hidden>
Date: Mon, 28 Nov 2005 17:04:20 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: reassign 340981 to debian-installer
Debian Bug Importer (debzilla) wrote : | #12 |
Message-ID: <email address hidden>
Date: Mon, 28 Nov 2005 17:40:53 -0500
From: Joey Hess <email address hidden>
To: Mikko Rapeli <email address hidden>, <email address hidden>,
<email address hidden>
Cc: <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: Bug#340981: debian-installer and world writable directories
In Debian Bug tracker #341173, Joey Hess (joeyh) wrote : severity of 341173 is normal, merging 341173 338262 338263 | #13 |
# Automatically generated email from bts, devscripts version 2.9.8
severity 341173 normal
merge 341173 338262 338263
Debian Bug Importer (debzilla) wrote : | #14 |
Message-Id: <email address hidden>
Date: Mon, 28 Nov 2005 18:48:38 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: severity of 341173 is normal, merging 341173 338262 338263
In Debian Bug tracker #341173, Mikko Rapeli (mikko-rapeli-vtt) wrote : genext2fs CVS version fixes this well | #15 |
I took the cvs version of genext2fs for a spin:
~/src/genext2fs
~/src/genext2fs
drwxr-xr-x 3 mikko mikko 1024 2005-11-29 12:06 foo/bar
~/src/genext2fs
~/src/genext2fs
/mnt/foo
~/src/genext2fs
drwxr-xr-x 3 mikko mikko 1024 2005-11-29 12:06 /mnt/foo/bar
~/src/genext2fs
/mnt/foo/bar:
total 1
drwxr-xr-x 2 mikko mikko 1024 2005-11-29 12:06 xyz
/mnt/foo/bar/xyz:
total 0
~/src/genext2fs
~/src/genext2fs
-d foo -b 1000 -r 0 /tmp/foo2.img
~/src/genext2fs
/mnt/foo
~/src/genext2fs
drwx------ 3 root root 1024 2005-11-29 12:06 /mnt/foo/bar
~/src/genext2fs
drwx------ 3 root root 1024 2005-11-29 12:06 /mnt/foo/bar
~/src/genext2fs
ls: /mnt/foo/bar/xyz: Permission denied
So the --squash* options seem very handy to debian-installer for
example. It's been a while since genext2fs 1.3 release so perhaps this
cvs version could be uploaded to unstable?
-Mikko
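The before/after comparison done by hand in the comment above can be scripted. This is an added example, not part of the original report or of genext2fs: it takes the directory handed to the image builder and the directory where the image has been mounted, and reports every path whose mode changed. The sample trees and file names are constructed, and GNU or busybox `find` and `stat` are assumed.

```shell
#!/bin/sh
# Added example: compare permission bits between the tree handed to an image
# builder and the tree found inside the mounted image. Directory and file
# names below are constructed sample data.

# perm_drift <source-root> <image-root>
# Prints "<path> <source-mode> <image-mode>" for every mismatch, sorted.
perm_drift() {
    ( cd "$1" && find . -mindepth 1 ! -type l | sort ) |
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -e "$2/$rel" ]; then
            echo "$rel missing-in-image"
            continue
        fi
        s=$(stat -c '%a' "$1/$rel")
        i=$(stat -c '%a' "$2/$rel")
        [ "$s" = "$i" ] || echo "$rel $s $i"
    done
}

# world_writable <root>: count of non-symlink paths with the o+w bit set.
world_writable() {
    find "$1" -mindepth 1 ! -type l -perm -0002 | wc -l | tr -d ' '
}

# make_sample <dir>: build src/ (sane modes), bad/ (every directory 777 and
# every file 666, as reported in this bug) and good/ (modes preserved).
make_sample() {
    mkdir -p "$1/src/var/lib/cdebconf"
    : > "$1/src/var/lib/cdebconf/templates.dat"
    find "$1/src" -type d -exec chmod 755 {} +
    find "$1/src" -type f -exec chmod 644 {} +
    cp -a "$1/src" "$1/good"
    cp -a "$1/src" "$1/bad"
    find "$1/bad" -type d -exec chmod 777 {} +
    find "$1/bad" -type f -exec chmod 666 {} +
}

demo=$(mktemp -d)
make_sample "$demo"
perm_drift "$demo/src" "$demo/bad"     # four mismatches
perm_drift "$demo/src" "$demo/good"    # prints nothing
rm -rf "$demo"
```

Run as a build step, a non-empty `perm_drift` result or a non-zero `world_writable` count is a reason to fail the image build.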
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Tue, 29 Nov 2005 12:31:48 +0200
From: Mikko Rapeli <email address hidden>
To: <email address hidden>
CC: <email address hidden>
Subject: genext2fs CVS version fixes this well
In Debian Bug tracker #341173, David Kimdon (dwhedon) wrote : Bug#341173: fixed in genext2fs 1.3-8 | #17 |
Source: genext2fs
Source-Version: 1.3-8
We believe that the bug you reported is fixed in the latest version of
genext2fs, which is due to be installed in the Debian FTP archive:
genext2fs_
to pool/main/
genext2fs_1.3-8.dsc
to pool/main/
genext2fs_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Kimdon <email address hidden> (supplier of updated genext2fs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 29 Nov 2005 11:12:31 -0800
Source: genext2fs
Binary: genext2fs
Architecture: source powerpc
Version: 1.3-8
Distribution: unstable
Urgency: low
Maintainer: David Kimdon <email address hidden>
Changed-By: David Kimdon <email address hidden>
Description:
genext2fs - ext2 filesystem generator for embedded systems
Closes: 258661 341173
Changes:
genext2fs (1.3-8) unstable; urgency=low
.
* Update to upstream cvs as of 29-11-2005. This is similar to what 1.4
will be.
Preserve permissions. (Closes: #341173)
Create lost+found (Closes: #258661)
Files:
986f6df0d3ba15
25e985feb7ce23
2e129a4f0cbec6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDjH5BST1
3+0d3baEgJ+
=0+mU
-----END PGP SIGNATURE-----
Debian Bug Importer (debzilla) wrote : | #18 |
Message-Id: <email address hidden>
Date: Tue, 29 Nov 2005 08:32:08 -0800
From: David Kimdon <email address hidden>
To: <email address hidden>
Subject: Bug#341173: fixed in genext2fs 1.3-8
Matt Zimmerman (mdz) wrote : | #19 |
Fixed in 1.3-8 and later:
genext2fs | 1.3-8ubuntu1 | http://
Changed in genext2fs: | |
status: | Unconfirmed → Fix Released |
A newer version of genext2fs may preserve uid's, gid's and permissions
for files and directories so the ext2 initrd image wouldn't have o=rwx
any more.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338263
-Mikko