/etc/dib-manifests/ has too broad permissions and discloses sensitive information
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
diskimage-builder | Fix Released | High | Gregory Haynes | | |
Bug Description
Some of the options passed to diskimage-builder (for example, DEVUSER_
Diskimage-builder writes the directory /etc/dib-manifests into the guest system. This directory contains the following files with sensitive information and overly relaxed permissions:
-rw-r--r-- 1 root root 105 Mar 10 14:41 dib_arguments
-rw-r--r-- 1 root root 384 Mar 10 14:41 dib_environment
-rw-r--r-- 1 root root 25532 Mar 10 14:42 dib-manifest-
sudo -u nobody cat /etc/dib-
...
declare -x DIB_DEV_
declare -x DIB_DEV_
declare -x DIB_DEV_
declare -x DIB_DISTRO_
declare -x DIB_RELEASE=
TL;DR; diskimage-builder should write those files with 0600 or 0640 permissions, not 0644 permissions.
Affected version (tested so far): 1.9.0.
Elements used to build the image: dib-python install-types debootstrap install-static dib-run-parts devuser vm manifests dib-init-system cache-url pkg-map base serverscom-
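An added example, not part of the original report and not diskimage-builder code: a shell check that lists manifest files readable, writable or executable by "other" and can tighten them to 0600, one of the two modes the report proposes. The function names and the `MANIFEST_DIR` variable are hypothetical; the default path is the one named in the report.

```shell
#!/bin/sh
# Added example, not diskimage-builder code. MANIFEST_DIR defaults to the path
# named in the report; the function names are hypothetical.
MANIFEST_DIR=${MANIFEST_DIR:-/etc/dib-manifests}

# List regular files under DIR that grant any permission bit to "other".
# Exit status: 0 = none exposed, 1 = at least one exposed, 2 = DIR missing.
audit_manifests() {
    dir=${1:-$MANIFEST_DIR}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # POSIX find: -perm -004 / -002 / -001 test the other-read/write/exec bits.
    exposed=$(find "$dir" -type f \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -exec ls -l {} +)
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Set every regular file under DIR to 0600 (owner-only), then re-run the
# audit so the caller gets a verified result rather than an assumed one.
harden_manifests() {
    dir=${1:-$MANIFEST_DIR}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f -exec chmod 0600 {} +
    audit_manifests "$dir"
}

# Optional command-line use: "script audit [DIR]" or "script harden [DIR]".
case "${1:-}" in
    audit)  audit_manifests "${2:-$MANIFEST_DIR}" ;;
    harden) harden_manifests "${2:-$MANIFEST_DIR}" ;;
esac
```

Run the audit against the mounted root of a built image (for example `audit DIR` with DIR pointing at the image's `etc/dib-manifests`) before publishing it; a non-zero exit status can fail the build pipeline.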
Changed in diskimage-builder:
assignee: nobody → Gregory Haynes (greghaynes)
importance: Undecided → High
status: New → Confirmed
status: Confirmed → In Progress
description: updated
Hello. Because there was a 3-month grace period and there was zero reaction to this bug, I plan to disclose it next Monday. If someone wants to fix this bug and needs more time, please let me know.