check-setuid does not check all filesystems
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
checksecurity (Ubuntu) |
Triaged
|
High
|
Unassigned |
Bug Description
Description: Ubuntu 12.04.1 LTS
Release: 12.04
ii checksecurity 2.0.14ubuntu1 basic system security checks
Symptom: check-setuid reporting results look strange/incomplete on initial run:
--- setuid.today 2012-09-09 15:09:26.858820173 +0200
+++ /var/log/
@@ -0,0 +1,7 @@
+ 128575 4755 1 root root 31304 Fri Mar 2 16:35:03.0000000000 2012 ./bin/fusermount
+ 128610 4755 1 root root 94792 Fri Mar 30 07:34:18.0000000000 2012 ./bin/mount
+ 128648 4755 1 root root 35712 Tue Nov 8 14:26:22.0000000000 2011 ./bin/ping
+ 128649 4755 1 root root 40256 Tue Nov 8 14:26:22.0000000000 2011 ./bin/ping6
+ 128676 4755 1 root root 36832 Mon Apr 9 04:32:06.0000000000 2012 ./bin/su
+ 128685 4755 1 root root 69096 Fri Mar 30 07:34:18.0000000000 2012 ./bin/umount
+ 136537 2755 1 root shadow 35432 Thu Feb 9 02:44:43.0000000000 2012 ./sbin/unix_chkpwd
1. Does not appear to have examined /usr/bin (or anywhere else outside of /).
2. Paths are relative (./...).
The problem is the set of start paths given to find(1) in
/usr/share/
find `mount | grep -vE "$CHECKSECURITY
The "grep -v" excludes mount lines matching the pattern
CHECKSECURITY_
/etc/checksecur
CS_OPTS, CS_DEVS, CS_DIRS. The first of these contains the bug:
CS_
The pipe and closing parenthesis after "nnpfs" provide an empty term in
the alternation. This matches any type and so all lines from mount(1)'s
output are excluded.
In the absence of an argument list find(1) uses the current working
directory (and -xdev ensures we don't escape from this directory).
(In the example output above /bin and /sbin are directories on the
root filesystem /. /usr is a separate filesystem). Consequently
check-setuid is not checking any other filesystem than /.
I forgot the (trivial) fix:
51c51 coda|lustre| mfs|nnpfs| )|^(arla .* type xfs))' coda|lustre| mfs|nnpfs) |^(arla .* type xfs))'
< CS_NFSAFS='(type (nfs|afs|
---
> CS_NFSAFS='(type (nfs|afs|