check-setuid does not check all filesystems

Bug #1048248 reported by Martin Carpenter
This bug affects 1 person
Affects                  Status    Importance  Assigned to  Milestone
checksecurity (Ubuntu)   Triaged   High        Unassigned

Bug Description

Description: Ubuntu 12.04.1 LTS
Release: 12.04
ii checksecurity 2.0.14ubuntu1 basic system security checks

Symptom: check-setuid reporting results look strange/incomplete on initial run:

    --- setuid.today 2012-09-09 15:09:26.858820173 +0200
    +++ /var/log/setuid/setuid.new.tmp 2012-09-09 15:09:26.858820173 +0200
    @@ -0,0 +1,7 @@
    + 128575 4755 1 root root 31304 Fri Mar 2 16:35:03.0000000000 2012 ./bin/fusermount
    + 128610 4755 1 root root 94792 Fri Mar 30 07:34:18.0000000000 2012 ./bin/mount
    + 128648 4755 1 root root 35712 Tue Nov 8 14:26:22.0000000000 2011 ./bin/ping
    + 128649 4755 1 root root 40256 Tue Nov 8 14:26:22.0000000000 2011 ./bin/ping6
    + 128676 4755 1 root root 36832 Mon Apr 9 04:32:06.0000000000 2012 ./bin/su
    + 128685 4755 1 root root 69096 Fri Mar 30 07:34:18.0000000000 2012 ./bin/umount
    + 136537 2755 1 root shadow 35432 Thu Feb 9 02:44:43.0000000000 2012 ./sbin/unix_chkpwd

1. Does not appear to have examined /usr/bin (or anywhere else outside of /).
2. Paths are relative (./...).

The problem is the set of start paths given to find(1) in
/usr/share/checksecurity/check-setuid:

    find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3`

The "grep -v" excludes mount lines matching the pattern
CHECKSECURITY_FILTER. CHECKSECURITY_FILTER is set in
/etc/checksecurity/check-setuid.conf by alternating CS_NFSAFS, CS_TYPES,
CS_OPTS, CS_DEVS, CS_DIRS. The first of these contains the bug:

    CS_NFSAFS='(type (nfs|afs|coda|lustre|mfs|nnpfs|)|^(arla .* type xfs))'
                                                   ^ here

The pipe and closing parenthesis after "nnpfs" provide an empty term in
the alternation. This matches any type and so all lines from mount(1)'s
output are excluded.

In the absence of an argument list find(1) uses the current working
directory (and -xdev ensures we don't escape from this directory).
(In the example output above /bin and /sbin are directories on the
root filesystem /. /usr is a separate filesystem). Consequently
check-setuid is not checking any other filesystem than /.
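The following script is an added example and is not part of the bug report or the checksecurity package. It replays the CHECKSECURITY_FILTER pipeline from check-setuid (grep -vE, then cut field 3) over a constructed copy of mount(1) output, so the effect of the empty alternative in CS_NFSAFS, and find(1)'s silent fallback to the current directory, can be reproduced without touching the live mount table. The sample mount lines are constructed, and GNU grep and find are assumed.

```shell
#!/bin/sh
# Added example, not part of the bug report or the checksecurity package.
# It replays the CHECKSECURITY_FILTER pipeline from check-setuid on a
# constructed copy of mount(1) output so the effect of the empty alternative
# can be seen without touching the live mount table. Assumes GNU grep/find.

# Constructed mount(1) output: root fs, separate /usr and /home, one NFS
# share and an arla/xfs line (the case the second regex branch targets).
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw,errors=remount-ro)
/dev/sda2 on /usr type ext4 (rw)
/dev/sda3 on /home type ext4 (rw)
fileserver:/export/data on /mnt/data type nfs (rw,vers=3)
arla on /afs type xfs (rw)'

# CS_NFSAFS as shipped: the "|" before ")" is an empty alternative, so
# "type " followed by nothing matches every mount line.
CS_NFSAFS_BUGGY='(type (nfs|afs|coda|lustre|mfs|nnpfs|)|^(arla .* type xfs))'
# CS_NFSAFS with the one-character fix from the report's follow-up comment.
CS_NFSAFS_FIXED='(type (nfs|afs|coda|lustre|mfs|nnpfs)|^(arla .* type xfs))'

# Same filter expression check-setuid hands to find(1): drop lines matching
# the pattern, keep field 3 (the mount point). Returns the surviving mount
# points on one line, space separated (empty string if none survive).
start_paths() {
    printf '%s\n' "$SAMPLE_MOUNTS" | grep -vE "$1" | cut -d ' ' -f 3 \
        | tr '\n' ' ' | sed 's/ $//'
}

# Number of start paths the filter leaves for find(1).
count_start_paths() {
    set -- $(start_paths "$1")
    echo $#
}

# What find(1) actually takes as its starting point(s) under a given filter.
# With an empty argument list GNU find silently defaults to ".", which is
# the cwd fallback the report describes; -xdev mirrors check-setuid and
# -maxdepth 0 limits output to the starting points themselves.
find_start_points() {
    find $(start_paths "$1") -xdev -maxdepth 0 2>/dev/null
}

echo "buggy filter: $(count_start_paths "$CS_NFSAFS_BUGGY") start path(s) -> find searches '$(find_start_points "$CS_NFSAFS_BUGGY")'"
echo "fixed filter: $(count_start_paths "$CS_NFSAFS_FIXED") start path(s) -> $(start_paths "$CS_NFSAFS_FIXED")"
```

With the shipped pattern every sample line is filtered out, the argument list to find(1) is empty, and find reports "." as its only starting point; with the fixed pattern the three local filesystems survive and the NFS and arla/xfs lines are the only ones excluded.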

Martin Carpenter (a-mcarpenter) wrote :

I forgot the (trivial) fix:

    51c51
    < CS_NFSAFS='(type (nfs|afs|coda|lustre|mfs|nnpfs|)|^(arla .* type xfs))'
    ---
    > CS_NFSAFS='(type (nfs|afs|coda|lustre|mfs|nnpfs)|^(arla .* type xfs))'
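Review bot: the one-character change (dropping the empty alternative after nnpfs) is the right fix for the regex, but the script's own behaviour that turned it into a silent failure is untouched: check-setuid still passes the output of mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3 straight to find(1), so any future filter that matches every mount line will again make find fall back to the current directory. It would be worth having check-setuid abort with an error when that start-path list comes back empty, and adding a regression check that the filtered list is non-empty on a stock install.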

Dave Gilbert (ubuntu-treblig) wrote :

Triaged: Bug tells you exactly where the problem is
High: Seems the package is pretty completely broken by it

Changed in checksecurity (Ubuntu):
importance: Undecided → High
status: New → Triaged