Package: release.debian.org
Control: affects -1 + src:swupdate
X-Debbugs-Cc: swupd...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]
There is a local privilege escalation in swupdate package because the
service's control socket has world-writable file permissions.

[ Impact ]
The rights of the swupdate daemon, which is usually used to run full
system updates, can be aquired by any user on the system.

[ Tests ]
Run the service and check that the control socket is created with the
reduced permission set. Also check that the service user "swupdate" is created.

[ Risks ]
None.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru swupdate-2022.12+dfsg/debian/changelog 
swupdate-2022.12+dfsg/debian/changelog
--- swupdate-2022.12+dfsg/debian/changelog      2023-04-04 15:36:06.000000000 
+0200
+++ swupdate-2022.12+dfsg/debian/changelog      2023-11-27 11:10:38.000000000 
+0100
@@ -1,3 +1,10 @@
+swupdate (2022.12+dfsg-4+deb12u1) bookworm; urgency=medium
+
+  * Add swupdate system user
+  * Create the sockets for group use with SocketMode 0660
+
+ -- Bastian Germann <b...@debian.org>  Mon, 27 Nov 2023 11:10:38 +0100
+
 swupdate (2022.12+dfsg-4) unstable; urgency=medium
 
   * Enable backported libebgenv-dev
diff -Nru swupdate-2022.12+dfsg/debian/control 
swupdate-2022.12+dfsg/debian/control
--- swupdate-2022.12+dfsg/debian/control        2023-04-04 15:25:36.000000000 
+0200
+++ swupdate-2022.12+dfsg/debian/control        2023-11-27 11:10:38.000000000 
+0100
@@ -7,6 +7,7 @@
 Build-Depends: debhelper-compat (= 13),
                dh-lua:native <!nolua>,
                dh-nodejs | dh-nodejs:any,
+               dh-sysuser,
                graphviz <!nodoc>,
                liblua5.3-dev <!nolua>,
                libfdisk-dev,
diff -Nru swupdate-2022.12+dfsg/debian/rules swupdate-2022.12+dfsg/debian/rules
--- swupdate-2022.12+dfsg/debian/rules  2023-04-04 15:30:15.000000000 +0200
+++ swupdate-2022.12+dfsg/debian/rules  2023-11-27 11:10:38.000000000 +0100
@@ -13,7 +13,7 @@
 export LUA_VERSION=5.3
 export LUA_MODNAME=lua_swupdate
 export PKG_NAME=swupdate
-export DH_WITH=--with lua
+export DH_WITH=,lua
 export HAVE_LUA=y
 endif
 
@@ -108,4 +108,4 @@
        dh_missing --fail-missing
 
 %:
-       dh $@ $(DH_WITH)
+       dh $@ --with sysuser$(DH_WITH)
diff -Nru swupdate-2022.12+dfsg/debian/swupdate.socket 
swupdate-2022.12+dfsg/debian/swupdate.socket
--- swupdate-2022.12+dfsg/debian/swupdate.socket        2023-04-04 
14:41:04.000000000 +0200
+++ swupdate-2022.12+dfsg/debian/swupdate.socket        2023-11-27 
11:10:38.000000000 +0100
@@ -6,6 +6,8 @@
 [Socket]
 ListenStream=/tmp/sockinstctrl
 ListenStream=/tmp/swupdateprog
+SocketMode=0660
+SocketGroup=swupdate
 
 [Install]
 WantedBy=sockets.target
diff -Nru swupdate-2022.12+dfsg/debian/swupdate.sysuser 
swupdate-2022.12+dfsg/debian/swupdate.sysuser
--- swupdate-2022.12+dfsg/debian/swupdate.sysuser       1970-01-01 
01:00:00.000000000 +0100
+++ swupdate-2022.12+dfsg/debian/swupdate.sysuser       2023-11-27 
11:10:38.000000000 +0100
@@ -0,0 +1 @@
+swupdate defaults

Reply via email to