Your message dated Sat, 02 Apr 2022 16:21:34 +0000
with message-id <[email protected]>
and subject line Bug#903403: fixed in dropbear 2022.82-1
has caused the Debian Bug report #903403,
regarding dropbear's default PATH should be different for the root user
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
903403: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dropbear
Version: 2018.76-1
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-kali kali-patch
When dropbear is used in a very restricted environment (such as in an
initrd), the default user shell is often also very restricted
and doesn't take care of setting the PATH so the user ends up
with the PATH set by dropbear. Unfortunately, dropbear always
sets "/usr/bin:/bin" as default PATH even for the root user
which should have /usr/sbin and /sbin too.
For a concrete instance of this problem, see the "Remote Unlocking"
section in this tutorial:
https://paxswill.com/blog/2013/11/04/encrypted-raspberry-pi/
It speaks of a bug in the initramfs script because it's written "blkid"
instead of "/sbin/blkid"... this is just because the scripts from the
initramfs do not expect to have a PATH without the sbin directories and
because dropbear is not setting the PATH appropriately for the root user.
I'm thus suggesting using the attached patch to fix this misbehaviour (I
did not test it, but it's easy enough). It might seem anecdotal but
multiple Kali users have been bitten by this.
(This bug report is copied to the upstream author Matt Johnston
<[email protected]> in the hope that he will consider this bug report and
apply the patch)
-- System Information:
Debian Release: buster/sid
APT prefers oldoldstable
APT policy: (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.16.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
--- a/default_options.h
+++ b/default_options.h
@@ -291,5 +291,6 @@ be overridden at runtime with -I. 0 disa
/* The default path. This will often get replaced by the shell */
#define DEFAULT_PATH "/usr/bin:/bin"
+#define DEFAULT_ROOT_PATH "/usr/sbin:/usr/bin:/sbin:/bin"
#endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */
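Review bot: the new DEFAULT_ROOT_PATH macro at the end of this hunk carries no comment, while DEFAULT_PATH directly above it does; add one such as `/* The default path for root (uid 0) logins */` so readers of default_options.h (and anyone overriding it from localoptions.h) know why there are two values. Note also that neither value contains /usr/local/bin or /usr/local/sbin; the Debian changelog further down overrides both macros with the login.defs(5) defaults, so these upstream values are what non-Debian builds will ship.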
--- a/svr-chansession.c
+++ b/svr-chansession.c
@@ -961,7 +961,11 @@ static void execchild(const void *user_d
addnewvar("LOGNAME", ses.authstate.pw_name);
addnewvar("HOME", ses.authstate.pw_dir);
addnewvar("SHELL", get_user_shell());
- addnewvar("PATH", DEFAULT_PATH);
+ if (getuid() == 0) {
+ addnewvar("PATH", DEFAULT_ROOT_PATH);
+ } else {
+ addnewvar("PATH", DEFAULT_PATH);
+ }
if (chansess->term != NULL) {
addnewvar("TERM", chansess->term);
}
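Review bot: the `getuid() == 0` test in this hunk checks the server process's own current uid, which only equals the logged-in user's uid if the switch to that user has already happened before this point in execchild(); the hunk does not show that ordering, and if it changes (or dropbear runs unprivileged) the branch silently falls back to DEFAULT_PATH. The adjacent addnewvar() calls already take the authenticated user's record from `ses.authstate` (pw_name, pw_dir), so `if (ses.authstate.pw_uid == 0)` expresses the intent directly and is independent of the process credentials. The report states the patch is untested; logging in as root and as a regular user and comparing `echo "$PATH"` is the minimum check before merging.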
--- End Message ---
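As an added example, not code from the bug report or from dropbear, here is a POSIX sh check for the failure the report describes: it resolves the bare command names an initramfs script relies on against the PATH values from the patch and lists which ones would not be found. It takes a root prefix so it can be run against an unpacked initramfs tree rather than the live system; the demo tree, the command list and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or dropbear): report which commands
# would be unresolvable under the PATH dropbear exports to a session.
# The demo tree and command list below are constructed for illustration.

# PATH values copied from the patch: pre-patch default and proposed root value.
DEFAULT_PATH="/usr/bin:/bin"
DEFAULT_ROOT_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

# resolve_cmd ROOT NAME PATHLIST
# Prints the first executable matching NAME under ROOT (a prefix such as an
# unpacked initramfs, or "" for the live system); returns 1 if none exists.
resolve_cmd() {
    rc_root=$1 rc_name=$2 rc_paths=$3
    rc_saved_ifs=$IFS
    IFS=:
    for rc_dir in $rc_paths; do
        if [ -x "$rc_root$rc_dir/$rc_name" ] && [ ! -d "$rc_root$rc_dir/$rc_name" ]; then
            IFS=$rc_saved_ifs
            printf '%s\n' "$rc_dir/$rc_name"
            return 0
        fi
    done
    IFS=$rc_saved_ifs
    return 1
}

# missing_cmds ROOT PATHLIST NAME...
# Prints the space-separated names that do not resolve under PATHLIST;
# the exit status is the number of missing commands (0 when all resolve).
missing_cmds() {
    mc_root=$1 mc_paths=$2
    shift 2
    mc_missing=""
    mc_count=0
    for mc_name in "$@"; do
        if ! resolve_cmd "$mc_root" "$mc_name" "$mc_paths" >/dev/null; then
            mc_missing="$mc_missing $mc_name"
            mc_count=$((mc_count + 1))
        fi
    done
    printf '%s\n' "${mc_missing# }"
    return "$mc_count"
}

# Constructed demo tree standing in for an unpacked initramfs: blkid lives
# in /sbin and sh in /bin, as in the tutorial case cited by the report.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/sbin" "$demo_root/bin"
: > "$demo_root/sbin/blkid" && chmod +x "$demo_root/sbin/blkid"
: > "$demo_root/bin/sh"     && chmod +x "$demo_root/bin/sh"

echo "missing with DEFAULT_PATH:      $(missing_cmds "$demo_root" "$DEFAULT_PATH" sh blkid)"
echo "missing with DEFAULT_ROOT_PATH: $(missing_cmds "$demo_root" "$DEFAULT_ROOT_PATH" sh blkid)"
rm -rf "$demo_root"
```

To run it against a real image, pass the directory produced by unmkinitramfs as the root and the command names grepped from the scripts under scripts/ in that tree; anything still listed under DEFAULT_ROOT_PATH is a script that must be fixed regardless of dropbear, while names listed only under DEFAULT_PATH are exactly the breakage the report attributes to the unpatched server.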
--- Begin Message ---
Source: dropbear
Source-Version: 2022.82-1
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated dropbear package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 02 Apr 2022 15:51:17 +0200
Source: dropbear
Architecture: source
Version: 2022.82-1
Distribution: unstable
Urgency: medium
Maintainer: Guilhem Moulin <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 903403 955384 1003951
Changes:
dropbear (2022.82-1) unstable; urgency=medium
.
[ Matt Johnston ]
* New upstream release 2022.82. Highlights include:
- dropbearconvert(1): Support converting from OpenSSH (>=7.8) private key
format (closes: #955384), and convert to that format rather than PEM
- Reworked -v verbose printing, specifying multiple times will increase
verbosity.
- Added server support for U2F/FIDO keys (ecdsa-sk and ed25519-sk) in
authorized_keys(5).
- Use a separate $PATH when logging in as root (closes: #903403).
- Disable dh-group1 key exchange by default. It has been disabled server
side by default since 2018.76-1.
- Removed Twofish cipher.
.
[ Lee Garrett ]
* Add quotes to indicate they're required. (Closes: #1003951)
.
[ Guilhem Moulin ]
* Add missing build dependency on dh addon.
* initramfs script configuration: Clarify that assignments follow shell
semantics.
* d/gbp.conf: Add upstream VCS tag as additional parent to upstream/$VERSION.
* Run wrap-and-sort(1).
* Fix autopkgtest for non-sid suites.
* Create localoptions.h in d/rules not from d/patches.
* d/localoptions.h: Hardcode PATH environment variable when a regular user
resp. the superuser logs in to the login.defs(5) default values, namely
"/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games" resp.
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin".
* d/tests: Run the upstream test suite as a DEP-8 test. We skip it at build
time since it needs access to ~/.ssh which is forbidden in the build
environment.
* Update d/copyright.
* d/rules: Remove useless override_dh_installinit target and rename
d/dropbear.dropbear.init to d/dropbear.init.
* d/dropbear.init: Put PID file in /run not /var/run.
* d/dropbear.init: Minor refactoring.
* d/dropbear.postinst: Replace deprecated which(1) calls with `command -v`.
* d/dropbear.postinst: Also convert OpenSSH keys in new format since
dropbearconvert(1) can now convert those.
* Remove d/README.Debian.diet from 'dropbear-bin' documentation.
* Install README.Debian in 'dropbear' package not 'dropbear-bin'.
* Minor d/dropbear.README.Debian improvement.
* d/control: Improve package description.
* Add systemd.service(5) file.
* /etc/default/dropbear: Breaking changes to accommodate the
systemd.service(5) logic:
+ Drop support for NO_START=1 (one needs to manually disable the service
or remove the package instead); and
+ Drop support for DROPBEAR_*KEY and DROPBEAR_BANNER (one needs to use
DROPBEAR_EXTRA_ARGS with the adequate dropbear(8) options instead).
* Handle /etc/default/dropbear as a conffile instead of letting postinst
create it.
Checksums-Sha1:
f8a44000c4d67110b6bc09a8d02878efc0e65a44 2582 dropbear_2022.82-1.dsc
9719ea91b5ce8d93ee9a50b5c3a5bcd628736181 2309514 dropbear_2022.82.orig.tar.bz2
f1602a00a189923d458146482d7776eb8007266e 833 dropbear_2022.82.orig.tar.bz2.asc
c2b7abb93b938e981d73624baf9ea60efd8f910f 32900 dropbear_2022.82-1.debian.tar.xz
0bda9463835ff4e6ea7fc1df2fd65a4b6895f783 7053 dropbear_2022.82-1_amd64.buildinfo
Checksums-Sha256:
b7fc60d2d7cf67cc1d9861f97c5e2112a26320e546ce31e708955374ebcd70d8 2582 dropbear_2022.82-1.dsc
3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1 2309514 dropbear_2022.82.orig.tar.bz2
01347278eccfd744d9ea9c427820b150179a9f5cdd44de5fb72787e40b410eff 833 dropbear_2022.82.orig.tar.bz2.asc
f499622cfc164ed7a67df55cfb79ded846e10fbae4c49fae5e4f79c35bf44869 32900 dropbear_2022.82-1.debian.tar.xz
93c58b4bebd19dc9df119aa7016f2e0941613fa3e1a580c456d78d7c0fc90f69 7053 dropbear_2022.82-1_amd64.buildinfo
Files:
a8f822b98ebe26d7effdd8e6650afff9 2582 net optional dropbear_2022.82-1.dsc
7a4a5f2c6d23ff2e6627c97d7c1aeceb 2309514 net optional dropbear_2022.82.orig.tar.bz2
fe3bf559e79bf5c67160c0e4afe70082 833 net optional dropbear_2022.82.orig.tar.bz2.asc
aa0879a8e46152a1b2cbfb30bd4da33a 32900 net optional dropbear_2022.82-1.debian.tar.xz
53ac987c79a026756c1b0f02a0aef7bd 7053 net optional dropbear_2022.82-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---