Package: trousers
Version: 0.3.14+fixed1-1
Severity: normal
Tags: patch security

trousers.postinst has:

    case "${1}" in
        configure)
            # Adding tss system user
            adduser --system --quiet --home /var/lib/tpm --shell /bin/false --no-create-home --group tss

            # Setting owner
            chown tss:tss /var/lib/tpm -R
            chown tss:tss /etc/tcsd.conf

This means that upon package configuration, there will be a recursive
chown of the contents of /var/lib/tpm to be owned by the tss user.

If the tss user account is compromised, and the kernel is running
without fs.protected_hardlinks=1, then the tss user can link to
arbitrary files on the same filesystem as this directory, and wait for
a package upgrade to gain ownership of the linked file.

I've only looked at testing/unstable, but I would guess that this
security bug goes back a long way.

It can be fixed simply by making this chown non-recursive:

--- /var/lib/dpkg/info/trousers.postinst	2016-11-20 10:10:31.000000000 -0500
+++ ./trousers.postinst	2018-02-03 15:34:19.655511509 -0500
@@ -8,7 +8,7 @@ adduser --system --quiet --home /var/lib/tpm --shell /bin/false --no-create-home --group tss # Setting owner - chown tss:tss /var/lib/tpm -R + chown tss:tss /var/lib/tpm chown tss:tss /etc/tcsd.conf # Setting permissions

Thanks for maintaining trousers in Debian!

    --dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages trousers depends on:
ii  adduser    3.116
ii  libc6      2.26-4
ii  libssl1.1  1.1.0g-2
ii  lsb-base   9.20170808

trousers recommends no packages.

trousers suggests no packages.

-- Configuration Files:
/etc/tcsd.conf [Errno 13] Permission denied: '/etc/tcsd.conf'

-- no debconf information
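Review bot: dropping -R closes the hard-link window, but the hunk also stops migrating any entries under /var/lib/tpm that an earlier install left owned by someone other than tss; if that case matters, a one-off migration on upgrade (guarded by a dpkg --compare-versions check on "$2") that re-owns only directories and single-link regular files without following symlinks, e.g. `find /var/lib/tpm -type f -links 1 -exec chown -h tss:tss {} +`, is the safer replacement for the recursive chown. The unchanged `chown tss:tss /etc/tcsd.conf` follows symlinks by default; `chown -h` would avoid re-owning whatever a replaced conffile link points at. The trailing context line "# Setting permissions" suggests a chmod follows the hunk; if it is recursive, it deserves the same treatment.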
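Added example, not code from the bug report or from the trousers package: a postinst-style ownership fix-up, written as a shell function, that re-owns a directory tree without the hard-link exposure the report describes. It re-owns directories (which cannot be hard-linked) and only those regular files whose link count is 1, never follows symlinks (chown -h, and find does not descend through links), and prints whatever it skipped so an administrator can inspect it. A second helper reads the fs.protected_hardlinks sysctl the report mentions. The function names, the warning text and the sample tree used when exercising it are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the trousers package): an
# ownership fix-up that avoids the hard-link exposure of "chown -R".

# Returns 0 if the kernel enforces fs.protected_hardlinks=1, 1 if it is
# off, 2 if the sysctl cannot be read (non-Linux or restricted /proc).
protected_hardlinks_enabled() {
    v=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null) || return 2
    [ "$v" = "1" ]
}

# safe_chown_tree OWNER[:GROUP] DIR
# Re-owns DIR, every directory below it, and every regular file below it
# whose link count is exactly 1. Symlinks are never followed: find does
# not descend through them and "chown -h" acts on the link itself.
# Multi-link files, symlinks and special files are printed instead of
# re-owned. Returns 0 if nothing was skipped, 1 if something was, and 2
# if DIR is not a real directory. (-mindepth is a GNU/BSD find option.)
safe_chown_tree() {
    owner=$1
    dir=$2
    # Refuse a top-level path that is itself a symlink or not a directory.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        printf 'not a directory: %s\n' "$dir" >&2
        return 2
    fi
    chown -h "$owner" "$dir"
    # Directories cannot be hard-linked, so they are always safe to re-own;
    # a regular file is re-owned only while it has exactly one link.
    find "$dir" -mindepth 1 \( -type d -o \( -type f -links 1 \) \) \
        -exec chown -h "$owner" {} +
    # Everything that did not qualify is reported rather than touched.
    skipped=$(find "$dir" -mindepth 1 ! -type d ! \( -type f -links 1 \))
    [ -z "$skipped" ] && return 0
    printf 'skipped (not re-owned):\n%s\n' "$skipped"
    return 1
}

# Usage when run directly, e.g.: ./fixowner.sh tss:tss /var/lib/tpm
if [ "$#" -ge 2 ]; then
    protected_hardlinks_enabled || \
        echo 'warning: fs.protected_hardlinks is not 1' >&2
    safe_chown_tree "$1" "$2"
fi
```

The link-count test and the chown are still two separate steps, so a file can in principle gain a second link between them; the function narrows the window and refuses the cases a recursive chown would silently accept, but fs.protected_hardlinks=1 remains the setting that actually removes the class of problem.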