Package: util-linux
Version: 2.33.1-0.1
Severity: important

Dear Maintainer,

Security conscious administrators like me audit our systems for setuid
binaries. Since Buster, the /usr/bin/su binary installed by util-linux
is failing the routine tests for integrity that I assumed all Debian
packages would provide.

On every Buster system I manage, I find:

$ dpkg -S /usr/bin/su
dpkg-query: no path found matching pattern /usr/bin/su

I am not happy to find a setuid binary that isn't owned by any package. After
some investigation, I discover:

$ ls -l {/usr,}/bin/su
-rwsr-xr-x 1 root root 63568 Jan 10  2019 /bin/su
-rwsr-xr-x 1 root root 63568 Jan 10  2019 /usr/bin/su

$ dpkg -S /bin/su
util-linux: /bin/su

Could util-linux be the package installing /usr/bin/su? Let's find out:

$ sudo rm /usr/bin/su

$ sudo dpkg --unpack /var/cache/apt/archives/util-linux_2.33.1-0.1_amd64.deb
(Reading database ... 166973 files and directories currently installed.)
Preparing to unpack .../util-linux_2.33.1-0.1_amd64.deb ...
Unpacking util-linux (2.33.1-0.1) over (2.33.1-0.1) ...
Processing triggers for mime-support (3.62) ...
Processing triggers for man-db (2.8.5-2) ...

$ ls -l {/usr,}/bin/su
-rwsr-xr-x 1 root root 63568 Jan 10  2019 /bin/su
-rwsr-xr-x 1 root root 63568 Jan 10  2019 /usr/bin/su

Pshew, it is util-linux installing this mysterious setuid binary. I have
not been hacked. Good. But this is very, very surprising:

$ dpkg-deb -c /var/cache/apt/archives/util-linux_2.33.1-0.1_amd64.deb|grep 'su$'
-rwsr-xr-x root/root     63568 2019-01-10 03:30 ./bin/su
-rw-r--r-- root/root      2257 2019-01-10 03:30 ./etc/pam.d/su
-rw-r--r-- root/root       892 2019-01-10 03:30 ./usr/share/bash-completion/completions/su

There is no /usr/bin/su in the util-linux package. This should not be!

Let's do one more basic test to ensure that the util-linux package intended to
install /usr/bin/su:

$ grep 'bin/su$' /var/lib/dpkg/info/*.md5sums 
/var/lib/dpkg/info/util-linux.md5sums:bb269705904f98f0b2f6258b3ab75ad9  bin/su

No: there is no md5sum to audit the integrity of a mysterious setuid
binary on my Debian system. I am not happy. What kind of AI will I
need to add to my security audit scripts to guess that the md5sum for
/usr/bin/su should match the md5sum for /bin/su which is managed by the
util-linux package?

One final thought: why do we need two copies of the setuid su binary? If
it is in /bin/su, why do we need to waste bits by having a second copy
in /usr/bin as well?

Especially for setuid root binaries, shouldn't we economize by only having
one copy around? In previous releases of Debian, only /bin/su existed. I
assume the very existence of the /usr/bin/su setuid binary is erroneous:
it should not be installed by the util-linux package.

-- System Information:
Debian Release: 10.5
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages util-linux depends on:
ii  fdisk          2.33.1-0.1
ii  libaudit1      1:2.8.4-3
ii  libblkid1      2.33.1-0.1
ii  libc6          2.28-10
ii  libcap-ng0     0.7.9-2
ii  libmount1      2.33.1-0.1
ii  libpam0g       1.3.1-5
ii  libselinux1    2.8-1+b1
ii  libsmartcols1  2.33.1-0.1
ii  libsystemd0    241-7~deb10u4
ii  libtinfo6      6.1+20181013-2+deb10u2
ii  libudev1       241-7~deb10u4
ii  libuuid1       2.33.1-0.1
ii  login          1:4.5-1.1
ii  zlib1g         1:1.2.11.dfsg-1

util-linux recommends no packages.

Versions of packages util-linux suggests:
ii  dosfstools          4.1-2
ii  kbd                 2.0.4-4
ii  util-linux-locales  2.33.1-0.1

-- no debconf information
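The audit this report describes (find every setuid binary, ask dpkg who owns it, verify it against the package's recorded md5sum) can be scripted. The script below is an added example, not part of the bug report or of util-linux. It reads the same `/var/lib/dpkg/info/*.md5sums` files the reporter grepped, so it needs no `dpkg -S`, and it adds the one check the report asks for: when a path under `/usr` has no md5sums entry, it retries with the `usr/` prefix stripped, because on a merged-/usr system (where `/bin` is a symlink to `usr/bin`) the same file is reachable under both names and dpkg records only one of them. Whether that is what is going on here is for the maintainer to confirm; the script only reports it. `make_fixture` builds a constructed fake root and fake dpkg info directory so the whole thing runs offline; `audit_setuid / /var/lib/dpkg/info` runs it for real.

```shell
#!/bin/sh
# Added example: audit setuid binaries against dpkg's *.md5sums records.
# Statuses: OK (path recorded, hash matches), ALIAS (recorded under the path with
# "usr/" stripped, hash matches), MODIFIED (recorded, hash differs), UNOWNED (no record).
set -u

# dpkg_expected_md5 INFODIR RELPATH -> prints "<package> <md5>" or returns 1.
# RELPATH has no leading slash, e.g. "bin/su", matching the md5sums format.
dpkg_expected_md5() {
    infodir=$1; rel=$2
    for f in "$infodir"/*.md5sums; do
        [ -e "$f" ] || continue
        pkg=${f##*/}; pkg=${pkg%.md5sums}
        # md5sums lines are "<md5>  <path>"; $2 is the path
        sum=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$f")
        if [ -n "$sum" ]; then
            printf '%s %s\n' "$pkg" "$sum"
            return 0
        fi
    done
    return 1
}

# audit_setuid ROOT INFODIR -> one line per setuid file: "STATUS PATH [PACKAGE]"
audit_setuid() {
    root=${1%/}; infodir=$2
    find "${root:-/}" -type f -perm -4000 2>/dev/null | sort | while IFS= read -r path; do
        rel=${path#"$root"/}
        actual=$(md5sum "$path" | awk '{print $1}')
        if owner=$(dpkg_expected_md5 "$infodir" "$rel"); then
            pkg=${owner%% *}; expected=${owner#* }
            [ "$actual" = "$expected" ] && echo "OK $path $pkg" || echo "MODIFIED $path $pkg"
            continue
        fi
        # merged-/usr aliasing: usr/bin/X may be the same file dpkg recorded as bin/X
        alt=${rel#usr/}
        if [ "$alt" != "$rel" ] && owner=$(dpkg_expected_md5 "$infodir" "$alt"); then
            pkg=${owner%% *}; expected=${owner#* }
            [ "$actual" = "$expected" ] && echo "ALIAS $path $pkg" || echo "MODIFIED $path $pkg"
            continue
        fi
        echo "UNOWNED $path"
    done
}

# make_fixture -> prints a temp dir containing a constructed root/ and info/ (sample data).
# Mirrors the report: bin/su and usr/bin/su identical, only bin/su recorded; plus a
# recorded-but-tampered passwd and an unowned setuid file under /usr/local.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/root/bin" "$dir/root/usr/bin" "$dir/root/usr/local/bin" "$dir/info"
    printf 'fake su binary\n'     > "$dir/root/bin/su"
    cp "$dir/root/bin/su"           "$dir/root/usr/bin/su"
    printf 'fake mount binary\n'  > "$dir/root/bin/mount"
    printf 'tampered passwd\n'    > "$dir/root/usr/bin/passwd"
    printf 'rogue helper\n'       > "$dir/root/usr/local/bin/rogue"
    chmod 4755 "$dir/root/bin/su" "$dir/root/usr/bin/su" "$dir/root/bin/mount" \
               "$dir/root/usr/bin/passwd" "$dir/root/usr/local/bin/rogue"
    su_sum=$(md5sum "$dir/root/bin/su" | awk '{print $1}')
    mount_sum=$(md5sum "$dir/root/bin/mount" | awk '{print $1}')
    printf '%s  bin/su\n%s  bin/mount\n' "$su_sum" "$mount_sum" > "$dir/info/util-linux.md5sums"
    # recorded hash deliberately does not match the file on disk
    printf '%s  usr/bin/passwd\n' d41d8cd98f00b204e9800998ecf8427e > "$dir/info/passwd.md5sums"
    echo "$dir"
}

# Usage: d=$(make_fixture); audit_setuid "$d/root" "$d/info"
# Real system: audit_setuid / /var/lib/dpkg/info
```

An ALIAS result means the file is accounted for by a package, just under a different path than the one the auditor found it at; a MODIFIED or UNOWNED result is what actually deserves a follow-up.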
