On 2023-04-23 08:47 +0200, Sven Joachim wrote:

> On 2023-04-18 20:15 -0400, Thomas Dickey wrote:
>
>> On Sat, Apr 15, 2023 at 07:27:45AM -0400, Thomas Dickey wrote:
>>> On Sat, Apr 15, 2023 at 09:05:25AM +0200, Sven Joachim wrote:
>>> > 
>>> > Security boundaries are only crossed for setuid/setgid programs here,
>>> > and we probably do not have many setuid binaries linked to libtinfo in
>>> > the distribution (on my system, I could not find any).  So I guess you
>>> > probably do not want to issue a DSA here, right?
>>> > 
>>> > Gentoo users have noticed a few problems after upgrading to the 20230408
>>> > patchlevel[1,2,3], most notably output of openrc being completely
>>> > broken.  While we do not have that particular problem because openrc in
>>> 
>>> It was already broken (the "(null)" strings come from its misuse of the
>>> ncurses interface, which will require fixes in OpenRC).  I'm not going
>>> to provide a patch for OpenRC itself - any maintainer should be able to
>>> do _that_.
>>> 
>>> Today I'll put out the fix for zero-parameter tsl, along with similar minor
>>> improvements, and if nothing else surfaces, use that as the basis for the
>>> security-patch.
>>
>> I had another fix, which works fine.  Except of course for programs which
>> call tparm without actually reading from the terminal database, and don't
>> check error returns.  I could digress...
>
> I am happy to reveal the bugs in these non-conforming programs after
> the bookworm release, but for now this is too intrusive.  We are about
> to release Debian 12 within the next two months.
>
>> ...reflecting on all of this, the low-impact change would be to use the
>> --disable-root-environ configure option (possibly --disable-root-access
>> as well).
>
> The --disable-root-environ option disables _all_ use of custom terminfo
> files by the superuser.  This has some side effects.
>
> - At least one package FTBFS[1] because it runs TERMINFO=… tic under
>   fakeroot.
>
> - Rescue mode in the non-graphical Debian installer is broken if
>   ncurses-term is not installed.  The installer uses an obscure terminal
>   emulator called bogl-bterm which sets TERM=bterm, and if that terminfo
>   entry is not found on the target system, it copies it to a temporary
>   directory and sets TERMINFO accordingly before chrooting into the
>   target system.
>
> - Emacs' term.el package sets TERM=eterm-color and TERMINFO to the
>   directory where Emacs ships this terminfo entry.  If ncurses-term is
>   not installed, running programs as root is broken.
>
> - The sysadmin can no longer use private terminfo files under
>   /root/.terminfo and has to install those into the system database
>   instead, where they affect everyone.  This might not always be
>   desired.
>
> It is because of such issues that I had proposed a new configure option
> that only restricts programs running at elevated privileges[2].

Thomas was so kind to provide a new "--disable-setuid-environ" option in
the 20230423 patchlevel which does what I want.  I had looked at
backporting this option, but as that would require changes to multiple
files, and the patches did not apply cleanly without taking some
additional changes from the previous patchlevel first, I decided on a
different route.

By removing two lines in the _nc_env_access() function, the existing
"--disable-root-environ" option becomes functionally equivalent to the
new "--disable-setuid-environ" option, allowing for a rather minimal
patch.  In #1035351 I have asked for the release team's approval.

Cheers,
       Sven
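As an added illustration of the distinction the thread turns on (this is not ncurses' own code; its _nc_env_access() is not quoted here), the following model compares the two build policies on a given set of credentials. The policy names, the helper names and the use of getuid()/geteuid()/getgid()/getegid() are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Which build-time option is modelled. Names are illustrative only. */
enum environ_policy {
    POLICY_ROOT_ENVIRON_DISABLED,   /* --disable-root-environ */
    POLICY_SETUID_ENVIRON_DISABLED  /* --disable-setuid-environ */
};

/*
 * Decide whether user-controlled environment (TERMINFO, TERMINFO_DIRS,
 * ~/.terminfo) may be honoured, given a process's credentials.
 * Written as a pure function so the two policies can be compared on
 * sample ids without changing the caller's own uid/gid.
 */
bool env_access_allowed(enum environ_policy policy,
                        uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    /* Both policies refuse when the binary runs setuid/setgid: the
     * environment was set by a less privileged caller than the one
     * whose privileges the process now holds. */
    if (uid != euid || gid != egid)
        return false;

    /* --disable-root-environ additionally refuses for the superuser even
     * when nothing is setuid. That is the case behind the side effects
     * listed above: tic under fakeroot (which reports uid 0), bterm in
     * the installer's rescue mode, and /root/.terminfo for the sysadmin. */
    if (policy == POLICY_ROOT_ENVIRON_DISABLED && (uid == 0 || euid == 0))
        return false;

    return true;
}

/* Evaluate the running process's own credentials under a policy. */
bool env_access_allowed_self(enum environ_policy policy)
{
    return env_access_allowed(policy, getuid(), geteuid(), getgid(), getegid());
}

int main(void)
{
    printf("root-environ disabled:   %s\n",
           env_access_allowed_self(POLICY_ROOT_ENVIRON_DISABLED) ? "honour" : "ignore");
    printf("setuid-environ disabled: %s\n",
           env_access_allowed_self(POLICY_SETUID_ENVIRON_DISABLED) ? "honour" : "ignore");
    return 0;
}
```

Run it once as an ordinary user and once as root (or under fakeroot) to see the two policies diverge only in the root, non-setuid case.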
