Package: kernel-package
Version: 12.036+nmu1
Severity: wishlist

As part of an effort to deter kernel exploits [1], System.map and the
kernel image should be made readable by root only, to prevent attackers
from getting knowledge of kernel addresses.

A patch would look like this:


--- ruleset/targets/image.mk    2011-02-24 02:23:38.000000000 +0100
+++ ruleset/targets/image.mk    2011-02-25 01:40:57.000000000 +0100
@@ -168,7 +168,7 @@
   ifeq ($(strip $(HAVE_INST_PATH)),)
        test ! -f System.map ||  cp System.map                         \
                        $(TMPTOP)/$(IMAGEDIR)/System.map-$(KERNELRELEASE);
-       test ! -f System.map ||  chmod 644                             \
+       test ! -f System.map ||  chmod 600                             \
                        $(TMPTOP)/$(IMAGEDIR)/System.map-$(KERNELRELEASE);
        cp $(kimagesrc) $(kimagedest)
   else
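Review bot: The `chmod 600` on the copied System.map (and the matching 644→600 / 755→700 changes in the next two hunks) has no lasting effect on its own, because the later `chmod -R og=rX $(TMPTOP)` in the same recipe re-grants group/other read before `dpkg --build`; only the extra chmod added in the last hunk actually survives into the package. If that final chmod is kept, these three hunks are redundant and could be dropped to avoid two places that disagree about the intended mode. This hunk touches only the branch where HAVE_INST_PATH is empty; the `else` branch that handles System.map for a non-empty install path begins at the last line here and is not visible, so it presumably still installs the map world-readable and would need the same treatment.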
@@ -180,12 +180,12 @@
 endif
 ifeq ($(strip $(HAVE_COFF_IMAGE)),YES)
        cp $(coffsrc)   $(coffdest)
-       chmod 644       $(coffdest)
+       chmod 600       $(coffdest)
 endif
 ifeq ($(strip $(int_install_vmlinux)),YES)
   ifneq ($(strip $(kelfimagesrc)),)
        cp $(kelfimagesrc) $(kelfimagedest)
-       chmod 644 $(kelfimagedest)
+       chmod 600 $(kelfimagedest)
   endif
 endif
 ######################################################################
@@ -197,12 +197,12 @@
 endif
 # Set permissions on the image
 ifeq ($(strip $(KERNEL_ARCH)),um)
-       chmod 755 $(kimagedest);
+       chmod 700 $(kimagedest);
   ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
        strip --strip-unneeded --remove-section=.note --remove-section=.comment 
 $(kimagedest);
   endif
 else
-       chmod 644 $(kimagedest);
+       chmod 600 $(kimagedest);
 endif
 ######################################################################
 ###   Hooks and information
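Review bot: `chmod 700 $(kimagedest)` in the `um` branch changes the semantics of that file, not just its confidentiality: the original 755 and the `strip` that follows show the UML image is installed as a user-space executable, and 700 makes it runnable by root only, whereas UML kernels are commonly run by unprivileged users. If the goal is only to hide the image contents, a mode that keeps execute for everyone while denying read (e.g. `chmod 711 $(kimagedest);`) would be the less disruptive choice, provided the UML binary does not need to read itself at runtime, which is worth confirming. The `strip` invocation on the two lines before `endif` appears to have been wrapped by the mailer and is presumably a single line in the real file.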


However, later all permissions are reset by a big chmod:


@@ -331,6 +331,7 @@
        $(create_md5sum)               $(TMPTOP)
        chmod -R og=rX                 $(TMPTOP)
        chown -R root:root             $(TMPTOP)
+       chmod og-rx $(TMPTOP)/$(IMAGEDIR)/System.map-$(KERNELRELEASE) 
$(kimagedest)
        dpkg --build                   $(TMPTOP) $(DEB_DEST)
 ifeq ($(strip $(do_clean)),YES)
 # just to be sure we are not nuking ./debian
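Review bot: The added `chmod og-rx` runs unconditionally on `$(TMPTOP)/$(IMAGEDIR)/System.map-$(KERNELRELEASE)`, but the earlier copy of that file is guarded by `test ! -f System.map ||` and only happens in the empty-HAVE_INST_PATH branch, so when the map is absent chmod fails on a missing path and the recipe aborts before `dpkg --build`. Guard it the same way, e.g. `test ! -f $(TMPTOP)/$(IMAGEDIR)/System.map-$(KERNELRELEASE) || chmod og= $(TMPTOP)/$(IMAGEDIR)/System.map-$(KERNELRELEASE)` followed by `chmod og= $(kimagedest)`; `og=` also states the intended result (no group/other bits at all) more plainly than `og-rx`. The added line is split across two lines with a trailing space here, which looks like mail wrapping; in the Makefile it must be one line or end with a backslash. As for the recursive chmod it follows, it looks like it normalises all modes under $(TMPTOP) independently of the build umask before the package is built, which is exactly why the per-file chmods earlier in the recipe are clobbered.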


What is this chmod for? The above snippet works for me, but is kind of
lame. And I guess the debug target should be modified too.

[1] 
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.37.y.git;a=commitdiff;h=59365d136d205cc20fe666ca7f89b1c5001b0d5a

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37.1-grsec (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kernel-package depends on:
ii  binutils               2.21.0.20110216-2 The GNU assembler, linker and bina
ii  build-essential        11.5              Informational list of build-essent
ii  debianutils            3.4.4             Miscellaneous utilities specific t
ii  file                   5.04-5            Determines file type using "magic"
ii  gettext                0.18.1.1-3        GNU Internationalization utilities
ii  make                   3.81-8            An utility for Directing compilati
ii  module-init-tools      3.12-1            tools for managing Linux kernel mo
ii  po-debconf             1.0.16+nmu1       tool for managing templates file t
ii  util-linux             2.17.2-9.1        Miscellaneous system utilities

Versions of packages kernel-package recommends:
ii  cpio                          2.11-7     GNU cpio -- a program to manage ar

Versions of packages kernel-package suggests:
pn  btrfs-tools               <none>         (no description available)
ii  bzip2                     1.0.5-6        high-quality block-sorting file co
pn  docbook-utils             <none>         (no description available)
ii  e2fsprogs                 1.41.12-2      ext2/ext3/ext4 file system utiliti
ii  grub                      0.97-64        GRand Unified Bootloader (dummy pa
pn  jfsutils                  <none>         (no description available)
ii  libncurses5-dev [libncurs 5.7+20100313-5 developer's libraries and docs for
pn  linux-initramfs-tool      <none>         (no description available)
pn  linux-source | kernel-sou <none>         (no description available)
pn  mcelog                    <none>         (no description available)
pn  oprofile                  <none>         (no description available)
pn  pcmciautils               <none>         (no description available)
pn  ppp                       <none>         (no description available)
ii  procps                    1:3.2.8-10     /proc file system utilities
pn  quota                     <none>         (no description available)
pn  reiserfsprogs             <none>         (no description available)
pn  squashfs-tools            <none>         (no description available)
ii  udev                      166-1          /dev/ and hotplug management daemo
pn  xfsprogs                  <none>         (no description available)
pn  xmlto                     <none>         (no description available)

-- Configuration Files:
/etc/kernel-pkg.conf changed [not included]

-- no debconf information


