Your message dated Sun, 19 Sep 2010 14:47:07 +0000
with message-id <[email protected]>
and subject line Bug#545052: fixed in bastille 1:3.0.9-13
has caused the Debian Bug report #545052,
regarding bastille adds dpkg-statoverride entries that change permissions to 0000 after upgrade
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
545052: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545052
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bastille
Version: 1:3.0.9-12.1
Severity: serious
Hello,
I run the stable release of debian, i.e. lenny (debian 5.0.6).
I wanted to harden my system using bastille, so I installed
the current bastille package from unstable, that supports
also debian 5.0 (lenny). The package from stable supports
only debian releases up to 4.0 (etch).
I used bastille to tighten up the permissions of some system
binaries, and bastille set most permissions to 750
to prevent unprivileged users from using the administration
utilities, or removed the suid flag so that the binaries
cannot be used by non-root users (from ping and mount, for
instance).
After that, bastille also ran the dpkg-statoverride command
to prevent the permissions from being reset on system upgrades.
However, this part fails and bastille sets the override
permissions to 0000!!!
This means that many of the administration utilities
have their permissions set to 0000 after upgrade and
cannot be used anymore (even by root)! This happened
to me in the last upgrade to debian version 5.0.6 with ping,
for instance:
> ls -l /bin/ping*
---------- 1 root root 30788 Jul 27 04:34 /bin/ping
---------- 1 root root 26616 Jul 27 04:34 /bin/ping6
This is serious because many important binaries are included,
for instance init, mkfs, mount, apt-get etc. It is also
difficult to find out the reason, because the upgrade
can happen long after the bastille hardening process.
I'm including a part of the bastille action log for /sbin/init,
for instance:
...
{Tue Jun 8 20:00:01 2010} ACTION File exists, running chmod 488 /sbin/init
{Tue Jun 8 20:00:01 2010} ACTION change permissions on /sbin/init from 100755 to 750
{Tue Jun 8 20:00:01 2010} ACTION chmod 750,"/sbin/init";
{Tue Jun 8 20:00:01 2010} ACTION Setting permissions with dpkg-statoverride:/usr/sbin/dpkg-statoverride --force --add #0 #0 0000 /sbin/init
...
Hopefully, this can be repaired quite quickly in unstable,
because this can make the system partly unusable without
knowing about this problem.
Lukas
--- End Message ---
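An added example (not part of the bug report or of the bastille package) of the check an administrator would want after reading the report above: it scans the "user group mode path" lines that `dpkg-statoverride --list` prints, flags overrides whose mode is all zeros, converts the decimal mode that bastille logged ("chmod 488") back to the octal form dpkg-statoverride expects, and prints the corrective command. The listing is a constructed sample, so the script runs offline.

```shell
#!/bin/sh
# Constructed sample in `dpkg-statoverride --list` format (user group mode path),
# modelled on the report; not captured from a real host.
SAMPLE_OVERRIDES='root root 0000 /sbin/init
root root 0000 /bin/ping
root root 750 /sbin/mkfs
root root 4755 /bin/mount'

# Print the path of every override whose mode grants nobody anything
# (all-zero mode), which is the state the report describes.
find_zero_mode_overrides() {
    printf '%s\n' "$1" | awk '$3 ~ /^0+$/ { print $4 }'
}

# Convert a decimal mode as it appears in the bastille log ("chmod 488")
# to the octal string dpkg-statoverride takes ("750").
dec_to_octal() {
    printf '%o\n' "$1"
}

# Build the command that replaces a broken override with the intended mode
# and applies it immediately.  $1 = path, $2 = octal mode.
# --update and --force are dpkg-statoverride options shown in the report's log.
fix_command() {
    printf 'dpkg-statoverride --update --force --add root root %s %s\n' "$2" "$1"
}

# Assumption for the demo: every flagged binary was meant to get the 750
# that the report's log shows for /sbin/init.
count=0
for path in $(find_zero_mode_overrides "$SAMPLE_OVERRIDES"); do
    count=$((count + 1))
    fix_command "$path" "$(dec_to_octal 488)"
done
echo "found $count zero-mode override(s)"
```

On a real system, replace SAMPLE_OVERRIDES with the output of `dpkg-statoverride --list` and check the intended mode of each path against the bastille action log before applying anything.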
--- Begin Message ---
Source: bastille
Source-Version: 1:3.0.9-13
We believe that the bug you reported is fixed in the latest version of
bastille, which is due to be installed in the Debian FTP archive:
bastille_3.0.9-13.diff.gz
to main/b/bastille/bastille_3.0.9-13.diff.gz
bastille_3.0.9-13.dsc
to main/b/bastille/bastille_3.0.9-13.dsc
bastille_3.0.9-13_all.deb
to main/b/bastille/bastille_3.0.9-13_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Peña <[email protected]> (supplier of updated bastille package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 19 Sep 2010 14:46:19 +0200
Source: bastille
Binary: bastille
Architecture: source all
Version: 1:3.0.9-13
Distribution: unstable
Urgency: high
Maintainer: Javier Fernandez-Sanguino Peña <[email protected]>
Changed-By: Javier Fernandez-Sanguino Peña <[email protected]>
Description:
bastille - Security hardening tool
Closes: 545052 596954
Changes:
bastille (1:3.0.9-13) unstable; urgency=high
.
* Bastille/Debian_API.pm: Fix bug in the permissions
definition in the B_statoverride. Also, return immediately if distribution
is Debian or if dpkg-statoverride is not available.
This bug caused bastille to set 0000 permissions when using
dpkg-statoverride, thus the 'high' urgency. (Closes: #596954, 545052)
* Bastille/API.pm: do not warn multiple times about the OS not being
supported, just send this message to STDERR once.
* Use debhelper compatibility version 5
* debian/control: Depend on perl instead of on perl5.
* debian/bastille.substvars: removed
--- End Message ---