Bug#341506: dpkg-source and file permissions
On Thu, Dec 08, 2005 at 08:13:25AM +0100, Frank Lichtenheld wrote:
> Please note that there is both a bug report and a patch for this problem
> already...

Actually --no-same-owner and --no-same-permissions do different things; one
changes file owners and the other sets permissions. IMHO both should be used
by dpkg-source.pl tar invocations.

> If nobody deemed this worth an advisory for the past three years it
> probably isn't worth one now...

True, but this problem is easily fixed even before someone finds a way to
exploit it.

-Mikko

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
Bug#341506: dpkg-source and file permissions
On Thu, Dec 08, 2005 at 10:02:48AM +0200, Mikko Rapeli wrote:
> On Thu, Dec 08, 2005 at 08:13:25AM +0100, Frank Lichtenheld wrote:
> > Please note that there is both a bug report and a patch for this problem
> > already...
>
> Actually --no-same-owner and --no-same-permissions do different things; one
> changes file owners and the other sets permissions. IMHO both should be used
> by dpkg-source.pl tar invocations.

Hmm, sorry for not reading #144571 properly before. The patch in bug 144571
fixed file ownerships but not the sometimes funny permissions within the
source tar packages.

Since --no-same* are GNU extensions and should be avoided, perhaps the chown
call after extracttar should be supported by a chmod 0700 -R $tmp call?

-Mikko

diff -ru dpkg-1.13.11/scripts/dpkg-source.pl dpkg-1.13.11.mkr1/scripts/dpkg-source.pl --- dpkg-1.13.11/scripts/dpkg-source.pl 2005-08-17 06:17:31.0 +0300 +++ dpkg-1.13.11.mkr1/scripts/dpkg-source.pl2005-12-08 10:07:55.248749232 +0200 @@ -642,10 +642,12 @@ my $tmp = $target.tmp-nest; (my $t = $target) =~ s!.*/!!; - mkdir($tmp,0755) || syserr(unable to create `$tmp'); + mkdir($tmp,0700) || syserr(unable to create `$tmp'); system chmod, g-s, $tmp; print($progname: unpacking $tarfile\n); extracttar($dscdir/$tarfile,$tmp,$t); + system chown, '-R', '-f', join(':',@fowner), $tmp/$t; + system chmod, '0700', '-R', '-f', $tmp/$t; rename($tmp/$t,$target) || syserr(unable to rename `$tmp/$t' to `$target'); rmdir($tmp) Only in dpkg-1.13.11.mkr1/scripts/: dpkg-source.pl.orig
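Review bot: the added `system chmod, '0700', '-R', '-f', $tmp/$t;` sets one absolute mode on every entry instead of removing the bits the caller's umask denies, so each regular file in the extracted tree becomes owner-executable (0700 on a file is rwx) and unreadable to group and others, including files a later build step may expect to read; a mask-based spec derived from umask() (or at least `u+rwX,go-rwx` if 0700-like semantics are really wanted) keeps the archive's own executable bits while still dropping the insecure ones. Separately, `-f` silences chown and chmod failures and the return value of both `system` calls is ignored, so a tree that could not be fixed is still renamed into $target as if it had been; check `$?` and call syserr the way the neighbouring mkdir and rename lines do.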
Bug#341506: dpkg-source and file permissions
merge 144571 341506
thanks

On Thu, Dec 01, 2005 at 03:32:46AM +0200, Mikko Rapeli wrote:
> Package: dpkg-dev
> Version: 1.13.11
> Version: 1.10.28
> Tags: security

Please note that there is both a bug report and a patch for this problem
already...

If nobody deemed this worth an advisory for the past three years it probably
isn't worth one now...

Gruesse,
--
Frank Lichtenheld [EMAIL PROTECTED]
www: http://www.djpig.de/
Bug#341506: dpkg-source and file permissions
On Thu, Dec 01, 2005 at 03:32:45AM +0200, Mikko Rapeli wrote:
> fakeroot combined with dpkg-source uses original source package permissions.
> If the original source has insecure permissions on files and/or directories
> dpkg-source -x should override them with umask, but:
snip

What I meant to copy-paste here at 3:30 in the morning was:

$ fakeroot /bin/sh
sh-2.05b# ls -ld rssh-*
ls: rssh-*: No such file or directory
sh-2.05b# dpkg-source -x rssh_2.2.3-1.dsc
dpkg-source: extracting rssh in rssh-2.2.3
sh-2.05b# ls -ld rssh-*
drwxrwxrwx 3 500 500 4096 Dec 1 12:29 rssh-2.2.3
sh-2.05b# umask 0077

-Mikko
Bug#341506: dpkg-source and file permissions
Mikko Rapeli wrote:
> On Thu, Dec 01, 2005 at 03:32:45AM +0200, Mikko Rapeli wrote:
> > fakeroot combined with dpkg-source uses original source package
> > permissions. If the original source has insecure permissions on files
> > and/or directories dpkg-source -x should override them with umask, but:
> snip
>
> What I meant to copy-paste here at 3:30 in the morning was:
>
> $ fakeroot /bin/sh
> sh-2.05b# ls -ld rssh-*
> ls: rssh-*: No such file or directory
> sh-2.05b# dpkg-source -x rssh_2.2.3-1.dsc
> dpkg-source: extracting rssh in rssh-2.2.3
> sh-2.05b# ls -ld rssh-*
> drwxrwxrwx 3 500 500 4096 Dec 1 12:29 rssh-2.2.3
> sh-2.05b# umask 0077

Thanks for your report, but I'd rather consider this an
if-the-user-wants-to-shoot-in-both-feet-they-should error. Why would anybody
want to run dpkg-source inside a fakerooted shell? You can't exploit root or
another user, but only leave an exploit for your own directory.

I'd still consider it a bug, though, and it should be fixed in sid.

Regards,

Joey

--
It's time to close the windows.

Please always Cc to me when replying to me on the lists.
Bug#341506: dpkg-source and file permissions
On Thu, Dec 01, 2005 at 11:34:15AM +0100, Martin Schulze wrote:
> Thanks for your report, but I'd rather consider this an
> if-the-user-wants-to-shoot-in-both-feet-they-should error. Why would
> anybody want to run dpkg-source inside a fakerooted shell? You can't
> exploit root or another user, but only leave an exploit for your own
> directory.

Oh, I need to get back to reading what the execute bit means for directories.
Sorry about this noise.

For normal users within HOME which is not executable this is not a problem,
even though I have run 'fakeroot apt-get source -b rssh' multiple times
without checking that umask is obeyed. But running apt-get source or
dpkg-source with fakeroot or as root in a world executable directory is a
problem. Perhaps not worth an advisory though.

Isn't default umask 022 in sarge? Then this might again be worth an advisory,
or not if users are expected to know about file and directory permissions.

-Mikko
Bug#341506: dpkg-source and file permissions
Package: dpkg-dev
Version: 1.13.11
Version: 1.10.28
Tags: security

fakeroot combined with dpkg-source uses original source package permissions.
If the original source has insecure permissions on files and/or directories
dpkg-source -x should override them with umask, but:

$ fakeroot /bin/sh
sh-3.00# umask 0077
sh-3.00# ls -lad *
ls: *: No such file or directory
sh-3.00# tar -zxkf ../dash_0.5.3.orig.tar.gz
sh-3.00# ls -lad *
drwxrwxrwx 3 mikko mikko 4096 2005-11-26 05:19 dash-0.5.3
sh-3.00# rm -rf *
sh-3.00# tar --no-same-permissions -zxkf ../dash_0.5.3.orig.tar.gz
sh-3.00# ls -lad *
drwx------ 3 mikko mikko 4096 2005-11-26 05:19 dash-0.5.3

Debugging reveals that dpkg-source gives options xkf to tar, and (GNU only?)
tar adds --no-same-permissions for non-root users. fakeroot is fakeroot so it
fools tar too, and -p, --same-permissions, --preserve-permissions is used
instead, as the tar manual page nicely explains.

Yeah, this is a security issue too, although any environment with compilers
is a hazard ;) Hopefully tighter permissions do not break any build
automatics.

Attached patches fix this for unstable/testing and sarge, but IMO upstream
should receive some comments too if they have o=rwx directories in their
release archives.

-Mikko

--- scripts/dpkg-source.pl 2004-11-11 05:16:35.0 +0200 +++ ../dpkg-1.10.28.sarge.mkr1/scripts/dpkg-source.pl 2005-12-01 03:43:50.0 +0200 
@@ -975,15 +975,15 @@ sub extracttar { my ($tarfileread,$dirchdir,$newtopdir) = @_; forkgzipread($tarfileread); -defined($c2= fork) || syserr(fork for tar -xkf -); +defined($c2= fork) || syserr(fork for tar --no-same-permissions -xkf -); if (!$c2) { -open(STDIN,GZIP) || syserr(reopen gzip for tar -xkf -); +open(STDIN,GZIP) || syserr(reopen gzip for tar --no-same-permissions -xkf -); cpiostderr; chdir($dirchdir) || syserr(cannot chdir to \`$dirchdir' for tar extract); -exec('tar','-xkf','-'); syserr(exec tar -xkf -); +exec('tar','--no-same-permissions','-xkf','-'); syserr(exec tar --no-same-permissions -xkf -); } close(GZIP); -$c2 == waitpid($c2,0) || syserr(wait for tar -xkf -); +$c2 == waitpid($c2,0) || syserr(wait for tar --no-same-permissions -xkf -); $? subprocerr(tar -xkf -); reapgzip; --- scripts/dpkg-source.pl 2005-08-17 06:17:31.0 +0300 +++ ../dpkg-1.13.11.mkr1/scripts/dpkg-source.pl 2005-12-01 03:53:55.0 +0200 @@ -1108,15 +1108,15 @@ sub extracttar { my ($tarfileread,$dirchdir,$newtopdir) = @_; forkgzipread($tarfileread); -defined($c2= fork) || syserr(fork for tar -xkf -); +defined($c2= fork) || syserr(fork for tar --no-same-permissions -xkf -); if (!$c2) { -open(STDIN,GZIP) || syserr(reopen gzip for tar -xkf -); +open(STDIN,GZIP) || syserr(reopen gzip for tar --no-same-permissions -xkf -); cpiostderr; chdir($dirchdir) || syserr(cannot chdir to `$dirchdir' for tar extract); -exec('tar','-xkf','-') or syserr(exec tar -xkf -); +exec('tar','--no-same-permissions','-xkf','-') or syserr(exec tar --no-same-permissions -xkf -); } close(GZIP); -$c2 == waitpid($c2,0) || syserr(wait for tar -xkf -); +$c2 == waitpid($c2,0) || syserr(wait for tar --no-same-permissions -xkf -); $? subprocerr(tar -xkf -); reapgzip;
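Review bot: in the sarge hunk (@@ -975,15 +975,15 @@), `--no-same-permissions` only restores umask handling for the mode bits; under fakeroot, or as real root, tar still defaults to --same-owner, so the extracted tree keeps the archive's uid/gid, which is the half that #144571's chown addressed. Either add --no-same-owner alongside it or keep a post-extraction chown. The flag is also a GNU tar extension, as noted elsewhere in this thread, so if portability matters the alternative is to leave the tar command line alone and strip the umask bits from the tree after extraction. Minor: the `$? ... subprocerr(tar -xkf -)` line still reports the old command while the fork, open, exec and wait messages were updated.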
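Review bot: the 1.13.11 hunk (@@ -1108,15 +1108,15 @@) is the same change as the sarge one, so the same ownership point applies: --no-same-permissions leaves tar's root-default --same-owner in effect under fakeroot, and `$? ... subprocerr(tar -xkf -)` is again left with the old text. Since both branches carry this, consider keeping the tar argument list in one variable that the fork, open, exec, wait and subprocerr messages all interpolate, so the five strings cannot drift apart again.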
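Added example, not code from the bug report, from the attached patches, or from dpkg. It reproduces the mechanism Mikko describes above (tar's -p / --same-permissions applies the archive's modes and ignores the umask, which is tar's default once it believes it runs as root, as it does under fakeroot) and then shows the portable alternative raised in the reply proposing `chmod 0700 -R`: re-applying the caller's umask to the extracted tree with plain POSIX chmod, which strips only the bits the umask denies and keeps the archive's own executable bits. The function names, the temporary directory and the sample archive with a 0777 directory and a 0666 file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the bug report, its patches or dpkg itself.
# It reproduces the reported behaviour (tar -p applies the archive's modes and
# ignores umask, which is tar's default once it believes it runs as root, e.g.
# under fakeroot) and then re-applies the caller's umask to the extracted tree
# with plain POSIX chmod, a portable alternative to GNU tar's
# --no-same-permissions and to a blanket "chmod 0700 -R".
set -eu

# Map one octal umask digit to the permission letters that digit masks out.
mask_digit_to_perms() {
    case "$1" in
        0) printf '' ;;  1) printf 'x' ;;  2) printf 'w' ;;  3) printf 'wx' ;;
        4) printf 'r' ;; 5) printf 'rx' ;; 6) printf 'rw' ;; 7) printf 'rwx' ;;
        *) echo "bad umask digit: $1" >&2; return 1 ;;
    esac
}

# Turn a umask as printed by `umask` (0077, 022, 2, ...) into a symbolic chmod
# spec such as "g-rwx,o-rwx". Pure string handling: no $(( )) or printf %d,
# so a leading zero is never misread as octal versus decimal.
umask_to_chmod_spec() {
    mask=$(printf '%4s' "$1" | tr ' ' 0)   # pad to four digits: "22" -> "0022"
    mask=${mask#"${mask%???}"}             # keep the last three: "022" (u g o)
    u=$(mask_digit_to_perms "${mask%??}")
    g=${mask#?}; g=$(mask_digit_to_perms "${g%?}")
    o=$(mask_digit_to_perms "${mask#??}")
    spec=
    [ -n "$u" ] && spec="u-$u"
    [ -n "$g" ] && spec="${spec:+$spec,}g-$g"
    [ -n "$o" ] && spec="${spec:+$spec,}o-$o"
    printf '%s' "$spec"
}

# Strip from every entry under DIR the bits the umask would have denied,
# leaving the archive's own executable bits alone. Errors are not silenced.
apply_umask_to_tree() {          # usage: apply_umask_to_tree DIR [UMASK]
    spec=$(umask_to_chmod_spec "${2:-$(umask)}")
    [ -n "$spec" ] || return 0   # umask 000: nothing to remove
    chmod -R "$spec" "$1"
}

# Build a constructed archive with a 0777 directory and a 0666 file, extract
# it with -p under umask 0077 (what fakeroot/root extraction does), then fix
# the tree. Returns one line with the four observed mode strings.
demo() {
    work=$(mktemp -d)
    (
        cd "$work"
        umask 000
        mkdir src && chmod 0777 src
        : > src/data.txt && chmod 0666 src/data.txt
        tar -cf src.tar src
        rm -rf src
        umask 0077
        tar -xpf src.tar             # -p: preserve modes, ignore umask
        dir_before=$(ls -ld src | cut -c1-10)
        file_before=$(ls -l src/data.txt | cut -c1-10)
        apply_umask_to_tree src 0077
        dir_after=$(ls -ld src | cut -c1-10)
        file_after=$(ls -l src/data.txt | cut -c1-10)
        printf 'dir_before=%s file_before=%s dir_after=%s file_after=%s\n' \
            "$dir_before" "$file_before" "$dir_after" "$file_after"
    )
    rm -rf "$work"
}
```

Run `demo` to see the world-writable directory come out of `tar -xpf` as drwxrwxrwx despite umask 0077, and drwx------ after `apply_umask_to_tree`. The spec builder removes bits rather than setting an absolute mode, which is the difference from `chmod 0700 -R`: a script that was 0755 in the archive stays executable (0700 under umask 077), while a plain data file does not gain an execute bit.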