Public bug reported:
Description:Ubuntu 12.04.1 LTS
Release:12.04
ii checksecurity 2.0.14ubuntu1 basic system security checks
Symptom: check-setuid reporting results look strange/incomplete on
initial run:
--- setuid.today2012-09-09 15:09:26.858820173 +0200
+++ /var/log/setuid/setuid.new.tmp 2012-09-09 15:09:26.858820173 +0200
@@ -0,0 +1,7 @@
+ 128575 4755 1 root root 31304 Fri Mar 2
16:35:03.00 2012 ./bin/fusermount
+ 128610 4755 1 root root 94792 Fri Mar 30
07:34:18.00 2012 ./bin/mount
+ 128648 4755 1 root root 35712 Tue Nov 8
14:26:22.00 2011 ./bin/ping
+ 128649 4755 1 root root 40256 Tue Nov 8
14:26:22.00 2011 ./bin/ping6
+ 128676 4755 1 root root 36832 Mon Apr 9
04:32:06.00 2012 ./bin/su
+ 128685 4755 1 root root 69096 Fri Mar 30
07:34:18.00 2012 ./bin/umount
+ 136537 2755 1 root shadow 35432 Thu Feb 9
02:44:43.00 2012 ./sbin/unix_chkpwd
1. Does not appear to have examined /usr/bin (or anywhere else outside of /).
2. Paths are relative (./...).
The problem is the set of start paths given to find(1) in
/usr/share/checksecurity/check-setuid:
find `mount | grep -vE $CHECKSECURITY_FILTER | cut -d ' ' -f 3`
The grep -v excludes mount lines matching the pattern
CHECKSECURITY_FILTER. CHECKSECURITY_FILTER is set in
/etc/checksecurity/check-setuid.conf by alternating CS_NFSAFS, CS_TYPES,
CS_OPTS, CS_DEVS, CS_DIRS. The first of these contains the bug:
CS_NFSAFS='(type (nfs|afs|coda|lustre|mfs|nnpfs|)|^(arla .* type xfs))'
^ here
The pipe and closing parenthesis after nnpfs provide an empty term in
the alternation. This matches any type and so all lines from mount(1)'s
output are excluded.
In the absence of an argument list find(1) uses the current working
directory (and -xdev ensures we don't escape from this directory).
(In the example output above /bin and /sbin are directories on the
root filesystem /. /usr is a separate filesystem). Consequently
check-setuid is not checking any other filesystem than /.
** Affects: checksecurity (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to checksecurity in Ubuntu.
https://bugs.launchpad.net/bugs/1048248
Title:
check-setuid does not check all filesystems
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/checksecurity/+bug/1048248/+subscriptions
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs