I reviewed schroot version 1.6.8-1 as checked into trusty. This should not
be considered a full security review but rather a quick gauge of
maintainability.

- schroot provides a setuid mechanism to allow unprivileged users to
  access predefined chroot environments, especially useful for managing
  build environments.
- Build-Depends: cmake, debhelper, pkg-config, libpam0g-dev, uuid-dev,
  libboost-dev, libboost-iostreams-dev, libboost-program-options-dev,
  libboost-regex-dev, libboost-filesystem-dev, gettext, libcppunit-dev,
  groff-base, po4a, doxygen, graphviz
- No cryptography
- No networking
- Does not daemonize
- pre-, post- -install, -rm scripts appear to clean up after each other
- init script can either clean up or repair schroot instances at boot,
  tear down schroot instances at shutdown
- No dbus services
- dchroot, dchroot-dsa, schroot setuid executables
- No sudo fragments
- No udev rules
- A variety of tests are run at build time
- No cronjobs
- Build logs are cluttered with percentages, doxygen failures, etc., but
  the actual code is mostly clean, with only a few warnings

- Subprocesses spawned extensively, safe APIs appear to be used
- Memory management looked careful
- Not much file management, looked careful
- Logging looked careful
- No environment variable handling
- Significant privileged code operations, looked careful
- No cryptography
- No networking
- No temporary file handling
- No WebKit
- No JavaScript
- No PolicyKit
- Clean cppcheck

The code looked like idiomatic C++ -- not necessarily easy to digest
in a quick glance but it looked like it has been designed well by
professionals. Since chroots are not very useful as a security device, I
did not consider auditing schroot as if it were a security device -- I
consider schroot to be a tool of convenience, primarily for build
environments.

However, the schroot binaries are large setuid executables that are
lacking the basic hardening tools PIE, fortify source, and immediate
binding. We should enable these hardening steps to reduce the chance
of exploitation of the executable -- even if the configuration may be
too lenient to provide security, the tools themselves should still be
hardened. (I know doko mentioned the hardening defaults, but the 1.6.8-1
build log [1] does not show Fortify or PIE support.)

Before promoting to main, please enable PIE, Fortify source, and
immediate binding.

With this request, security team ACK for promoting schroot to main.

Thanks

[1]: https://launchpadlibrarian.net/161584565/buildlog_ubuntu-trusty-amd64.schroot_1.6.8-1_UPLOADING.txt.gz


** Changed in: schroot (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1259153

Title:
  [MIR] schroot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lockdev/+bug/1259153/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
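The review above asks for PIE, Fortify source and immediate binding (BIND_NOW) on the setuid schroot binaries. The following is an added example, not part of the bug report and not schroot's own code: a small Python checker that reads those properties straight out of an ELF64 file (the e_type in the ELF header, the PT_DYNAMIC and PT_GNU_RELRO program headers, the DT_FLAGS/DT_FLAGS_1 dynamic tags, and the presence of `__*_chk` symbol names that Fortify emits). The `build_sample_elf` helper is a constructed, non-loadable ELF image so the example runs offline; on a real system you would point the script at the installed binaries instead.

```python
"""Added example (not from the bug report or the schroot project): check an
ELF64 binary for PIE, BIND_NOW/RELRO and Fortify without readelf."""
import re
import struct
import sys

# ELF constants (from the ELF specification and glibc's elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr
DYN = struct.Struct("<qQ")                  # Elf64_Dyn


def parse_elf(data):
    """Return (e_type, set of program header types, dict of dynamic tags)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    h = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = h[1], h[5], h[9], h[10]
    ptypes, tags = set(), {}
    for i in range(e_phnum):
        p = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        ptypes.add(p[0])
        if p[0] == PT_DYNAMIC:             # p[2] = p_offset, p[5] = p_filesz
            for j in range(p[5] // DYN.size):
                tag, val = DYN.unpack_from(data, p[2] + j * DYN.size)
                if tag == DT_NULL:
                    break
                tags[tag] = val
    return e_type, ptypes, tags


def check_hardening(data):
    """Report the hardening properties the MIR review asks for."""
    e_type, ptypes, tags = parse_elf(data)
    flags, flags1 = tags.get(DT_FLAGS, 0), tags.get(DT_FLAGS_1, 0)
    bind_now = bool(DT_BIND_NOW in tags or flags & DF_BIND_NOW or flags1 & DF_1_NOW)
    has_relro = PT_GNU_RELRO in ptypes
    return {
        # ET_EXEC is never PIE; ET_DYN is a PIE or a shared object
        # (newer linkers also set DF_1_PIE in DT_FLAGS_1 for executables).
        "pie": e_type == ET_DYN,
        "bind_now": bind_now,
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
        # Heuristic: -D_FORTIFY_SOURCE replaces calls with __*_chk variants,
        # whose names land in the dynamic string table.
        "fortify": re.search(rb"__[a-z0-9_]+_chk\0", data) is not None,
    }


def build_sample_elf(pie=True, bind_now=True, relro=True, fortify=True):
    """Constructed sample: a minimal, non-loadable ELF64 image with just a
    header, program headers, a dynamic segment and a string blob."""
    dyn = b""
    if bind_now:
        dyn += DYN.pack(DT_FLAGS, DF_BIND_NOW)
        dyn += DYN.pack(DT_FLAGS_1, DF_1_NOW | (DF_1_PIE if pie else 0))
    dyn += DYN.pack(DT_NULL, 0)
    strtab = b"\0__printf_chk\0" if fortify else b"\0printf\0"
    phnum = 2 if relro else 1
    dyn_off = EHDR.size + phnum * PHDR.size
    phdrs = PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    if relro:
        phdrs += PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + phdrs + dyn + strtab


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:           # e.g. /usr/bin/schroot
            with open(path, "rb") as fh:
                print(path, check_hardening(fh.read()))
    else:
        print("hardened sample:  ", check_hardening(build_sample_elf()))
        print("unhardened sample:", check_hardening(build_sample_elf(False, False, False, False)))
```

Run it with the paths of the setuid binaries to see which of the three properties are missing. The Fortify check is a heuristic: it only proves that at least one fortified call exists, and a binary whose code never calls a fortifiable function would show `False` even when built with `-D_FORTIFY_SOURCE=2`. The `pie` result is also conservative in the other direction, since a shared library is ET_DYN too; for a file you know is an executable, ET_DYN means PIE. On Debian and Ubuntu the `hardening-check` script from devscripts performs the same inspection with readelf.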
