[buildd-tools-devel] Bug#661037: process building package can escape from chroot and gain local root
Johannes Schauer
josch at debian.org
Thu Dec 24 07:58:56 UTC 2015
Control: tag -1 + patch
Hi,
On Thu, 23 Feb 2012 19:37:14 +0100 Ansgar Burchardt <ansgar at debian.org> wrote:
> When building a package with sbuild, the processes running in the chroot can
> escape from there and gain local root. This is possible as the processes in-
> and outside of the chroot environment run under the same user id and the
> outside process can run commands as root in the chroot environment.
>
> To be precise, a malicious package could for example use gdb to attach
> to the outside process and then execute something along the lines of
> system("schroot -u root -c [known-chroot-name] [some-command]"). An
> example package doing so is attached (it needs procps installed in the
> chroot):
>
> =====================================================================
> [...]
> 1001 12772 \_ /usr/bin/perl /usr/bin/sbuild -j12 -d unstable -A sbuild-to-root_1.dsc
> 1001 12779 \_ package log for sbuild-to-root_1_amd64
> root 13988 \_ schroot -d /ëPKGBUILDDIRû -c unstable-amd64-sbuild-0fda4b02-2706-4743-8931-1c77cac39d9c --run-session -q -u sbuild-user -p -- dpkg-buildpackage -us -uc -b -rfakeroot -j12
> 1001 13989 \_ /usr/bin/perl /usr/bin/dpkg-buildpackage -us -uc -b -rfakeroot -j12
> 1001 14041 \_ /usr/bin/make -f debian/rules build
> 1001 14042 \_ /usr/bin/perl -w /usr/bin/dh build
> 1001 14051 \_ /usr/bin/make -f debian/rules override_dh_auto_build
> 1001 14052 \_ /bin/sh ./sbuild-to-root
> 1001 14053 \_ ps axfu
> [...]
> Will try using 12772...
> Guessed chroot name: unstable-amd64-sbuild
> --- gdb-script -----------------------
> p system("cd /; schroot -u root -c unstable-amd64-sbuild ps axfu")
> detach
> --------------------------------------
> [...]
> 1001 12772 \_ /usr/bin/perl /usr/bin/sbuild -j12 -d unstable -A sbuild-to-root_1.dsc
> 1001 12779 \_ package log for sbuild-to-root_1_amd64
> root 13988 \_ schroot -d /ëPKGBUILDDIRû -c unstable-amd64-sbuild-0fda4b02-2706-4743-8931-1c77cac39d9c --run-session -q -u sbuild-user -p -- dpkg-buildpackage -us -uc -b -rfakeroot -j12
> 1001 13989 | \_ /usr/bin/perl /usr/bin/dpkg-buildpackage -us -uc -b -rfakeroot -j12
> 1001 14041 | \_ /usr/bin/make -f debian/rules build
> 1001 14042 | \_ /usr/bin/perl -w /usr/bin/dh build
> 1001 14051 | \_ /usr/bin/make -f debian/rules override_dh_auto_build
> 1001 14052 | \_ /bin/sh ./sbuild-to-root
> 1001 14068 | \_ gdb -batch -x gdb-script /usr/bin/perl 12772
> 1001 14072 \_ sh -c cd /; schroot -u root -c unstable-amd64-sbuild ps axfu
> root 14073 \_ schroot -u root -c unstable-amd64-sbuild ps axfu
> root 14169 \_ /bin/ps axfu
> [...]
> =====================================================================
>
> As building untrusted package is not a good idea anyway, I don't think
> this issue is grave, however it would still be nice if there was an option to
> run the processes inside the chroot under a different userid.
that's an awesome find! Thank you!
Unfortunately I'm not able to reproduce your log because when running gdb
inside the chroot I get:
gdb-script:2: Error in sourced command file:
No symbol table is loaded. Use the "file" command.
My gdb-foo is too weak to fix this problem (using the file command did not
work).
Nevertheless I now have the following patch in my local git which allows to
specify the username used inside the chroot in the sbuildrc:
--- a/lib/Sbuild/ConfBase.pm
+++ b/lib/Sbuild/ConfBase.pm
@@ -221,9 +221,11 @@ sub init_allowed_keys {
},
'BUILD_USER' => {
TYPE => 'STRING',
- GROUP => '__INTERNAL',
+ VARNAME => 'build_user',
+ GROUP => 'Core options',
DEFAULT => $username,
- HELP => 'Username used for building. Should not require setting.'
+ IGNORE_DEFAULT => 1, # don't write the username into the config
+ HELP => 'Username used for running dpkg-buildpackage. By default the user running sbuild is used within the chroot as well but that might allow a process from within the chroot to break out of the chroot by attaching to a process running outside the chroot with eg. gdb and then becoming root inside the chroot through schroot and thus be able to leave the chroot.'
},
'VERBOSE' => {
TYPE => 'NUMERIC',
I'd like to test its effect though so if you know what is wrong with your gdb
script, please share :)
Thanks!
cheers, josch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: signature
URL: <http://lists.alioth.debian.org/pipermail/buildd-tools-devel/attachments/20151224/11143426/attachment.sig>
More information about the Buildd-tools-devel
mailing list