[buildd-tools-devel] Bug#661037: process building package can escape from chroot and gain local root

Johannes Schauer josch at debian.org
Thu Dec 24 07:58:56 UTC 2015 

Control: tag -1 + patch

Hi,

On Thu, 23 Feb 2012 19:37:14 +0100 Ansgar Burchardt <ansgar at debian.org> wrote:
> When building a package with sbuild, the processes running in the chroot can
> escape from there and gain local root. This is possible as the processes in-
> and outside of the chroot environment run under the same user id and the
> outside process can run commands as root in the chroot environment.
> 
> To be precise, a malicious package could for example use gdb to attach
> to the outside process and then execute something along the lines of
> system("schroot -u root -c [known-chroot-name] [some-command]").  An
> example package doing so is attached (it needs procps installed in the
> chroot):
> 
> =====================================================================
> [...]
> 1001     12772   \_ /usr/bin/perl /usr/bin/sbuild -j12 -d unstable -A sbuild-to-root_1.dsc
> 1001     12779       \_ package log for sbuild-to-root_1_amd64
> root     13988       \_ schroot -d /«PKGBUILDDIR» -c unstable-amd64-sbuild-0fda4b02-2706-4743-8931-1c77cac39d9c --run-session -q -u sbuild-user -p -- dpkg-buildpackage -us -uc -b -rfakeroot -j12
> 1001     13989           \_ /usr/bin/perl /usr/bin/dpkg-buildpackage -us -uc -b -rfakeroot -j12
> 1001     14041               \_ /usr/bin/make -f debian/rules build
> 1001     14042                   \_ /usr/bin/perl -w /usr/bin/dh build
> 1001     14051                       \_ /usr/bin/make -f debian/rules override_dh_auto_build
> 1001     14052                           \_ /bin/sh ./sbuild-to-root
> 1001     14053                               \_ ps axfu
> [...]
> Will try using 12772...
> Guessed chroot name: unstable-amd64-sbuild
> --- gdb-script -----------------------
> p system("cd /; schroot -u root -c unstable-amd64-sbuild ps axfu")
> detach
> --------------------------------------
> [...]
> 1001     12772   \_ /usr/bin/perl /usr/bin/sbuild -j12 -d unstable -A sbuild-to-root_1.dsc
> 1001     12779       \_ package log for sbuild-to-root_1_amd64
> root     13988       \_ schroot -d /«PKGBUILDDIR» -c unstable-amd64-sbuild-0fda4b02-2706-4743-8931-1c77cac39d9c --run-session -q -u sbuild-user -p -- dpkg-buildpackage -us -uc -b -rfakeroot -j12
> 1001     13989       |   \_ /usr/bin/perl /usr/bin/dpkg-buildpackage -us -uc -b -rfakeroot -j12
> 1001     14041       |       \_ /usr/bin/make -f debian/rules build
> 1001     14042       |           \_ /usr/bin/perl -w /usr/bin/dh build
> 1001     14051       |               \_ /usr/bin/make -f debian/rules override_dh_auto_build
> 1001     14052       |                   \_ /bin/sh ./sbuild-to-root
> 1001     14068       |                       \_ gdb -batch -x gdb-script /usr/bin/perl 12772
> 1001     14072       \_ sh -c cd /; schroot -u root -c unstable-amd64-sbuild ps axfu
> root     14073           \_ schroot -u root -c unstable-amd64-sbuild ps axfu
> root     14169               \_ /bin/ps axfu
> [...]
> =====================================================================
> 
> As building untrusted package is not a good idea anyway, I don't think
> this issue is grave, however it would still be nice if there was an option to
> run the processes inside the chroot under a different userid.

that's an awesome find! Thank you!

Unfortunately I'm not able to reproduce your log because when running gdb
inside the chroot I get:

gdb-script:2: Error in sourced command file:
No symbol table is loaded.  Use the "file" command.

My gdb-foo is too weak to fix this problem (using the file command did not
work).

Nevertheless I now have the following patch in my local git which allows to
specify the username used inside the chroot in the sbuildrc:

--- a/lib/Sbuild/ConfBase.pm
+++ b/lib/Sbuild/ConfBase.pm
@@ -221,9 +221,11 @@ sub init_allowed_keys {
        },
        'BUILD_USER'                            => {
            TYPE => 'STRING',
-           GROUP => '__INTERNAL',
+           VARNAME => 'build_user',
+           GROUP => 'Core options',
            DEFAULT => $username,
-           HELP => 'Username used for building.  Should not require setting.'
+           IGNORE_DEFAULT => 1, # don't write the username into the config
+           HELP => 'Username used for running dpkg-buildpackage. By default the user running sbuild is used within the chroot as well but that might allow a process from within the chroot to break out of the chroot by attaching to a process running outside the chroot with eg. gdb and then becoming root inside the chroot through schroot and thus be able to leave the chroot.'
        },
        'VERBOSE'                               => {
            TYPE => 'NUMERIC',


I'd like to test its effect though so if you know what is wrong with your gdb
script, please share :)

Thanks!

cheers, josch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: signature
URL: <http://lists.alioth.debian.org/pipermail/buildd-tools-devel/attachments/20151224/11143426/attachment.sig>

More information about the Buildd-tools-devel mailing list