Bug#654599: grub-common: Create/chmod race in grub-mkconfig can leak passwords

Vladimir 'φ-coder/phcoder' Serbinenko phcoder at gmail.com
Fri Feb 3 11:17:18 UTC 2012 

tag 654599 fixed-upstream
thanks

The suggested change has been made upstream

On 04.01.2012 16:01, Mark Wooding wrote:
> Package: grub-common
> Version: 1.99-12
> Severity: normal
>
> The output configuration is created with this code.
>
> if test "x${grub_cfg}" != "x"; then
>    rm -f ${grub_cfg}.new
>    exec>  ${grub_cfg}.new
>
>    # Allow this to fail, since /boot/grub/ might need to be fatfs to support some
>    # firmware implementations (e.g. OFW or EFI).
>    chmod 400 ${grub_cfg}.new || grub_warn "Could not make ${grub_cfg}.new readable by only root.\
>    This means that if the generated config contains a password it is readable by everyone"
> fi
>
> Later, if the generated output doesn't contain a password entry, the
> permissions are relaxed again.
>
> This is not enough to protect password, however.  The file is initally
> created using the prevailing umask, which will likely be permissive.  If
> another user opens the file for reading after it is created but before
> its permissions are altered, the resulting file descriptor can be used
> to read the entire file once it's been written.
>
> Two correct fixes:
>
>    * Change the exec line to something like
>
> 	oldumask=$(umask); umask 077
> 	exec>  "${grub_cfg}.new"
> 	umask $oldumask
>
>      Remove the chmod stanza.
>
>    * Instead of creating the file as $grub_cfg.new,
>
> 	rm -rf "${grub_cfg}.new.d/file"
> 	mkdir -m700 "${grub_cfg}.new.d"
> 	exec>  "${grub_cfg}.new.d/file"
> 	chmod 400 "${grub_cfg}.new.d/file"
> 	mv "${grub_cfg}.new.d/file" "${grub_cfg}.new
> 	rmdir "${grub_cfg}.new.d"
>
> I strongly prefer the former.
>
> -- System Information:
> Debian Release: wheezy/sid
>    APT prefers testing
>    APT policy: (990, 'testing'), (500, 'unstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 3.0.0-1-686-pae (SMP w/1 CPU core)
> Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages grub-common depends on:
> ii  gettext-base        0.18.1.1-5
> ii  libc6               2.13-21
> ii  libdevmapper1.02.1  2:1.02.65-1
> ii  libfreetype6        2.4.6-2
> ii  libfuse2            2.8.6-1
> ii  zlib1g              1:1.2.3.4.dfsg-3
>
> Versions of packages grub-common recommends:
> ii  os-prober  1.49
>
> Versions of packages grub-common suggests:
> pn  desktop-base<none>
> pn  grub-emu<none>
> pn  multiboot-doc<none>
> pn  xorriso<none>
>
> -- no debconf information
>
> -- debsums errors found:
> dpkg-query: warning: parsing file '/var/lib/dpkg/status' near line 1581 package 'anag':
>   missing architecture
> dpkg-query: warning: parsing file '/var/lib/dpkg/status' near line 29969 package 'priv':
>   missing architecture
>
>
>
> _______________________________________________
> Pkg-grub-devel mailing list
> Pkg-grub-devel at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-grub-devel
>


-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko

More information about the Pkg-grub-devel mailing list