Bug#654599: grub-common: Create/chmod race in grub-mkconfig can leak passwords

Mark Wooding mdw at distorted.org.uk
Wed Jan 4 15:01:26 UTC 2012


Package: grub-common
Version: 1.99-12
Severity: normal

The output configuration is created with this code.

if test "x${grub_cfg}" != "x"; then
  rm -f ${grub_cfg}.new
  exec > ${grub_cfg}.new

  # Allow this to fail, since /boot/grub/ might need to be fatfs to support some
  # firmware implementations (e.g. OFW or EFI).
  chmod 400 ${grub_cfg}.new || grub_warn "Could not make ${grub_cfg}.new readable by only root.\
  This means that if the generated config contains a password it is readable by everyone"
fi

Later, if the generated output doesn't contain a password entry, the
permissions are relaxed again.

This is not enough to protect the password, however.  The file is initially
created using the prevailing umask, which will likely be permissive.  If
another user opens the file for reading after it is created but before
its permissions are altered, the resulting file descriptor can be used
to read the entire file once it's been written.

Two correct fixes:

  * Change the exec line to something like

	oldumask=$(umask); umask 077
	exec > "${grub_cfg}.new"
	umask $oldumask

    Remove the chmod stanza.

  * Instead of creating the file as $grub_cfg.new,

	rm -rf "${grub_cfg}.new.d/file"
	mkdir -m700 "${grub_cfg}.new.d"
	exec > "${grub_cfg}.new.d/file"
	chmod 400 "${grub_cfg}.new.d/file"
	mv "${grub_cfg}.new.d/file" "${grub_cfg}.new"
	rmdir "${grub_cfg}.new.d"

I strongly prefer the former.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages grub-common depends on:
ii  gettext-base        0.18.1.1-5      
ii  libc6               2.13-21         
ii  libdevmapper1.02.1  2:1.02.65-1     
ii  libfreetype6        2.4.6-2         
ii  libfuse2            2.8.6-1         
ii  zlib1g              1:1.2.3.4.dfsg-3

Versions of packages grub-common recommends:
ii  os-prober  1.49

Versions of packages grub-common suggests:
pn  desktop-base   <none>
pn  grub-emu       <none>
pn  multiboot-doc  <none>
pn  xorriso        <none>

-- no debconf information

-- debsums errors found:
dpkg-query: warning: parsing file '/var/lib/dpkg/status' near line 1581 package 'anag':
 missing architecture
dpkg-query: warning: parsing file '/var/lib/dpkg/status' near line 29969 package 'priv':
 missing architecture
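
Added example (not part of the original report or of GRUB's code): a shell sketch of the create/chmod window described in the report and of the first proposed fix. The temporary paths, the function names and the secret string are constructed for illustration; descriptor 3 stands in for another user's open() between creation and chmod.

```shell
#!/bin/sh
# Constructed demo: all files live in a private mktemp directory and the
# "secret" is a made-up string, not a real GRUB password entry.

# Print the mode string (e.g. -rw-------) of a file; ls is used for portability.
mode_of() { ls -l "$1" | cut -c1-10; }

# Pattern from the report: create under the prevailing umask, chmod afterwards.
# A descriptor opened between the two steps survives the chmod.
racy_create() {
  dir=$(mktemp -d) || return 1
  cfg="$dir/grub.cfg.new"
  (
    umask 022                     # typical permissive umask
    exec 4> "$cfg"                # file is created here with mode 0644
    mode_of "$cfg"                # line 1 of output: mode during the window
    exec 3< "$cfg"                # stand-in for a reader opening the file early
    chmod 400 "$cfg"              # changes the inode mode, not open descriptors
    echo "password_pbkdf2 CONSTRUCTED-SECRET" >&4
    exec 4>&-
    cat <&3                       # line 2: early descriptor reads the content
  )
  rm -rf "$dir"
}

# First fix from the report: restrictive umask around the creating open,
# so the file is never world-readable and no chmod is needed.
safe_create() {
  dir=$(mktemp -d) || return 1
  cfg="$dir/grub.cfg.new"
  (
    oldumask=$(umask); umask 077
    exec 4> "$cfg"                # file is created here with mode 0600
    umask "$oldumask"
    mode_of "$cfg"                # mode before any data has been written
    echo "password_pbkdf2 CONSTRUCTED-SECRET" >&4
    exec 4>&-
  )
  rm -rf "$dir"
}

racy_create
safe_create
```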




