Bug#654599: grub-common: Create/chmod race in grub-mkconfig can leak passwords
Mark Wooding
mdw at distorted.org.uk
Wed Jan 4 15:01:26 UTC 2012
Package: grub-common
Version: 1.99-12
Severity: normal
The output configuration is created with this code.

    if test "x${grub_cfg}" != "x"; then
      rm -f ${grub_cfg}.new
      exec > ${grub_cfg}.new

      # Allow this to fail, since /boot/grub/ might need to be fatfs to support some
      # firmware implementations (e.g. OFW or EFI).
      chmod 400 ${grub_cfg}.new || grub_warn "Could not make ${grub_cfg}.new readable by only root.\
      This means that if the generated config contains a password it is readable by everyone"
    fi

Later, if the generated output doesn't contain a password entry, the
permissions are relaxed again.

This is not enough to protect passwords, however. The file is initially
created using the prevailing umask, which will likely be permissive. If
another user opens the file for reading after it is created but before
its permissions are altered, the resulting file descriptor can be used
to read the entire file once it's been written.

Two correct fixes:

  * Change the exec line to something like

        oldumask=$(umask); umask 077
        exec > "${grub_cfg}.new"
        umask $oldumask

    Remove the chmod stanza.

  * Instead of creating the file as $grub_cfg.new,

        rm -rf "${grub_cfg}.new.d/file"
        mkdir -m700 "${grub_cfg}.new.d"
        exec > "${grub_cfg}.new.d/file"
        chmod 400 "${grub_cfg}.new.d/file"
        mv "${grub_cfg}.new.d/file" "${grub_cfg}.new"
        rmdir "${grub_cfg}.new.d"

I strongly prefer the former.

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 3.0.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages grub-common depends on:
ii gettext-base 0.18.1.1-5
ii libc6 2.13-21
ii libdevmapper1.02.1 2:1.02.65-1
ii libfreetype6 2.4.6-2
ii libfuse2 2.8.6-1
ii zlib1g 1:1.2.3.4.dfsg-3
Versions of packages grub-common recommends:
ii os-prober 1.49
Versions of packages grub-common suggests:
pn desktop-base <none>
pn grub-emu <none>
pn multiboot-doc <none>
pn xorriso <none>
-- no debconf information
-- debsums errors found:
dpkg-query: warning: parsing file '/var/lib/dpkg/status' near line 1581 package 'anag':
missing architecture
dpkg-query: warning: parsing file '/var/lib/dpkg/status' near line 29969 package 'priv':
missing architecture
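
Added example, not part of the original report and not grub-mkconfig code: it reproduces the create/chmod window described above inside a single process and compares it with the umask-first fix. The helper names, the 022 umask and the sample password line are constructed for illustration.

```shell
#!/bin/sh
# Octal mode of a file: GNU stat first, BSD stat as fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Reported pattern: create under the prevailing umask, chmod afterwards.
# Echoes the mode the file has between creation and chmod (the window).
create_then_chmod() {
    f=$1
    rm -f "$f"
    ( umask 022          # constructed: a typical permissive umask
      : > "$f"           # file now exists, chmod has not run yet
      mode_of "$f"
      chmod 400 "$f" )
}

# First proposed fix: restrict the umask before the file exists.
# Echoes the mode at creation time; there is no permissive window.
create_with_umask() {
    f=$1
    rm -f "$f"
    ( umask 077
      : > "$f"
      mode_of "$f" )
}

# Why the late chmod does not help: fd 3 stands in for another user's
# open() during the window. Echoes what it can still read afterwards.
read_via_early_fd() {
    f=$1
    rm -f "$f"
    ( umask 022
      exec 4> "$f"       # writer creates the file, like "exec > file"
      exec 3< "$f"       # reader opens it while it is still 0644
      chmod 400 "$f"     # permissions tightened too late
      echo 'password_pbkdf2 root CONSTRUCTED-HASH' >&4
      exec 4>&-
      cat <&3 )          # access is checked at open(), not at read()
}

d=$(mktemp -d)
echo "create-then-chmod, mode in window: $(create_then_chmod "$d/a.new")"
echo "umask 077 first, mode at creation: $(create_with_umask "$d/b.new")"
echo "read through early descriptor:     $(read_via_early_fd "$d/c.new")"
rm -rf "$d"
```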