Package: debootstrap
Tags: security
Severity: normal

I've noticed that it's not uncommon for one to use debootstrap to create a chroot, and leave the chroot lying around, and not realize that one has introduced several setuid/setgid binaries into the system, that are not getting regular security updates.
At least these, and often more when more packages are installed in the chroot:

    205699 72 -rwsr-xr-x 1 root root    66152 Apr 29  2008 ./bin/mount
    206693 36 -rwsr-xr-x 1 root root    32792 Dec 10  2007 ./bin/ping
    206184 36 -rwsr-xr-x 1 root root    33112 Dec  6 06:35 ./bin/su
    206692 28 -rwsr-xr-x 1 root root    28560 Dec 10  2007 ./bin/ping6
    205700 48 -rwsr-xr-x 1 root root    46040 Apr 29  2008 ./bin/umount
    206359 12 -rwsr-xr-x 1 root root    10512 Oct 18 19:24 ./usr/lib/pt_chown
    206263 40 -rwsr-xr-x 1 root root    39104 Dec  6 06:35 ./usr/bin/passwd
    206260 36 -rwsr-xr-x 1 root root    33376 Dec  6 06:35 ./usr/bin/chsh
    206259 36 -rwsr-xr-x 1 root root    36416 Dec  6 06:35 ./usr/bin/chfn
    206262 56 -rwsr-xr-x 1 root root    49536 Dec  6 06:35 ./usr/bin/gpasswd
    206182 28 -rwsr-xr-x 1 root root    28600 Dec  6 06:35 ./usr/bin/newgrp
    205145 32 -rwxr-sr-x 1 root shadow  29944 Mar 24  2009 ./sbin/unix_chkpwd
    205681 12 -rwxr-sr-x 1 root tty     11728 Apr 29  2008 ./usr/bin/wall
    206261 24 -rwxr-sr-x 1 root shadow  24376 Dec  6 06:35 ./usr/bin/expiry
    206258 60 -rwxr-sr-x 1 root shadow  55168 Dec  6 06:35 ./usr/bin/chage
    206441 32 -rwxr-sr-x 1 root crontab 32048 Sep 28  2008 ./usr/bin/crontab
    205931 12 -rwxr-sr-x 1 root tty     10928 Nov 20  2007 ./usr/bin/bsd-write

As a secondary problem, not all users in the chroot are the same as those outside, so it's possible some of these run setuid to the wrong user if run from outside the chroot. For example, in a more populated chroot, I see:

    247252 104 -rwxr-sr-x 1 root mlocate 99240 Jan 14  2009 ./usr/bin/ssh-agent

So, I wonder if it's worth having debootstrap mitigate this exposure? It could just make the top of the chroot mode 700. d-i would then have to be changed to fix the permissions of /target after debootstrap runs. It's possible that this would break assumptions made by e.g., pbuilder, about user visibility into a chroot, I don't know.

-- 
see shy jo
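The following is an added audit script, not part of the bug report and not debootstrap's own code. It takes the path of a chroot as its argument (function names, the report format and the `check_chroot` return convention are this example's own assumptions) and shows the two exposures described above on a real directory tree: it lists every setuid/setgid regular file below the chroot, resolves each file's numeric uid/gid both through the chroot's own `etc/passwd`/`etc/group` and through the host's, flags the names that differ (the `mlocate`-vs-host-group case), and reports whether the top of the chroot is already mode 700 as the report proposes. It relies on GNU find's `-printf`, which is what Debian ships.

```shell
#!/bin/sh
# Added example (hypothetical helper, not debootstrap code): audit a chroot for
#   1. setuid/setgid files that live outside the host's security-update cycle, and
#   2. uid/gid values whose names inside the chroot differ from the host's, so a
#      privileged binary run from outside runs as the "wrong" account.
# Also reports whether the chroot top directory is closed to other users (mode 700).
# Requires GNU find (-printf).

# One line per setuid/setgid regular file: "<mode> <uid> <gid> <path>"
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%M %U %G %p\n' | sort -k4
}

# Resolve numeric id $2 to a name using passwd/group-format file $1; "?" if unknown.
id_name() {
    [ -r "$1" ] || { echo "?"; return 0; }
    awk -F: -v id="$2" '$3 == id { print $1; f = 1; exit } END { if (!f) print "?" }' "$1"
}

# True when the group/other permission bits of directory $1 are all clear (e.g. 700).
top_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Full audit of chroot $1. Prints findings; returns 0 only when no setuid/setgid
# file is present (the primary problem), 1 otherwise.
check_chroot() {
    root=$1
    if top_is_private "$root"; then
        echo "ok: $root is mode 700-style; other users cannot reach its binaries"
    else
        echo "WARN: $root is traversable by other users; its setuid/setgid files are reachable"
    fi
    n=$(list_suid "$root" | wc -l | tr -d ' ')
    # Each id is resolved twice: through the chroot's files and through the host's.
    list_suid "$root" | while read -r mode uid gid path; do
        cu=$(id_name "$root/etc/passwd" "$uid"); hu=$(id_name /etc/passwd "$uid")
        cg=$(id_name "$root/etc/group" "$gid");  hg=$(id_name /etc/group "$gid")
        echo "suid: $mode $cu:$cg $path"
        [ "$cu" = "$hu" ] || echo "WARN: uid $uid is '$cu' in chroot but '$hu' on host: $path"
        [ "$cg" = "$hg" ] || echo "WARN: gid $gid is '$cg' in chroot but '$hg' on host: $path"
    done
    echo "$n setuid/setgid file(s) under $root will not receive host security updates"
    [ "$n" -eq 0 ]
}

# Usage: sh audit-chroot.sh /path/to/chroot
[ "$#" -eq 1 ] && check_chroot "$1"
```

Run against a chroot left behind by debootstrap, the output reproduces the listing above in condensed form and adds a warning line for every file whose owner or group name would be read differently outside the chroot; a non-zero exit makes it usable from a cron job that sweeps build hosts for forgotten chroots.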