Package: util-linux
Version: 2.33.1-0.1
Severity: important

Dear Maintainer,
Security-conscious administrators like me audit our systems for setuid binaries. Since Buster, the /usr/bin/su binary installed by util-linux is failing the routine tests for integrity that I assumed all Debian packages would provide. On every Buster system I manage, I find:

$ dpkg -S /usr/bin/su
dpkg-query: no path found matching pattern /usr/bin/su

I am not happy to find a setuid binary that isn't owned by any package. After some investigation, I discover:

$ ls -l {/usr,}/bin/su
-rwsr-xr-x 1 root root 63568 Jan 10 2019 /bin/su
-rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
$ dpkg -S /bin/su
util-linux: /bin/su

Could util-linux be the package installing /usr/bin/su? Let's find out:

$ sudo rm /usr/bin/su
$ sudo dpkg --unpack /var/cache/apt/archives/util-linux_2.33.1-0.1_amd64.deb
(Reading database ... 166973 files and directories currently installed.)
Preparing to unpack .../util-linux_2.33.1-0.1_amd64.deb ...
Unpacking util-linux (2.33.1-0.1) over (2.33.1-0.1) ...
Processing triggers for mime-support (3.62) ...
Processing triggers for man-db (2.8.5-2) ...
$ ls -l {/usr,}/bin/su
-rwsr-xr-x 1 root root 63568 Jan 10 2019 /bin/su
-rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su

Pshew, it is util-linux installing this mysterious setuid binary. I have not been hacked. Good. But this is very, very surprising:

$ dpkg-deb -c /var/cache/apt/archives/util-linux_2.33.1-0.1_amd64.deb|grep 'su$'
-rwsr-xr-x root/root 63568 2019-01-10 03:30 ./bin/su
-rw-r--r-- root/root  2257 2019-01-10 03:30 ./etc/pam.d/su
-rw-r--r-- root/root   892 2019-01-10 03:30 ./usr/share/bash-completion/completions/su

There is no /usr/bin/su in the util-linux package. This should not be!
Let's do one more basic test to ensure that the util-linux package intended to install /usr/bin/su:

$ grep 'bin/su$' /var/lib/dpkg/info/*.md5sums
/var/lib/dpkg/info/util-linux.md5sums:bb269705904f98f0b2f6258b3ab75ad9  bin/su

No: there is no md5sum to audit the integrity of a mysterious setuid binary on my Debian system. I am not happy. What kind of AI will I need to add to my security audit scripts to guess that the md5sum for /usr/bin/su should match the md5sum for /bin/su, which is managed by the util-linux package?

One final thought: why do we need two copies of the setuid su binary? If it is in /bin/su, why do we need to waste bits by having a second copy in /usr/bin as well? Especially for setuid root binaries, shouldn't we economize by only having one copy around? In previous releases of Debian, only /bin/su existed.

I assume the very existence of the /usr/bin/su setuid binary is erroneous: it should not be installed by the util-linux package.

-- System Information:
Debian Release: 10.5
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages util-linux depends on:
ii  fdisk          2.33.1-0.1
ii  libaudit1      1:2.8.4-3
ii  libblkid1      2.33.1-0.1
ii  libc6          2.28-10
ii  libcap-ng0     0.7.9-2
ii  libmount1      2.33.1-0.1
ii  libpam0g       1.3.1-5
ii  libselinux1    2.8-1+b1
ii  libsmartcols1  2.33.1-0.1
ii  libsystemd0    241-7~deb10u4
ii  libtinfo6      6.1+20181013-2+deb10u2
ii  libudev1       241-7~deb10u4
ii  libuuid1       2.33.1-0.1
ii  login          1:4.5-1.1
ii  zlib1g         1:1.2.11.dfsg-1

util-linux recommends no packages.

Versions of packages util-linux suggests:
ii  dosfstools          4.1-2
ii  kbd                 2.0.4-4
ii  util-linux-locales  2.33.1-0.1

-- no debconf information
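The audit the report is asking for, written here as an added Python example that is not part of the bug report or of util-linux: it resolves a setuid binary against dpkg's *.md5sums files and, when the literal path is unrecorded, retries its merged-/usr alias (/usr/bin/su is looked up as bin/su) before flagging the file as unowned or modified. The alias directory list, the fixture tree under a temporary directory and the stand-in file contents are constructed assumptions, not data from the report.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: on merged-/usr these top-level dirs are symlinks into /usr, so dpkg
# records /bin/su and /usr/bin/su (the same file) under only one spelling.
USRMERGE_DIRS = ("bin/", "sbin/", "lib/")

def load_md5sums(info_dir):
    """Map dpkg-relative path -> (package, md5) from every *.md5sums file."""
    owned = {}
    for f in sorted(Path(info_dir).glob("*.md5sums")):
        for line in f.read_text().splitlines():
            digest, _, rel = line.partition("  ")   # "<md5>  <relative path>"
            if rel:
                owned[rel] = (f.stem, digest)
    return owned

def candidates(path):
    """Spellings dpkg may use for `path`: the literal one, then its merged-/usr alias."""
    rel = path.lstrip("/")
    yield rel
    if rel.startswith("usr/") and rel[4:].startswith(USRMERGE_DIRS):
        yield rel[4:]            # /usr/bin/su -> bin/su
    elif rel.startswith(USRMERGE_DIRS):
        yield "usr/" + rel       # /bin/su -> usr/bin/su

def audit(path, owned, root="/"):
    """Return ("ok" | "MODIFIED" | "UNOWNED", package) for the file at `path`."""
    actual = hashlib.md5((Path(root) / path.lstrip("/")).read_bytes()).hexdigest()
    for rel in candidates(path):
        if rel in owned:
            pkg, expected = owned[rel]
            return ("ok" if actual == expected else "MODIFIED", pkg)
    return ("UNOWNED", None)

def demo():
    """Constructed tree mirroring the report: util-linux.md5sums lists only bin/su,
    a second copy sits at usr/bin/su, and usr/bin/rogue belongs to no package."""
    root = Path(tempfile.mkdtemp())
    info = root / "var/lib/dpkg/info"
    for d in (root / "bin", root / "usr/bin", info):
        d.mkdir(parents=True)
    body = b"#!/bin/sh\necho pretend-su\n"        # stand-in for the setuid binary
    for p, data in (("bin/su", body), ("usr/bin/su", body), ("usr/bin/rogue", b"??\n")):
        (root / p).write_bytes(data)
    (info / "util-linux.md5sums").write_text(hashlib.md5(body).hexdigest() + "  bin/su\n")
    owned = load_md5sums(info)
    return {p: audit(p, owned, root) for p in ("/bin/su", "/usr/bin/su", "/usr/bin/rogue")}
```

Run against a real system with `audit("/usr/bin/su", load_md5sums("/var/lib/dpkg/info"))`; a genuinely unowned setuid file still comes back as UNOWNED, so the alias fallback does not hide the case the report cares about.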