[Bug 1048248] [NEW] check-setuid does not check all filesystems
Martin Carpenter
mcarpenter at free.fr
Sun Sep 9 14:05:16 UTC 2012
Public bug reported:
Description: Ubuntu 12.04.1 LTS
Release: 12.04
ii checksecurity 2.0.14ubuntu1 basic system security checks
Symptom: check-setuid reporting results look strange/incomplete on
initial run:
--- setuid.today 2012-09-09 15:09:26.858820173 +0200
+++ /var/log/setuid/setuid.new.tmp 2012-09-09 15:09:26.858820173 +0200
@@ -0,0 +1,7 @@
+ 128575 4755 1 root root 31304 Fri Mar 2 16:35:03.0000000000 2012 ./bin/fusermount
+ 128610 4755 1 root root 94792 Fri Mar 30 07:34:18.0000000000 2012 ./bin/mount
+ 128648 4755 1 root root 35712 Tue Nov 8 14:26:22.0000000000 2011 ./bin/ping
+ 128649 4755 1 root root 40256 Tue Nov 8 14:26:22.0000000000 2011 ./bin/ping6
+ 128676 4755 1 root root 36832 Mon Apr 9 04:32:06.0000000000 2012 ./bin/su
+ 128685 4755 1 root root 69096 Fri Mar 30 07:34:18.0000000000 2012 ./bin/umount
+ 136537 2755 1 root shadow 35432 Thu Feb 9 02:44:43.0000000000 2012 ./sbin/unix_chkpwd
1. Does not appear to have examined /usr/bin (or anywhere else outside of /).
2. Paths are relative (./...).
The problem is the set of start paths given to find(1) in
/usr/share/checksecurity/check-setuid:
find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3`
The "grep -v" excludes mount lines matching the pattern
CHECKSECURITY_FILTER. CHECKSECURITY_FILTER is set in
/etc/checksecurity/check-setuid.conf by alternating CS_NFSAFS, CS_TYPES,
CS_OPTS, CS_DEVS, CS_DIRS. The first of these contains the bug:
CS_NFSAFS='(type (nfs|afs|coda|lustre|mfs|nnpfs|)|^(arla .* type xfs))'
^ here
The pipe and closing parenthesis after "nnpfs" provide an empty term in
the alternation. This matches any type and so all lines from mount(1)'s
output are excluded.
In the absence of an argument list find(1) uses the current working
directory (and -xdev ensures we don't escape from this directory).
(In the example output above /bin and /sbin are directories on the
root filesystem /. /usr is a separate filesystem). Consequently
check-setuid is not checking any other filesystem than /.
** Affects: checksecurity (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to checksecurity in Ubuntu.
https://bugs.launchpad.net/bugs/1048248
Title:
check-setuid does not check all filesystems
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/checksecurity/+bug/1048248/+subscriptions
More information about the Ubuntu-server-bugs
mailing list