[Bug 1048248] [NEW] check-setuid does not check all filesystems

Martin Carpenter mcarpenter at free.fr
Sun Sep 9 14:05:16 UTC 2012


Public bug reported:


Description:	Ubuntu 12.04.1 LTS
Release:	12.04
ii  checksecurity          2.0.14ubuntu1          basic system security checks

Symptom: check-setuid reporting results look strange/incomplete on
initial run:

    --- setuid.today        2012-09-09 15:09:26.858820173 +0200
    +++ /var/log/setuid/setuid.new.tmp      2012-09-09 15:09:26.858820173 +0200
    @@ -0,0 +1,7 @@
    +  128575  4755   1 root       root           31304 Fri Mar  2 16:35:03.0000000000 2012 ./bin/fusermount
    +  128610  4755   1 root       root           94792 Fri Mar 30 07:34:18.0000000000 2012 ./bin/mount
    +  128648  4755   1 root       root           35712 Tue Nov  8 14:26:22.0000000000 2011 ./bin/ping
    +  128649  4755   1 root       root           40256 Tue Nov  8 14:26:22.0000000000 2011 ./bin/ping6
    +  128676  4755   1 root       root           36832 Mon Apr  9 04:32:06.0000000000 2012 ./bin/su
    +  128685  4755   1 root       root           69096 Fri Mar 30 07:34:18.0000000000 2012 ./bin/umount
    +  136537  2755   1 root       shadow         35432 Thu Feb  9 02:44:43.0000000000 2012 ./sbin/unix_chkpwd

1. Does not appear to have examined /usr/bin (or anywhere else outside of /).
2. Paths are relative (./...).

The problem is the set of start paths given to find(1) in
/usr/share/checksecurity/check-setuid:

    find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3`

The "grep -v" excludes mount lines matching the pattern
CHECKSECURITY_FILTER.  CHECKSECURITY_FILTER is set in
/etc/checksecurity/check-setuid.conf by alternating CS_NFSAFS, CS_TYPES,
CS_OPTS, CS_DEVS, CS_DIRS. The first of these contains the bug:

    CS_NFSAFS='(type (nfs|afs|coda|lustre|mfs|nnpfs|)|^(arla .* type xfs))'
                                                   ^ here

The pipe immediately before the closing parenthesis after "nnpfs" adds an
empty term to the alternation, so the subexpression also matches "type "
followed by nothing at all.  Every line mount(1) prints contains "type ",
so every line matches CHECKSECURITY_FILTER and "grep -v" discards all of
them.

With no start paths on its command line find(1) searches the current
working directory (hence the relative "./..." names), and -xdev stops it
from descending into any other mounted filesystem, so it never leaves
the filesystem that directory lives on.  (In the example output above
/bin and /sbin are directories on the root filesystem /; /usr is a
separate filesystem.)  Consequently check-setuid checks no filesystem
other than /.
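The following shell script is an added illustration, not code from the
checksecurity package or from this report: it feeds a constructed
mount(1) sample through the same "grep -vE ... | cut" pipeline with the
CS_NFSAFS pattern quoted above, then with the stray "|" removed (an
assumed fix, not the maintainer's), and shows what find(1) prints when it
is given expressions but no start path.  The sample mount lines and the
throwaway directory tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the checksecurity package: reproduce how the
# empty alternative in CS_NFSAFS discards every mount(1) line, and what
# find(1) does when it is left with no start paths.

# Constructed sample of mount(1) output (not captured from a real host);
# /usr and /home are separate filesystems here, as in the report.
SAMPLE_MOUNT='/dev/sda1 on / type ext4 (rw,errors=remount-ro)
/dev/sda3 on /usr type ext4 (rw)
/dev/sda5 on /home type ext4 (rw)
fileserver:/export on /mnt/nfs type nfs (rw,vers=3)'

# CS_NFSAFS exactly as quoted in the report: note the empty alternative "nnpfs|)".
BUGGY_NFSAFS='(type (nfs|afs|coda|lustre|mfs|nnpfs|)|^(arla .* type xfs))'
# The same expression with the stray "|" removed (an assumed fix).
FIXED_NFSAFS='(type (nfs|afs|coda|lustre|mfs|nnpfs)|^(arla .* type xfs))'

# Mirror the pipeline in check-setuid: drop lines matching the filter and
# keep the mount point (third space-separated field), one start path per line.
start_paths() {
    printf '%s\n' "$SAMPLE_MOUNT" | grep -vE "$1" | cut -d ' ' -f 3
}

# Number of start paths that survive the filter (0 means find(1) gets none).
count_start_paths() {
    start_paths "$1" | grep -c .
}

# Show what find(1) does with expressions but no start path: it walks the
# current directory and prints relative "./..." names, like setuid.new.tmp
# in the report.  Builds a throwaway tree (constructed, hypothetical path)
# holding one mode-4755 file and returns the name find prints for it.
relative_find_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin"
    : > "$tmp/bin/fakesuid"
    chmod 4755 "$tmp/bin/fakesuid"
    # No start path before the expressions, as in the buggy invocation.
    (cd "$tmp" && find -xdev -type f -perm -4000)
    rm -rf "$tmp"
}

echo "start paths with the shipped filter: $(count_start_paths "$BUGGY_NFSAFS")"
echo "start paths with the fixed filter:"
start_paths "$FIXED_NFSAFS"
echo "find(1) with no start path prints: $(relative_find_demo)"
```

With the shipped pattern the filter leaves find(1) with no start paths at
all; with the empty alternative removed the NFS mount is still excluded
while /, /usr and /home are kept, which is what the exclusion list was
meant to do.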

** Affects: checksecurity (Ubuntu)
     Importance: Undecided
         Status: New

-- 
https://bugs.launchpad.net/bugs/1048248