Your message dated Fri, 29 Apr 2022 10:13:20 +0200
with message-id <YmueIPb6cDd/[email protected]>
and subject line Re: Bug#1010314: ca-certificates: Executable search ordering
for OpenSSL?
has caused the Debian Bug report #1010314,
regarding ca-certificates: Executable search ordering for OpenSSL?
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1010314: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010314
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ca-certificates
Version: 20210119
Severity: normal
X-Debbugs-Cc: [email protected]
Dear Maintainer,

A group of auditors were reviewing the CA inclusion process
and have examined the `update-ca-certificates` and its code.

This issue is not about the PKI nor its certificate handling.

One auditor noticed that the ordering of looking for OpenSSL
executable file (`openssl`) seems ... counterintuitive?

I would imagine that the correct ordering for searching this `openssl`
executable file be something like:

1. /usr/local/sbin/openssl
2. /usr/local/bin/openssl
3. /usr/sbin/openssl
4. /usr/bin/openssl

The actual and current order by the latest `update-ca-certificates`
in looking for this `openssl` executable is currently:

1. $CWD/openssl
2. /usr/local/bin/openssl
3. /usr/local/sbin/openssl
4. /usr/bin/openssl
5. /usr/sbin/openssl

Please note the inversal of `sbin` and `bin`. (The ordering of
`/usr`/`/usr/local` complies with FSSTD v2.3).

ANALYSIS

If a single-user binary (such as `openssl`) is the official and resides
within the `sbin` as a single-user file, why is `update-ca-certificates`
looking to circumvent this official binary with something outside of `sbin`?

Please note that I did not say 'system binary' here that is often
mistaken for `sbin`.

In this transitory age (of Fedora squeezing `/sbin` into `/usr/bin`)
why would an auditor want to use the `bin` firstly before the `sbin`
for finding the 'official' executable?

What gain of system integrity can be had by evoking the non-single-user
`bin`-variant before the single-user `sbin`-variant?

AUDITOR ALERT: As an unrelated note but for auditors especially in the area
of CA certificates, auditors should be forewarned that the
current (`$CWD`) directory should be empty before conducting their
examination effort using `openssl`
executable by others (most notably and currently the `update-ca-certificates`).

Of course, I am not the UNIX expert here but merely a multi-decade
user of UNIX. This bug report is merely to point out if this
inversal of `sbin`/`bin` executable lookup is
the standard expected way of doing searches for a specific executable file.

-- System Information:
Debian Release: 11.3
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates'), (500,
'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'),
(500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.16.0-5-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages ca-certificates depends on:
ii debconf [debconf-2.0] 1.5.77
ii openssl 1.1.1n-0+deb11u1
ca-certificates recommends no packages.
ca-certificates suggests no packages.
-- debconf information:
ca-certificates/trust_new_crts: yes
ca-certificates/title:
ca-certificates/new_crts:
--- End Message ---
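
The lookup-order question raised in the report can be checked mechanically. The following POSIX shell helper is an added example, not part of the original report or of the ca-certificates package: for a given `PATH` value it lists the directories in lookup order, flags entries that depend on the current directory (empty, `.` or relative), and shows which file a name would resolve to. It assumes the command is located through `PATH`; the function names and both sample `PATH` values are constructed for illustration, with `RISKY_PATH` mirroring the order listed in the report.

```shell
# Split a PATH-style string on ':' and keep empty fields, since an empty
# field makes the shell and execvp() search the current directory.
split_path() {
    rest=$1
    while :; do
        case $rest in
            *:*) printf '%s\n' "${rest%%:*}"; rest=${rest#*:} ;;
            *)   printf '%s\n' "$rest"; break ;;
        esac
    done
}

# Classify one entry: cwd (empty or "."), relative, or absolute.
classify_entry() {
    case $1 in
        ''|.) echo cwd ;;
        /*)   echo absolute ;;
        *)    echo relative ;;
    esac
}

# Print "position<TAB>class<TAB>directory" for every entry, in lookup order.
audit_path() {
    n=0
    split_path "$1" | while IFS= read -r dir; do
        n=$((n + 1))
        printf '%d\t%s\t%s\n' "$n" "$(classify_entry "$dir")" "${dir:-<empty>}"
    done
}

# Count entries whose meaning depends on the caller's working directory.
count_cwd_dependent() {
    audit_path "$1" | awk -F '\t' '$2 != "absolute" { c++ } END { print c + 0 }'
}

# Print the first executable regular file that a lookup of $1 in PATH value $2 hits.
first_match() {
    split_path "$2" | while IFS= read -r dir; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            break
        fi
    done
}

# Constructed sample values, not taken from any real system.
SAFE_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
RISKY_PATH=:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin

audit_path "$RISKY_PATH"
echo "cwd-dependent entries: $(count_cwd_dependent "$RISKY_PATH")"
echo "openssl under SAFE_PATH: $(first_match openssl "$SAFE_PATH")"
```

Running `audit_path "$PATH"` as the account that invokes the maintenance script shows whether any entry is working-directory dependent before the script is run.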
--- Begin Message ---
Submitter rejects my mail, closing.
Cheers,
Julien
On Thu, Apr 28, 2022 at 12:38:28PM -0400, S. Egbert wrote:
> Package: ca-certificates
> Version: 20210119
> Severity: normal
> X-Debbugs-Cc: [email protected]
>
> Dear Maintainer,
>
> A group of auditors were reviewing the CA inclusion process
> and have examined the `update-ca-certificates` and its code.
>
> This issue is not about the PKI nor its certificate handling.
>
> One auditor noticed that the ordering of looking for OpenSSL
> executable file (`openssl`) seems ... counterintuitive?
>
> I would imagine that the correct ordering for searching this `openssl`
> executable file be something like:
>
> 1. /usr/local/sbin/openssl
> 2. /usr/local/bin/openssl
> 3. /usr/sbin/openssl
> 4. /usr/bin/openssl
>
>
> The actual and current order by the latest `update-ca-certificates`
> in looking for this `openssl` executable is currently:
>
> 1. $CWD/openssl
> 2. /usr/local/bin/openssl
> 3. /usr/local/sbin/openssl
> 4. /usr/bin/openssl
> 5. /usr/sbin/openssl
>
> Please note the inversal of `sbin` and `bin`. (The ordering of
> `/usr`/`/usr/local` complies with FSSTD v2.3).
>
> ANALYSIS
>
> If a single-user binary (such as `openssl`) is the official and resides
> within the `sbin` as a single-user file, why is `update-ca-certificates`
> looking to
> circumvent this official binary with something outside of `sbin`?
>
> Please note that I did not say 'system binary' here that is often
> mistaken for `sbin`.
>
> In this transitory age (of Fedora squeezing `/sbin` into `/usr/bin`)
> why would an auditor want to use the `bin` firstly before the `sbin`
> for finding the 'official' executable?
>
> What gain of system integrity can be had by evoking the non-single-user
> `bin`-variant before the single-user `sbin`-variant?
>
>
> AUDITOR ALERT: As an unrelated note but for auditors especially in the area
> of CA certificates, auditors should be forewarned that the
> current (`$CWD`) directory should be empty before conducting their
> examination effort using `openssl`
> executable by others (most notably and currently the
> `update-ca-certificates`).
>
>
> Of course, I am not the UNIX expert here but merely a multi-decade
> user of UNIX. This bug report is merely to point out if this
> inversal of `sbin`/`bin` executable lookup is
> the standard expected way of doing searches for a specific executable file.
>
>
> -- System Information:
> Debian Release: 11.3
> APT prefers stable
> APT policy: (990, 'stable'), (500, 'stable-updates'), (500,
> 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'),
> (500, 'unstable'), (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.16.0-5-amd64 (SMP w/4 CPU threads; PREEMPT)
> Kernel taint flags: TAINT_WARN
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not
> set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages ca-certificates depends on:
> ii debconf [debconf-2.0] 1.5.77
> ii openssl 1.1.1n-0+deb11u1
>
> ca-certificates recommends no packages.
>
> ca-certificates suggests no packages.
>
> -- debconf information:
> ca-certificates/trust_new_crts: yes
> ca-certificates/title:
> ca-certificates/new_crts:
--- End Message ---