This small bug affects sarge too, so I'm cc'ing security. The attached patches
restrict the permissions for sarge and etch/sid so that non-root users cannot
read the file holding the default PIN used for Bluetooth authentication.
The postinst script was manually tested with fresh installs and upgrades
on both sarge and etch installations.
For the record, both upstream[1] and Fedora[2] ship these PIN files with
mode 0600, so I see no reason for this Debian-specific behaviour.
-Mikko
[1]
$ grep -A 1 BlueZ bluez-utils-2.15/hcid/Makefile.am
echo "BlueZ" > $(DESTDIR)$(pinfile); \
chmod 600 $(DESTDIR)$(pinfile)
[2]
$ rpm2cpio bluez-utils-2.25-12.i386.rpm | cpio -vt | grep bluetooth\/pin
-rw------- 1 root root 6 Jul 19 22:12 ./etc/bluetooth/pin
diff -u bluez-utils-2.15/debian/bluez-utils.postinst
bluez-utils-2.15/debian/bluez-utils.postinst
--- bluez-utils-2.15/debian/bluez-utils.postinst
+++ bluez-utils-2.15/debian/bluez-utils.postinst
@@ -3,6 +3,14 @@
set -e
case "$1" in
configure)
+ # sarge specific minor security fix:
+ # bluez-utils shipped with /etc/bluetooth/pin readable by
+ # others so resetting its permissions
+ if [ -e /etc/bluetooth/pin ] && [ 'foo'$( find
/etc/bluetooth/pin -perm +go=rwx ) != 'foo' ]; then
+ echo "Security update: removing group and other
permissions from file /etc/bluetooth/pin"
+ chmod u=rw,go= /etc/bluetooth/pin
+ fi
+
# remove bluez-sdpd init, if present
if [ -f /etc/init.d/bluez-sdp ]; then
/usr/sbin/update-rc.d -f bluez-sdp remove
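Review bot: The `find -perm +go=rwx` test in the new configure branch only decides whether the message is printed; `chmod` is idempotent, so `if [ -f /etc/bluetooth/pin ]; then chmod u=rw,go= /etc/bluetooth/pin; fi` does the same job without depending on the `-perm +mode` form, which newer GNU find deprecates in favour of `-perm /mode`. The check also says nothing about ownership: if the conffile is owned by someone other than root, `u=rw` still leaves it readable to that user, so a `chown root:root` next to the chmod is worth considering — root ownership is inferred from the build here, not verified. A comment should also say why the fix lives in postinst at all, e.g. `# dpkg keeps the mode of an existing conffile on upgrade, so tighten it here too`, if that is indeed the reason.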
diff -u bluez-utils-2.15/debian/changelog bluez-utils-2.15/debian/changelog
--- bluez-utils-2.15/debian/changelog
+++ bluez-utils-2.15/debian/changelog
@@ -1,3 +1,9 @@
+bluez-utils (2.15-1.1.0sarge.mcf01) stable-security; urgency=low
+
+ * Try to set tighter /etc/bluetooth/pin permissions
+
+ -- Mikko Rapeli <[EMAIL PROTECTED]> Fri, 29 Sep 2006 11:26:08 +0300
+
bluez-utils (2.15-1.1) stable-security; urgency=high
* Fix command injection insecurity in hcid. See CAN-2005-2547.
diff -u bluez-utils-2.15/debian/rules bluez-utils-2.15/debian/rules
--- bluez-utils-2.15/debian/rules
+++ bluez-utils-2.15/debian/rules
@@ -10,6 +10,8 @@
DEB_CONFIGURE_EXTRA_FLAGS := --enable-pcmcia --enable-dbus --enable-cups
--enable-hid2hci --enable-bcm203x
+DEB_FIXPERMS_EXCLUDE := etc/bluetooth/pin
+
install/bluez-utils::
# modutils config file
install -D -m 0644 debian/modutils \
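Review bot: The new `DEB_FIXPERMS_EXCLUDE` assignment needs a why-comment, because it is the only thing stopping dh_fixperms from resetting the pin file to 0644 after the chmod in the install hook, and a later cleanup could easily drop it as unused: `# keep the 0600 set on etc/bluetooth/pin in install/bluez-utils; dh_fixperms would reset it to 0644`. As far as I recall cdbs passes each word as a `dh_fixperms -X` item, which is a literal substring match, so the plain path used here is the right form.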
@@ -31,6 +33,7 @@
# have a sensible pin default, the upstream one 'BlueZ'
# cannot be typed on a phone keypad!
echo "1234" > $(DEB_DESTDIR)/etc/bluetooth/pin
+ chmod u=rw,go= $(DEB_DESTDIR)/etc/bluetooth/pin
install/bluez-pcmcia-support::
chmod a+x $(DEB_DESTDIR)/etc/pcmcia/bluetooth
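Review bot: The mode change on the new line does less than it appears, because the PIN it protects is the literal `1234` written on the line above and shipped identically in every copy of the package; the 0600 only starts to matter once an administrator replaces the default. A comment next to the chmod should make that explicit, e.g. `# 0600 protects a site-specific PIN; the shipped 1234 is public anyway`, so nobody reads this change as making the default secret.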
diff -u bluez-utils-3.5/debian/bluez-utils.postinst
bluez-utils-3.5/debian/bluez-utils.postinst
--- bluez-utils-3.5/debian/bluez-utils.postinst
+++ bluez-utils-3.5/debian/bluez-utils.postinst
@@ -15,6 +15,19 @@
set -e
case "$1" in
configure)
+ # bluez-utils shipped with /etc/bluetooth/hcid.conf and
+ # /etc/bluetooth/passkey readable by others so resetting
+ # its permissions
+ if [ -e /etc/bluetooth/hcid.conf ] && [ 'foo'$( find
/etc/bluetooth/hcid.conf -perm +go=rwx ) != 'foo' ]; then
+ echo "Security update: removing group and other permissions
from file /etc/bluetooth/hcid.conf"
+ chmod u=rw,go= /etc/bluetooth/hcid.conf
+ fi
+
+ if [ -e /etc/bluetooth/passkeys ] && [ 'foo'$( find
/etc/bluetooth/passkeys -maxdepth 0 -perm +go=rwx ) != 'foo' ]; then
+ echo "Security update: removing group and other permissions
from /etc/bluetooth/passkeys*"
+ chmod -R u=rw,go= /etc/bluetooth/passkeys
+ fi
+
# remove bluez-sdpd init, if present
if [ -f /etc/init.d/bluez-sdp ]; then
/usr/sbin/update-rc.d -f bluez-sdp remove
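Review bot: `chmod -R u=rw,go= /etc/bluetooth/passkeys` strips the execute bit from the passkeys directory itself, which makes it unsearchable for anything not running as root (root bypasses DAC, so testing as root hides this) and disagrees with the rules change in the same patch, which sets the directory to `u=rwx,go=`. Use `chmod -R u=rwX,go= /etc/bluetooth/passkeys`, where the capital `X` keeps search permission on directories while leaving plain files at 0600. The `-maxdepth 0` test only inspects the directory's own bits, which is acceptable once the directory is 0700 since that already blocks traversal to whatever is inside, but a one-line comment saying so would help the next reader.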
diff -u bluez-utils-3.5/debian/rules bluez-utils-3.5/debian/rules
--- bluez-utils-3.5/debian/rules
+++ bluez-utils-3.5/debian/rules
@@ -13,6 +13,7 @@
# removed --enable-pcmcia --enable-dbus
DEB_CONFIGURE_EXTRA_FLAGS := --disable-initscripts --enable-obex --enable-cups
--enable-hid2hci
DEB_DESTDIR := $(CURDIR)/debian/tmp
+DEB_FIXPERMS_EXCLUDE := etc/bluetooth/*
build/bluez-utils::
$(CC) `pkg-config --libs --cflags dbus-1` -DDBUS_API_SUBJECT_TO_CHANGE
-o $(CURDIR)/debian/add-passkey $(CURDIR)/debian/add-passkey.c
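Review bot: `DEB_FIXPERMS_EXCLUDE := etc/bluetooth/*` probably excludes nothing, because as far as I recall cdbs turns each word into a `dh_fixperms -X` item and dh_fixperms matches those as literal substrings of the path (quotemeta, no globbing), so a path would need a literal `*` in it to match. The sarge counterpart in this same mail uses a plain path, which does work. List the files explicitly, `DEB_FIXPERMS_EXCLUDE := etc/bluetooth/hcid.conf etc/bluetooth/passkeys`, or use the substring `etc/bluetooth/` if everything under the directory is meant to keep its mode, and add a comment noting that it is a substring match. The postinst chmod in this patch would mask the breakage on a fresh install, so please confirm the modes in the built .deb with `dpkg-deb -c`.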
@@ -43,6 +44,10 @@
# have a sensible pin default, the upstream one 'BlueZ'
# cannot be typed on a phone keypad!
echo "1234" >
$(CURDIR)/debian/bluez-utils/etc/bluetooth/passkeys/default
+ chmod u=rw,go=
$(CURDIR)/debian/bluez-utils/etc/bluetooth/passkeys/default
+ # tighten pin/passkey file and directory permissions
+ chmod u=rw,go= $(DEB_DESTDIR)/etc/bluetooth/hcid.conf
+ chmod u=rwx,go= $(CURDIR)/debian/bluez-utils/etc/bluetooth/passkeys
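Review bot: The hcid.conf chmod operates on `$(DEB_DESTDIR)` (debian/tmp, per the context at the top of the file) while the passkeys chmods operate on debian/bluez-utils directly, so the hcid.conf mode has to survive whatever step moves it between the two trees — presumably dh_install — and nothing here shows that the copy preserves modes. If it does not, the chmod should move to the package tree like the passkeys lines; either way the result should be checked in the built package with `dpkg-deb -c`. A comment on the `u=rwx,go=` line would also help, since `u=rw` looks equally plausible and would break lookups: `# directory keeps u+x so hcid can open the files inside it; the files themselves are u=rw`.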
binary-install/bluez-pcmcia-support::
#chmod a+x $(DEB_DESTDIR)/etc/pcmcia/bluetooth
diff -u bluez-utils-3.5/debian/changelog bluez-utils-3.5/debian/changelog
--- bluez-utils-3.5/debian/changelog
+++ bluez-utils-3.5/debian/changelog
@@ -1,3 +1,9 @@
+bluez-utils (3.5-1.0etch.mcf01) unstable; urgency=low
+
+ * Try tighten passkey permissions for upgrades and new installs
+
+ -- Mikko Rapeli <[EMAIL PROTECTED]> Fri, 29 Sep 2006 17:11:04 +0300
+
bluez-utils (3.5-1) unstable; urgency=medium
* New upstream release (closes: #384379)