Bug#596954: bastille adds dpkg-statoverride entries that change permissions to 0000 after upgrade

2010-09-19 Thread Javier Fernández-Sanguino Peña
severity 545052 serious
merge 596954 545052 serious
thanks

On Wed, Sep 15, 2010 at 12:41:20PM +0200, Lukas Baxa wrote:
> After that bastille ran also the dpkg-statoverride command
> to prevent resetting the permissions on system upgrades.
> However, this part fails and bastille sets the override
> permissions to !!!

Thanks for the bug report. Indeed, I have reviewed the Debian integration
with bastille and it was missing code to set up the proper permissions in
binaries. I'm preparing an upload which (hopefully) fixes this issue.

If I cannot get it to be fixed properly I will remove the "Would you like to
set more restrictive permissions on the administration utilities?" question
(which defaults to 'NO').

Regards

Javier




Processed (with 1 errors): Re: Bug#596954: bastille adds dpkg-statoverride entries that change permissions to 0000 after upgrade

2010-09-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 545052 serious
Bug #545052 [bastille] bastille removes all permissions from several executables
Severity set to 'serious' from 'normal'

> merge 596954 545052 serious
Unknown command or malformed arguments to command.

> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
545052: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545052
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#596954: bastille adds dpkg-statoverride entries that change permissions to 0000 after upgrade

2010-09-15 Thread Lukas Baxa
Package: bastille
Version: 1:3.0.9-12.1
Severity: serious

Hello,

I run the stable release of debian, i.e. lenny (debian 5.0.6).
I wanted to harden my system using bastille, so I installed
the current bastille package from unstable, that supports
also debian 5.0 (lenny). The package from stable supports
only debian releases up to 4.0 (etch).

I used bastille to tighten up the permissions of some system
binaries and bastille set most permissions to 750
to prevent unprivileged users from using the administration
utilities or removed the suid flag, so that the binaries
cannot be used by non-root users (from ping and mount, for
instance).

After that bastille ran also the dpkg-statoverride command
to prevent resetting the permissions on system upgrades.
However, this part fails and bastille sets the override
permissions to !!!

This means that many of the administration utilities
have their permissions set to  after upgrade and
cannot be used anymore (even by root)! This happened
to me in last upgrade to debian version 5.0.6 with ping,
for instance:
 ls -l /bin/ping*
-- 1 root root 30788 Jul 27 04:34 /bin/ping
-- 1 root root 26616 Jul 27 04:34 /bin/ping6

This is serious because many important binaries are included,
for instance init, mkfs, mount, apt-get etc. It is also
difficult to find out the reason, because the upgrade
can happen much later than the bastille hardening process.

I'm including a part of the bastille action log for /sbin/init,
for instance:
...
{Tue Jun  8 20:00:01 2010} ACTION File exists, running
chmod 488 /sbin/init{Tue Jun  8 20:00:01 2010} ACTION change
permissions on /sbin/init from 100755 to 750
{Tue Jun  8 20:00:01 2010} ACTION chmod 750,/sbin/init;
{Tue Jun  8 20:00:01 2010} ACTION Setting permissions with
dpkg-statoverride:/usr/sbin/dpkg-statoverride --force
  --add #0 #0  /sbin/init
...

Hopefully, this can be repaired quite quickly in unstable,
because this can make the system partly unusable without
knowing about this problem.

Lukas
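
A check for the condition reported above, as an added example that is not part of the original thread or of bastille: it reads lines in the `dpkg-statoverride --list` format (`owner group mode path`) and prints every path whose override mode is all zeros, so such entries can be found before the next upgrade applies them. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report or from bastille.
# Input: lines as printed by `dpkg-statoverride --list`:
#   <owner> <group> <octal-mode> <path>
# Output: the path of each override whose mode removes every permission bit.

flag_null_overrides() {
    while read -r owner group mode path; do
        # Skip blank lines and entries with fewer than four fields.
        [ -n "$path" ] || continue
        case "$mode" in
            # Empty mode, or a mode with any character other than '0':
            # not an all-zero override, so not what we are looking for.
            ''|*[!0]*) continue ;;
        esac
        # Mode is "0", "000", "0000", ...: dpkg will apply this on upgrade.
        printf '%s\n' "$path"
    done
    return 0
}

# Constructed sample input (not taken from a real system).
sample_overrides() {
    cat <<'EOF'
root root 0000 /bin/ping
root root 0000 /bin/ping6
root root 750 /sbin/init
root root 4754 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
root root 0 /bin/mount
EOF
}

# Demonstration on the constructed sample. On a real system run:
#   dpkg-statoverride --list | flag_null_overrides
sample_overrides | flag_null_overrides
```
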



