Package: bastille
Version: 1:3.0.9-12.1
Severity: serious

Hello,

I run the stable release of debian, i.e. lenny (debian 5.0.6).
I wanted to harden my system using bastille, so I installed
the current bastille package from unstable, which also supports
debian 5.0 (lenny). The package from stable supports
only debian releases up to 4.0 (etch).

I used bastille to tighten up the permissions of some system
binaries. Bastille set most permissions to 750 to prevent
unprivileged users from using the administration utilities,
or removed the suid flag so that the binaries cannot be used
by non-root users (ping and mount, for instance).

After that, bastille also ran the dpkg-statoverride command
to prevent the permissions from being reset on system upgrades.
However, this part fails and bastille sets the override
permissions to 0000!

This means that many of the administration utilities
have their permissions set to 0000 after an upgrade and
cannot be used anymore (not even by root)! This happened
to me in the last upgrade to debian 5.0.6 with ping,
for instance:
> ls -l /bin/ping*
---------- 1 root root 30788 Jul 27 04:34 /bin/ping
---------- 1 root root 26616 Jul 27 04:34 /bin/ping6

This is serious because many important binaries are affected,
for instance init, mkfs, mount, apt-get etc. It is also
difficult to find out the reason, because the upgrade
can happen much later than the bastille hardening process.

I'm including a part of the bastille action log for /sbin/init,
for instance:
...
{Tue Jun  8 20:00:01 2010} ACTION File exists, running chmod 488 /sbin/init
{Tue Jun  8 20:00:01 2010} ACTION change permissions on /sbin/init from 100755 to 750
{Tue Jun  8 20:00:01 2010} ACTION chmod 750,"/sbin/init";
{Tue Jun  8 20:00:01 2010} ACTION Setting permissions with dpkg-statoverride:/usr/sbin/dpkg-statoverride --force --add #0 #0 0000 /sbin/init
...

Hopefully, this can be repaired quite quickly in unstable,
because it can make the system partly unusable without the
user knowing about this problem.

Lukas
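[Editor's note, not part of the report above or of the Bastille package.]
The log excerpt shows the two steps side by side: the chmod itself is
fine (488 decimal is 0750 octal, so "chmod 488" is the intended 750),
but the value handed to dpkg-statoverride is 0000, and that is what
dpkg re-applies on the next upgrade. The following added shell snippet
scans `dpkg-statoverride --list` output for all-zero modes and prints
the commands that would replace each bad override with the intended one.
The sample override lines are constructed to mirror the report; the
owner root:root and the target mode 750 are assumptions to be adjusted
per binary (a suid binary needs 4750 or similar).

```shell
# Added example (not from the bug report or from the Bastille package):
# find dpkg-statoverride entries that register an all-zero mode and print
# the commands that would repair them. `dpkg-statoverride --list` prints
# one "<user> <group> <mode> <path>" line per override. On a live system:
#   dpkg-statoverride --list | find_zero_mode_overrides | repair_commands

find_zero_mode_overrides() {
    # Print the path of every override whose mode field is all zeros
    # ("0000" as Bastille wrote it, or "0" if dpkg re-prints it unpadded).
    awk '$3 ~ /^0+$/ { print $4 }'
}

repair_commands() {
    # For each path on stdin, emit the commands that drop the bad override
    # and re-register the intended mode. root:root and 750 are assumed
    # (hypothetical target; use 4750 or similar where suid must be kept).
    # --update applies the new mode to the file immediately as well.
    while IFS= read -r path; do
        printf 'dpkg-statoverride --remove %s\n' "$path"
        printf 'dpkg-statoverride --update --add root root 750 %s\n' "$path"
    done
}

# Constructed sample of `dpkg-statoverride --list` output, mirroring
# the report: three binaries registered with mode 0000, two sane entries.
SAMPLE_OVERRIDES='root root 0000 /sbin/init
root root 0000 /bin/ping
root root 0000 /bin/ping6
root root 750 /bin/mount
root dip 4754 /usr/sbin/pppd'

count_zero_mode_overrides() {
    # Number of affected paths in the sample (3).
    printf '%s\n' "$SAMPLE_OVERRIDES" | find_zero_mode_overrides | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_OVERRIDES" | find_zero_mode_overrides | repair_commands
```

Run on a real system, the output is a list of commands to review before
executing; the --remove step matters because --add refuses to register a
path that already has an override unless --force is given, and it is the
stored 0000 entry, not the file's current mode, that the upgrade restores.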



