The "statoverride" script appears to work on the first run for each
kernel. However, on any subsequent run the `dpkg-statoverride` command
exits with error code 2:
$ apt-get install something-triggering-dkms
Processing triggers for linux-image-5.4.0-96-generic (5.4.0-96.109) ...
/etc/k
Looks like this workaround is working for me as new kernel versions are
released:
$ cat /etc/kernel/postinst.d/statoverride
#!/bin/sh
version="$1"
[ -z "${version}" ] && exit 0
dpkg-statoverride --update --add root root 0644 /boot/vmlinuz-${version}
That file must be executab
I'm still trying to reliably work around this pointless bug. It seems one
needs to create a script in /etc/kernel/postinst.d to run
dpkg-statoverride --update, but that command is not idempotent, so kernel
updates fail if you update existing versions.
--
You received this bug notification because
Trying to understand the process here. This change affects multiple
people and projects, has no real rationale, worsens security, and is
trivial to fix. Why is it still there? How do we escalate this past this
Kees Cook's misplaced stubbornness?
--
This actually makes Ubuntu much more insecure, because you have to run most
tools with sudo, and normally those tools recommend that users NOT run them
as root. Other distros are still readable by normal users and they
harden it via SELinux.
--
On Focal the correct command to (temporarily) fix the permission
problem:
sudo dpkg-statoverride --update --add root root 0644 /boot/vmlinux-$(uname -r)
However, I also feel that making non-secret information world
readable would have been the Unix way. This change made the life of a
few s
Fortunately, you can still get the current kernel quite easily:
curl $(python3 -c "import apt, os; print(apt.cache.Cache()['linux-image-' + os.uname().release].versions[0].uri)") | dpkg-deb -x - .
--
ROLL BACK THIS DAMN CHANGE!!!
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/759725
Title:
The kernel is no longer readable by non-root users
Status in linux package in Ubuntu:
Won't
Very disappointed to see this is marked as 'Won't fix'. It is pointless
security theatre and is breaking useful things. In my case it is
libguestfs. Please reconsider.
--
This forces us to run tftpd as root, to serve $CHROOT/boot to netboot clients,
so it's actually LESS secure than it was before the change.
Applying the stat workaround isn't always easy; sometimes $CHROOT/boot
comes from a read-only loopback image.
Also note that initrd.img, which may actually co
Would it be possible to make the kernel readable by a special group
(i.e. "kernel-readers"), which Ubuntu-distros could have installed by
default?
In this case it would suffice to make users members of this group, if
they want to use tools that need kernel read access.
Or would that somehow violat
A consequence of the design decision to prevent read-access for users is
that a bug has emerged in libguestfs:
https://bugs.launchpad.net/ubuntu/+source/libguestfs/+bug/1813662
--
$ sudo dpkg-statoverride --add root root 0644 /boot/vmlinux-$(uname -r)
dpkg-statoverride: error: --add needs four arguments
only updated for a single kernel, and apparently not the one virt-make-
fs is using.
I then did:
sudo chmod +r /boot/vmlinuz-*
and virt-make-fs was happy.
--
Does this mean there is now no non-root way to extract files from
filesystem images?
--
Why can't guestmount work out of the box? That was a perfect userspace
option to get a loop device to test out-of-space errors.
--
The correct override command is:
sudo dpkg-statoverride --add --update root root 0644 /boot/vmlinuz-$(uname -r)
--
** No longer affects: hobbit-plugins (Ubuntu)
--
As of 15.04 this embarrassing security theatre is still in place.
--
Any news on this?
--
This works only if I start ./libs locally, but not via xymonclient.
There I got the error "sudo: no tty present and no askpass program
specified", but I don't know how to adapt it so that it also works with
the xymonclient.
--
I changed the following under Ubuntu 14.10:
File /usr/lib/xymon/client/ext/libs
69c69
< my $kernel_image_read_command = "strings '$newest_kernel_image'";
---
> my $kernel_image_read_command = "$SUDO strings '$newest_kernel_image'";
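Review bot: the replacement line at 69 makes the check depend on `$SUDO` running `strings` without a terminal, and nothing in this hunk shows where `$SUDO` is set or what sudo rule it relies on. Please document the required sudoers entry next to the change, limited to this one `strings` call on the kernel image and with no password prompt, since without it the plugin fails with "sudo: no tty present and no askpass program specified" as reported in this thread. The image path is also interpolated into a single-quoted shell string, so a path containing a single quote would break the command; passing the arguments as a list would avoid that.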
ext$ ./libs
strings: /boot/vmlinuz-3.16.0-23-generic: Permission d
Is it possible to change vmlinuz permissions so it's readable by members of
a special group (libguestfs)?
This way admins could locally fix this "by design" stupidity easily for
affected users instead of forcing maintainers for all the affected packages to
supply statoverride scripts.
--
** Changed in: hobbit-plugins (Ubuntu)
Status: Confirmed => In Progress
** Changed in: hobbit-plugins (Ubuntu)
Assignee: (unassigned) => Axel Beckert (xtaran)
--
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: hobbit-plugins (Ubuntu)
Status: New => Confirmed
--
** Also affects: hobbit-plugins (Ubuntu)
Importance: Undecided
Status: New
--
This also affects monitoring tools like e.g. the libs test in hobbit-
plugins which compare the running kernel version to the one on disk.
These tests don't run as root as they don't need to. Now they need
elevated privileges just to do this check... :-/
--
Since the vmlinuz-X.WY.Z-X-generic can be easily downloaded from the
Internet, this "by design" change makes Ubuntu less useful.
Ubuntu needs to make "IT things" (Linux) better for humans, not worse...
:-/
This is also affecting OpenStack... Reference:
http://docs.openstack.org/icehouse/install-gu