Aurelien Jarno
2009-May-03 15:12 UTC
[Secure-testing-team] Bug#526788: schroot allows a user to do a local DoS
Package: schroot
Version: 1.2.2-1
Severity: important
Tags: security patch

In script mode, schroot mounts a new tmpfs (with a default size of half the RAM) to act as /dev/shm inside the chroot and for each created chroot (a user can create more than one), as shown below. Those directories are world writable, meaning that a user can fill them, and with them RAM and swap. As soon as the whole RAM and swap have been filled, the kernel starts OOM killing every task, leading to a crash of the machine.

Filesystem         Size  Used Avail Use% Mounted on
/dev/sda1           38G   24G   12G  67% /
tmpfs              2.0G   12K  2.0G   1% /lib/init/rw
udev                10M   96K   10M   1% /dev
tmpfs              2.0G     0  2.0G   0% /dev/shm
/dev/mapper/chome  417G  386G   31G  93% /home
tmpfs              2.0G     0  2.0G   0% /var/lib/schroot/mount/sid-i386-f04cabdd-7e2d-45fa-9a3c-e7824c41ac0b/dev/shm
tmpfs              2.0G     0  2.0G   0% /var/lib/schroot/mount/sid-c6852c65-72bc-4389-9501-6577ee035d32/dev/shm
tmpfs              2.0G     0  2.0G   0% /var/lib/schroot/mount/sid-af2dd3b5-8f12-49a1-b94c-f864159f5ff7/dev/shm

The correct solution here is to bind mount /dev/shm, as it is already done for /home, /tmp and /dev/pts. The patch below does that:

--- schroot-1.2.2.orig/bin/schroot/mount-defaults +++ schroot-1.2.2/bin/schroot/mount-defaults 
@@ -5,6 +5,6 @@ # <file system> <mount point> <type> <options> <dump> <pass> proc /proc proc defaults 0 0 /dev/pts /dev/pts none rw,bind 0 0 -tmpfs /dev/shm tmpfs defaults 0 0 +/dev/shm /dev/shm none rw,bind 0 0 /home /home none rw,bind 0 0 /tmp /tmp none rw,bind 0

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages schroot depends on:
ii  libboost-filesystem1.34.1    1.34.1-15     filesystem operations (portable pa
ii  libboost-program-options1.3  1.34.1-15     program options library for C++
ii  libboost-regex1.34.1         1.34.1-15     regular expression library for C++
ii  libc6                        2.9-6         GNU C Library: Shared libraries
ii  libgcc1                      1:4.4.0-2     GCC support library
ii  liblockdev1                  1.0.3-1.2+b1  Run-time shared library for lockin
ii  libpam0g                     1.0.1-5       Pluggable Authentication Modules l
ii  libstdc++6                   4.4.0-2       The GNU Standard C++ Library v3
ii  libuuid1                     1.41.3-1      universally unique id library
ii  schroot-common               1.2.2-1       common files for schroot

schroot recommends no packages.

Versions of packages schroot suggests:
ii  debootstrap                  1.0.11        Bootstrap a basic Debian system
ii  lvm2                         2.02.39-6     The Linux Logical Volume Manager
ii  unzip                        5.52-12       De-archiver for .zip files

-- no debconf information
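
Review bot: The new line "/dev/shm /dev/shm none rw,bind 0 0" deserves a comment in mount-defaults explaining why a per-session tmpfs is avoided, because nothing in the file tells a later editor that reverting to "tmpfs /dev/shm tmpfs defaults 0 0" reintroduces one half-of-RAM tmpfs per session. The comment should also state the trade-off the bind mount accepts: every chroot now shares the host's /dev/shm read-write, so memory use is bounded by that single tmpfs (2.0G in the df output above) rather than by the number of sessions, but shared-memory objects become visible between the host and all sessions, as is already the case for /tmp.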
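
Added example (not part of the original report and not schroot code): a check an administrator could run on an unpatched host to see how much memory the per-session /dev/shm tmpfs mounts can claim in total. The sample input is the df output quoted in the report; the function names and the RAM-plus-swap figure are assumptions made for the illustration.

```python
import re

# Constructed sample: the df output quoted in the report above.
SAMPLE_DF = """\
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 38G 24G 12G 67% /
tmpfs 2.0G 12K 2.0G 1% /lib/init/rw
udev 10M 96K 10M 1% /dev
tmpfs 2.0G 0 2.0G 0% /dev/shm
/dev/mapper/chome 417G 386G 31G 93% /home
tmpfs 2.0G 0 2.0G 0% /var/lib/schroot/mount/sid-i386-f04cabdd-7e2d-45fa-9a3c-e7824c41ac0b/dev/shm
tmpfs 2.0G 0 2.0G 0% /var/lib/schroot/mount/sid-c6852c65-72bc-4389-9501-6577ee035d32/dev/shm
tmpfs 2.0G 0 2.0G 0% /var/lib/schroot/mount/sid-af2dd3b5-8f12-49a1-b94c-f864159f5ff7/dev/shm
"""

UNITS = {"": 1, "K": 2**10, "M": 2**20, "G": 2**30, "T": 2**40}
# Per-session mount points as they appear in the report's df output.
SESSION_SHM = re.compile(r"^/var/lib/schroot/mount/[^/]+/dev/shm$")

def to_bytes(size):
    """Convert a human-readable df size such as '2.0G' or '0' to bytes."""
    m = re.fullmatch(r"([0-9.]+)([KMGT]?)", size)
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])

def audit_session_tmpfs(df_text, ram_plus_swap_bytes):
    """Return (mounts, total_cap, overcommitted) for per-session /dev/shm tmpfs."""
    mounts, total_cap = [], 0
    for line in df_text.splitlines()[1:]:      # skip the header row
        fields = line.split(None, 5)           # mount point is the last field
        if len(fields) != 6:
            continue                           # wrapped or malformed line
        fs, size, used, _avail, _pct, mnt = fields
        if fs == "tmpfs" and SESSION_SHM.match(mnt):
            mounts.append((mnt, to_bytes(size), to_bytes(used)))
            total_cap += to_bytes(size)
    return mounts, total_cap, total_cap > ram_plus_swap_bytes

if __name__ == "__main__":
    # Assumption: 4 GiB RAM (tmpfs defaults to half of RAM, 2.0G above) plus 1 GiB swap.
    mounts, cap, over = audit_session_tmpfs(SAMPLE_DF, 5 * 2**30)
    for mnt, size, used in mounts:
        print(f"{size / 2**30:.1f}G cap, {used} bytes used: {mnt}")
    print(f"aggregate cap {cap / 2**30:.1f}G, exceeds RAM+swap: {over}")
```

On a live system, feed it the output of df -hP so that long device names are not wrapped onto a second line.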