Bug#381695: [Buildd-tools-devel] Bug#381695: dchroot: Invades users privacy in default configuration

Helge Kreutzmann debian at helgefjell.de
Mon Aug 7 13:48:05 UTC 2006


Hello Roger,
On Sun, Aug 06, 2006 at 10:34:08PM +0100, Roger Leigh wrote:
> Helge Kreutzmann <debian at helgefjell.de> writes:
> 
> > A while ago testing upgraded to 0.99.2-2, which was broken as it
> > [...] verbosely logged the action of the users of dchroot.
> 
> > Unfortunately, b) is not yet fixed.
> 
> This is the first time it has been reported.  schroot has behaved this
> way since last year (0.1.x).

Well, I've used dchroot (never heard about schroot until the recent
upgrade) since I installed this machine, approximately February 2005.

For a while now, I have been following testing. Looking at /var/log/dpkg.log* I
see:
2006-06-15 17:16:00 upgrade dchroot 0.12.1 0.13
2006-05-19 19:35:36 upgrade dchroot 0.11 0.12.1
2006-07-12 19:35:38 upgrade dchroot 0.13 0.99.2-2
2006-08-06 15:26:19 upgrade dchroot 0.99.2-2 1.0.1-1
2006-08-06 15:26:33 upgrade dchroot 1.0.1-1 1.0.1-1

The last was not to follow testing, but to get rid of the quoting bug
(i.e. a locally compiled and installed version).

> > Before upgrading to 0.99.2-2 I could use dchroot to call binaries in
> > my sid ia-32 chroot from an ordinary user account without leaving any
> > trace in system logs
> 
> 0.99.0 and 0.99.1 also behaved in the same way.  Did you upgrade from
> 0.13 and miss those releases out?

As you can see, I never used those. Did they go into testing? I cannot
remember having seen dchroot being held back. I usually track testing.

> The reason why the logging is performed is because the schroot service
> may be used to gain root access (even without a password, if so
> configured; see root-users and root-groups in schroot.conf(5)) and
> switch users.  As a result, the commands being run are logged, just as
> they are with the su and sudo commands (schroot is implementing their
> functionality).
> 
> The attached patch will log the command or shell if:
> 
> * running as root
> * switching to root
> * switching to another user
> 
> But will not log if
> 
> * the user is the same (not switching) and is not root
> 
> Is this acceptable?  When running as root, or switching to another
> user, there are security concerns which make logging advisable.

Yes. 

My main concern was simply that I could leave detailed traces in
my normal work flow (e.g. currently OpenOffice.org is not available
for amd64 in Debian, hence I need a changeroot, some other
productivity and multimedia programmes are the same). Still the act of
opening a dchroot session (as outlined in my original mail) is traced,
but I think this is acceptable, just the exact commands and arguments
should not be visible.

Root is no problem at all in an ordinary setting (he controls himself,
and if root is untrustworthy it's an entirely different class of
problems), and sudo/su have been logging for ages as well, so I see no
reason why dchroot / schroot should deviate. And the security
implications are clear: If something broke I want to know who did it
(i.e. who logged in as root, used su(do) or dchroot etc.).

Thanks for your speedy reply and quick fix!

Greetings

           Helge
-- 
      Dr. Helge Kreutzmann                     debian at helgefjell.de
           Dipl.-Phys.                   http://www.helgefjell.de/debian.php
        64bit GNU powered                     gpg signed mail preferred
           Help keep free software "libre": http://www.ffii.de/
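
Added example (not part of the original message, and not schroot or dchroot source code): a sketch of the logging policy agreed in this thread, where opening a session is always recorded but the command and its arguments are recorded only when running as root, switching to root, or switching to another user. All function names and the log line format are hypothetical; the escaping of control characters in logged arguments goes beyond what the thread discusses and is included so that logged arguments cannot forge extra log lines.

```cpp
// Added illustration; hypothetical names, not schroot/dchroot code.
#include <string>
#include <vector>
#include <sys/types.h>

// Policy from the thread: log the command when running as root, switching to
// root, or switching to another user; not when a non-root user stays the same.
bool should_log_command(uid_t caller, uid_t target)
{
    return caller == 0 || target == 0 || caller != target;
}

// Escape backslash, quote and control characters (assumption of this example)
// so that a logged argument cannot inject a forged line into the log.
std::string sanitize(const std::string& s)
{
    static const char hex[] = "0123456789abcdef";
    std::string out;
    for (unsigned char c : s) {
        if (c == '\\' || c == '"') {
            out += '\\';
            out += static_cast<char>(c);
        } else if (c < 0x20 || c == 0x7f) {
            out += "\\x";
            out += hex[c >> 4];
            out += hex[c & 0xf];
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

// The session itself is always traced; command and arguments only per policy.
std::string audit_line(const std::string& chroot, uid_t caller, uid_t target,
                       const std::vector<std::string>& argv)
{
    std::string line = "[" + sanitize(chroot) + " chroot] uid " +
        std::to_string(caller) + " -> uid " + std::to_string(target);
    if (!should_log_command(caller, target))
        return line + ": session opened";
    line += ": running command:";
    for (const auto& a : argv)
        line += " \"" + sanitize(a) + "\"";
    return line;
}
```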