[buildd-tools-devel] Bug#566879: Bug#566879: Bug#566879: dchroot: does not work as root

Roger Leigh rleigh at codelibre.net
Thu Jan 28 21:34:35 UTC 2010


tags 566879 + patch fixed-upstream pending
thanks

On Wed, Jan 27, 2010 at 09:23:33AM +0000, Roger Leigh wrote:
> On Tue, Jan 26, 2010 at 05:38:16PM +0100, Aurelien Jarno wrote:
> > On Tue, Jan 26, 2010 at 11:43:53AM +0000, Roger Leigh wrote:
> > > On Tue, Jan 26, 2010 at 01:35:50AM +0100, Aurelien Jarno wrote:
> > > Does the same occur if you run schroot as root?
> > 
> > No schroot as root works fine.
> 
> I just need to work out why it's trying user authentication in the first
> place, then I should have a fix soon.

OK, I have a fix!  (attached)

It was due to the fact that schroot and dchroot use separate
authentication methods.  schroot uses auth_pam (PAM) and
dchroot/dchroot-dsa use auth_null (no authentication--it
always fails).  Normally, authentication is skipped if one
is allowed access.  However, root falls through and is
required to undergo authentication:

  [sbuild/sbuild-session.cc, get_chroot_auth_status()]
  else // Not in any groups
    {
      if (this->authstat->get_ruid() == 0)
        status = auth::change_auth(status, auth::STATUS_USER);
      else
        status = auth::change_auth(status, auth::STATUS_FAIL);

Now, when using PAM, we succeed in running, but not because this is
hard-coded.  It's due to having

  # This allows root to use schroot without passwords (normal operation)
  auth       sufficient pam_rootok.so

in /etc/pam.d/schroot.  Since dchroot doesn't use PAM the auth_null
method makes all authentication attempts immediately fail (since user-
switching and authentication are forbidden).  I've relaxed
auth_null::authenticate to allow this if the local (chroot) and remote
(system) users match.


However... thinking about this, this does introduce a (minor) security
hole.  Hypothetically, if pam_rootok was removed from
/etc/pam.d/schroot, dchroot could be used to bypass this PAM policy
restriction.  In reality, root can gain access via other methods so
it's not /really/ that bad.

auth_null was primarily introduced to allow schroot to build on systems
(Hurd, kfreebsd) which might lack Linux-PAM.  Since dchroot/dchroot-dsa
don't allow user-switching, I moved them to use it as well, since PAM
wasn't needed.  But thinking about it, I might switch back to using PAM
unilaterally (on platforms where it is available).


This has been committed into git, but I'll need to ponder the
implications for a little bit before I upload it.


Regards,
Roger
-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
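The decision path the mail describes, as an added model written for this page (it is not schroot's code): root who is not in the chroot's allowed groups falls through to STATUS_USER and must authenticate, auth_null rejects that unconditionally before the fix, and the relaxed auth_null accepts it when no user switch is requested, which is also what makes it independent of a pam_rootok line in /etc/pam.d/schroot. The struct fields, the `fixed` flag and the password_ok stand-in for a real PAM conversation are assumptions of the model.

```cpp
#include <cstdint>

// Assumed simplification of auth::STATUS_NONE / STATUS_USER / STATUS_FAIL.
enum class AuthStatus { NONE, USER, FAIL };
// The two authentication back-ends named in the mail.
enum class Method { PAM, NULL_AUTH };

struct Request {
    uint32_t ruid;           // real (system) uid of the caller, as get_ruid()
    uint32_t uid;            // uid requested inside the chroot
    bool in_allowed_group;   // caller matches the chroot's users/groups keys
};

// Mirrors the quoted else-branch: allowed callers need no authentication,
// root falls through to STATUS_USER, anyone else is refused outright.
AuthStatus get_chroot_auth_status(const Request& r) {
    if (r.in_allowed_group) return AuthStatus::NONE;
    return r.ruid == 0 ? AuthStatus::USER : AuthStatus::FAIL;
}

// auth_pam model: "auth sufficient pam_rootok.so" lets root through without a
// password; otherwise the outcome is whatever the PAM stack decided (password_ok).
bool pam_authenticate(const Request& r, bool pam_rootok_present, bool password_ok) {
    if (pam_rootok_present && r.ruid == 0) return true;
    return password_ok;
}

// auth_null model: always fails before the fix; after it, succeeds only when the
// local (chroot) and remote (system) users match, i.e. no user switching.
bool null_authenticate(const Request& r, bool fixed) {
    return fixed && r.ruid == r.uid;
}

// Whole session decision: may the chroot session proceed?
bool session_allowed(const Request& r, Method m, bool fixed,
                     bool pam_rootok_present, bool password_ok) {
    AuthStatus s = get_chroot_auth_status(r);
    if (s == AuthStatus::NONE) return true;
    if (s == AuthStatus::FAIL) return false;
    return m == Method::PAM ? pam_authenticate(r, pam_rootok_present, password_ok)
                            : null_authenticate(r, fixed);
}
```

The last two assertions in the test below are the caveat from the mail: once auth_null is relaxed, removing pam_rootok from the schroot PAM stack no longer stops root, because dchroot never consults PAM.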