Bug#789404: pbuilder: insecure use of /tmp

Mattia Rizzolo mattia at mapreri.org
Sun Aug 9 22:31:12 UTC 2015


On Sun, Aug 09, 2015 at 09:05:12PM +0000, Thorsten Glaser wrote:
> The current “let's move the build dir” stinks much more, why
> not pre-create /tmp/build in the chroot to be writable only
> to the buildd user?

pbuilder currently creates /tmp/buildd at chroot creation time, just after
debootstrap finishes.
The creation command is a plain `mkdir -p`:
 * it's -p, it doesn't fail if it exists
 * it's not umask safe
 * it's owned by root:root (and chowned just before the build starts) ← good

so the current state of affairs is suboptimal.

Also, if the build directory is missing it's happily created by pbuilder while
extracting the tarball.

Now, that's right, it could be improved by
 * forcing that directory to have certain perms
 * forcing that directory to have a certain owner
 * forcing that directory to be empty before copying the files

A random user can currently happily implant /tmp/buildd right before (if it
doesn't already exist); moving it to some other location (in this case just
under /) makes this particular issue impossible.


FYI, I have to improve the documentation and do some more thorough tests, and
then I'll ask a friend of mine to upload.


I welcome tracking bugs for the 3 improvable points above.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540         .''`.
more about me:  http://mapreri.org                                 : :'  :
Launchpad user: https://launchpad.net/~mapreri                     `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia     `-
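The three improvable points in the message above (fixed permissions, fixed owner, directory empty before files are copied) and the `mkdir -p` weaknesses it lists can be illustrated with a small POSIX shell helper. This is an added example, not pbuilder's own code: the function names `safe_build_dir` and `dir_is_empty`, and the optional OWNER argument, are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not pbuilder's code): create a build directory so that a
# pre-existing path is rejected instead of silently reused, and the mode does
# not depend on the caller's umask.

# Usage: safe_build_dir DIR [OWNER]
#   Returns 0 on success, 1 if DIR already exists or could not be set up.
safe_build_dir() {
    dir=$1
    owner=${2:-}

    # `mkdir -p` succeeds when DIR already exists, even if it is a symlink or
    # a directory owned by someone else. We refuse such a path outright.
    if [ -e "$dir" ] || [ -L "$dir" ]; then
        echo "refusing: $dir already exists" >&2
        return 1
    fi
    # Plain mkdir (no -p) fails if the path appeared in the meantime, so it is
    # the real existence check; the umask makes the mode umask-safe.
    if ! (umask 077 && mkdir "$dir"); then
        echo "refusing: could not create $dir" >&2
        return 1
    fi
    # The created path must be a real directory, not a symlink.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi
    # Force a fixed mode regardless of what mkdir produced.
    chmod 0700 "$dir" || return 1
    # Hand the directory to the build user only after it is fully set up.
    if [ -n "$owner" ]; then
        chown "$owner" "$dir" || return 1
    fi
    return 0
}

# Third point: verify DIR is empty before copying the build files into it.
dir_is_empty() {
    [ -z "$(ls -A "$1")" ]
}

# Stand-alone demonstration in a throwaway temp directory (constructed input).
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    demo=$(mktemp -d)
    safe_build_dir "$demo/buildd" && echo "created $demo/buildd"
    safe_build_dir "$demo/buildd" || echo "second create correctly refused"
    dir_is_empty "$demo/buildd" && echo "directory is empty, safe to populate"
    rm -rf "$demo"
fi
```

The important design choice is that existence is treated as an error rather than a condition to recover from: if the directory is already there when the chroot is set up, the helper does not know who created it, so the safe answer is to stop.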