[Pkg-bluetooth-maintainers] Bug#390035: bluez-utils pin file
readable by all
Mikko Rapeli
mikko.rapeli at iki.fi
Fri Sep 29 15:42:15 UTC 2006
This small bug affects sarge too so I'm cc'ing security. Attached patches
restrict the permissions for sarge and etch/sid so that non-root users can
not read the default pin value used in Bluetooth authentication.
The postinst script was manually tested with fresh installs and upgrades
on both sarge and etch installations.
For the record, both upstream[1] and Fedora[2] have these pin files in
mode 600, so I see no reason for this Debian specific behaviour.
-Mikko
[1]
$ grep -A 1 BlueZ bluez-utils-2.15/hcid/Makefile.am
echo "BlueZ" > $(DESTDIR)$(pinfile); \
chmod 600 $(DESTDIR)$(pinfile)
[2]
$ rpm2cpio bluez-utils-2.25-12.i386.rpm | cpio -vt | grep bluetooth\/pin
-rw------- 1 root root 6 Jul 19 22:12 ./etc/bluetooth/pin
-------------- next part --------------
diff -u bluez-utils-2.15/debian/bluez-utils.postinst bluez-utils-2.15/debian/bluez-utils.postinst
--- bluez-utils-2.15/debian/bluez-utils.postinst
+++ bluez-utils-2.15/debian/bluez-utils.postinst
@@ -3,6 +3,14 @@
set -e
case "$1" in
configure)
+ # sarge specific minor security fix:
+ # bluez-utils shipped with /etc/bluetooth/pin readable by
+ # others so resetting its permissions
+ if [ -e /etc/bluetooth/pin ] && [ 'foo'$( find /etc/bluetooth/pin -perm +go=rwx ) != 'foo' ]; then
+ echo "Security update: removing group and other permissions from file /etc/bluetooth/pin"
+ chmod u=rw,go= /etc/bluetooth/pin
+ fi
+
# remove bluez-sdpd init, if present
if [ -f /etc/init.d/bluez-sdp ]; then
/usr/sbin/update-rc.d -f bluez-sdp remove
diff -u bluez-utils-2.15/debian/changelog bluez-utils-2.15/debian/changelog
--- bluez-utils-2.15/debian/changelog
+++ bluez-utils-2.15/debian/changelog
@@ -1,3 +1,9 @@
+bluez-utils (2.15-1.1.0sarge.mcf01) stable-security; urgency=low
+
+ * Try to set tighter /etc/bluetooth/pin permissions
+
+ -- Mikko Rapeli <mikko.rapeli at iki.fi> Fri, 29 Sep 2006 11:26:08 +0300
+
bluez-utils (2.15-1.1) stable-security; urgency=high
* Fix command injection insecurity in hcid. See CAN-2005-2547.
diff -u bluez-utils-2.15/debian/rules bluez-utils-2.15/debian/rules
--- bluez-utils-2.15/debian/rules
+++ bluez-utils-2.15/debian/rules
@@ -10,6 +10,8 @@
DEB_CONFIGURE_EXTRA_FLAGS := --enable-pcmcia --enable-dbus --enable-cups --enable-hid2hci --enable-bcm203x
+DEB_FIXPERMS_EXCLUDE := etc/bluetooth/pin
+
install/bluez-utils::
# modutils config file
install -D -m 0644 debian/modutils \
@@ -31,6 +33,7 @@
# have a sensible pin default, the upstream one 'BlueZ'
# cannot be typed on a phone keypad!
echo "1234" > $(DEB_DESTDIR)/etc/bluetooth/pin
+ chmod u=rw,go= $(DEB_DESTDIR)/etc/bluetooth/pin
install/bluez-pcmcia-support::
chmod a+x $(DEB_DESTDIR)/etc/pcmcia/bluetooth
-------------- next part --------------
diff -u bluez-utils-3.5/debian/bluez-utils.postinst bluez-utils-3.5/debian/bluez-utils.postinst
--- bluez-utils-3.5/debian/bluez-utils.postinst
+++ bluez-utils-3.5/debian/bluez-utils.postinst
@@ -15,6 +15,19 @@
set -e
case "$1" in
configure)
+ # bluez-utils shipped with /etc/bluetooth/hcid.conf and
+ # /etc/bluetooth/passkey readable by others so resetting
+ # its permissions
+ if [ -e /etc/bluetooth/hcid.conf ] && [ 'foo'$( find /etc/bluetooth/hcid.conf -perm +go=rwx ) != 'foo' ]; then
+ echo "Security update: removing group and other permissions from file /etc/bluetooth/hcid.conf"
+ chmod u=rw,go= /etc/bluetooth/hcid.conf
+ fi
+
+ if [ -e /etc/bluetooth/passkeys ] && [ 'foo'$( find /etc/bluetooth/passkeys -maxdepth 0 -perm +go=rwx ) != 'foo' ]; then
+ echo "Security update: removing group and other permissions from /etc/bluetooth/passkeys*"
+ chmod -R u=rw,go= /etc/bluetooth/passkeys
+ fi
+
# remove bluez-sdpd init, if present
if [ -f /etc/init.d/bluez-sdp ]; then
/usr/sbin/update-rc.d -f bluez-sdp remove
diff -u bluez-utils-3.5/debian/rules bluez-utils-3.5/debian/rules
--- bluez-utils-3.5/debian/rules
+++ bluez-utils-3.5/debian/rules
@@ -13,6 +13,7 @@
# removed --enable-pcmcia --enable-dbus
DEB_CONFIGURE_EXTRA_FLAGS := --disable-initscripts --enable-obex --enable-cups --enable-hid2hci
DEB_DESTDIR := $(CURDIR)/debian/tmp
+DEB_FIXPERMS_EXCLUDE := etc/bluetooth/*
build/bluez-utils::
$(CC) `pkg-config --libs --cflags dbus-1` -DDBUS_API_SUBJECT_TO_CHANGE -o $(CURDIR)/debian/add-passkey $(CURDIR)/debian/add-passkey.c
@@ -43,6 +44,10 @@
# have a sensible pin default, the upstream one 'BlueZ'
# cannot be typed on a phone keypad!
echo "1234" > $(CURDIR)/debian/bluez-utils/etc/bluetooth/passkeys/default
+ chmod u=rw,go= $(CURDIR)/debian/bluez-utils/etc/bluetooth/passkeys/default
+ # tighten pin/passkey file and directory permissions
+ chmod u=rw,go= $(DEB_DESTDIR)/etc/bluetooth/hcid.conf
+ chmod u=rwx,go= $(CURDIR)/debian/bluez-utils/etc/bluetooth/passkeys
binary-install/bluez-pcmcia-support::
#chmod a+x $(DEB_DESTDIR)/etc/pcmcia/bluetooth
diff -u bluez-utils-3.5/debian/changelog bluez-utils-3.5/debian/changelog
--- bluez-utils-3.5/debian/changelog
+++ bluez-utils-3.5/debian/changelog
@@ -1,3 +1,9 @@
+bluez-utils (3.5-1.0etch.mcf01) unstable; urgency=low
+
+ * Try tighten passkey permissions for upgrades and new installs
+
+ -- Mikko Rapeli <mikko.rapeli at iki.fi> Fri, 29 Sep 2006 17:11:04 +0300
+
bluez-utils (3.5-1) unstable; urgency=medium
* New upstream release (closes: #384379)
More information about the Pkg-bluetooth-maintainers
mailing list