[Pkg-bluetooth-maintainers] Bug#390035: bluez-utils pin file readable by all

Mikko Rapeli mikko.rapeli at iki.fi
Fri Sep 29 15:42:15 UTC 2006 

This small bug affects sarge too so I'm cc'ing security. Attached patches 
restrict the permissions for sarge and etch/sid so that non-root users can 
not read the default pin value used in Bluetooth authentication.
 
The postinst script was manually tested with fresh installs and upgrades
on both sarge and etch installations.

For the record, both upstream[1] and Fedora[2] have these pin files in
mode 600, so I see no reason for this Debian specific behaviour.

-Mikko

[1]
$ grep -A 1 BlueZ bluez-utils-2.15/hcid/Makefile.am
                echo "BlueZ" > $(DESTDIR)$(pinfile); \
                chmod 600 $(DESTDIR)$(pinfile)
[2]
$ rpm2cpio bluez-utils-2.25-12.i386.rpm | cpio -vt | grep bluetooth\/pin
-rw-------   1 root     root            6 Jul 19 22:12 ./etc/bluetooth/pin

-------------- next part --------------
diff -u bluez-utils-2.15/debian/bluez-utils.postinst bluez-utils-2.15/debian/bluez-utils.postinst
--- bluez-utils-2.15/debian/bluez-utils.postinst
+++ bluez-utils-2.15/debian/bluez-utils.postinst
@@ -3,6 +3,14 @@
 set -e
 case "$1" in
     configure)
+    		# sarge specific minor security fix:
+		# bluez-utils shipped with /etc/bluetooth/pin readable by 
+		# others so resetting its permissions
+		if [ -e /etc/bluetooth/pin ] && [ 'foo'$( find /etc/bluetooth/pin -perm +go=rwx ) != 'foo' ]; then
+			echo "Security update: removing group and other permissions from file /etc/bluetooth/pin"
+			chmod u=rw,go= /etc/bluetooth/pin
+		fi
+
     		# remove bluez-sdpd init, if present
 		if [ -f /etc/init.d/bluez-sdp ]; then
 			/usr/sbin/update-rc.d -f bluez-sdp remove
diff -u bluez-utils-2.15/debian/changelog bluez-utils-2.15/debian/changelog
--- bluez-utils-2.15/debian/changelog
+++ bluez-utils-2.15/debian/changelog
@@ -1,3 +1,9 @@
+bluez-utils (2.15-1.1.0sarge.mcf01) stable-security; urgency=low
+
+  * Try to set tighter /etc/bluetooth/pin permissions
+
+ -- Mikko Rapeli <mikko.rapeli at iki.fi>  Fri, 29 Sep 2006 11:26:08 +0300
+
 bluez-utils (2.15-1.1) stable-security; urgency=high
 
   * Fix command injection insecurity in hcid. See CAN-2005-2547.
diff -u bluez-utils-2.15/debian/rules bluez-utils-2.15/debian/rules
--- bluez-utils-2.15/debian/rules
+++ bluez-utils-2.15/debian/rules
@@ -10,6 +10,8 @@
 
 DEB_CONFIGURE_EXTRA_FLAGS := --enable-pcmcia --enable-dbus --enable-cups --enable-hid2hci --enable-bcm203x
 
+DEB_FIXPERMS_EXCLUDE := etc/bluetooth/pin
+
 install/bluez-utils::
 	# modutils config file
 	install -D -m 0644 debian/modutils \
@@ -31,6 +33,7 @@
 	# have a sensible pin default, the upstream one 'BlueZ'
 	# cannot be typed on a phone keypad!
 	echo "1234" > $(DEB_DESTDIR)/etc/bluetooth/pin
+	chmod u=rw,go= $(DEB_DESTDIR)/etc/bluetooth/pin
 
 install/bluez-pcmcia-support::
 	chmod a+x $(DEB_DESTDIR)/etc/pcmcia/bluetooth
-------------- next part --------------
diff -u bluez-utils-3.5/debian/bluez-utils.postinst bluez-utils-3.5/debian/bluez-utils.postinst
--- bluez-utils-3.5/debian/bluez-utils.postinst
+++ bluez-utils-3.5/debian/bluez-utils.postinst
@@ -15,6 +15,19 @@
 set -e
 case "$1" in
     configure)
+	# bluez-utils shipped with /etc/bluetooth/hcid.conf and 
+	# /etc/bluetooth/passkey readable by others so resetting 
+	# its permissions
+        if [ -e /etc/bluetooth/hcid.conf ] && [ 'foo'$( find /etc/bluetooth/hcid.conf -perm +go=rwx ) != 'foo' ]; then
+		echo "Security update: removing group and other permissions from file /etc/bluetooth/hcid.conf"
+		chmod u=rw,go= /etc/bluetooth/hcid.conf
+ 	fi
+
+        if [ -e /etc/bluetooth/passkeys ] && [ 'foo'$( find /etc/bluetooth/passkeys -maxdepth 0 -perm +go=rwx ) != 'foo' ]; then
+		echo "Security update: removing group and other permissions from /etc/bluetooth/passkeys*"
+		chmod -R u=rw,go= /etc/bluetooth/passkeys
+ 	fi
+
         # remove bluez-sdpd init, if present
 		if [ -f /etc/init.d/bluez-sdp ]; then
 			/usr/sbin/update-rc.d -f bluez-sdp remove
diff -u bluez-utils-3.5/debian/rules bluez-utils-3.5/debian/rules
--- bluez-utils-3.5/debian/rules
+++ bluez-utils-3.5/debian/rules
@@ -13,6 +13,7 @@
 # removed --enable-pcmcia --enable-dbus
 DEB_CONFIGURE_EXTRA_FLAGS := --disable-initscripts --enable-obex --enable-cups --enable-hid2hci 
 DEB_DESTDIR := $(CURDIR)/debian/tmp
+DEB_FIXPERMS_EXCLUDE := etc/bluetooth/*
 
 build/bluez-utils::
 	$(CC) `pkg-config --libs --cflags dbus-1` -DDBUS_API_SUBJECT_TO_CHANGE -o $(CURDIR)/debian/add-passkey $(CURDIR)/debian/add-passkey.c
@@ -43,6 +44,10 @@
 	# have a sensible pin default, the upstream one 'BlueZ'
 	# cannot be typed on a phone keypad!
 	echo "1234" > $(CURDIR)/debian/bluez-utils/etc/bluetooth/passkeys/default
+	chmod u=rw,go= $(CURDIR)/debian/bluez-utils/etc/bluetooth/passkeys/default
+	# tighten pin/passkey file and directory permissions
+	chmod u=rw,go= $(DEB_DESTDIR)/etc/bluetooth/hcid.conf
+	chmod u=rwx,go= $(CURDIR)/debian/bluez-utils/etc/bluetooth/passkeys
 
 binary-install/bluez-pcmcia-support::
 	#chmod a+x $(DEB_DESTDIR)/etc/pcmcia/bluetooth
diff -u bluez-utils-3.5/debian/changelog bluez-utils-3.5/debian/changelog
--- bluez-utils-3.5/debian/changelog
+++ bluez-utils-3.5/debian/changelog
@@ -1,3 +1,9 @@
+bluez-utils (3.5-1.0etch.mcf01) unstable; urgency=low
+
+  * Try tighten passkey permissions for upgrades and new installs
+
+ -- Mikko Rapeli <mikko.rapeli at iki.fi>  Fri, 29 Sep 2006 17:11:04 +0300
+
 bluez-utils (3.5-1) unstable; urgency=medium
 
   * New upstream release (closes: #384379)

More information about the Pkg-bluetooth-maintainers mailing list