[Secure-testing-team] Bug#615103: Converting /etc/lilo.conf to UUID scheme generates world-readable file
Edgar Sippel
for.your.spam.only at web.de
Fri Feb 25 18:36:19 UTC 2011
Package: lilo
Version: 1:23.1-1
Severity: grave
Tags: security
Justification: user security hole
Hello,
Today's update of LiLo to version 1:23.1-1 also brought the conversion of the old /dev/sdX
paths in /etc/lilo.conf to libata compatible paths. While the installation itself went
well, I stumbled upon a warning message from lilo after parsing the newly generated conffile:
|Warning: /etc/lilo.conf should be readable only for root if using PASSWORD
When checking file permissions afterwards, I found the file being world-readable:
|blechtrottel:/etc# ls -l lilo.conf
|-rw-r--r-- 1 root root 4617 25. Feb 19:18 lilo.conf
This makes the protection via PASSWORD completely useless - if any logged in user can read
/etc/lilo.conf, he could also change boot parameters of the system, e.g. booting his own OS.
Best regards,
Edgar
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages lilo depends on:
ii debconf [debconf-2.0] 1.5.38 Debian configuration management sy
ii dpkg 1.15.8.10 Debian package management system
ii libc6 2.11.2-11 Embedded GNU C Library: Shared lib
ii libdevmapper1.02.1 2:1.02.48-5 The Linux Kernel Device Mapper use
ii mbr 1.1.10-2 Master Boot Record for IBM-PC comp
lilo recommends no packages.
Versions of packages lilo suggests:
ii lilo-doc 1:23.1-1 LInux LOader - Documentation for t
-- debconf information:
liloconfig/fstab_broken:
liloconfig/banner:
liloconfig/use_lba32: true
liloconfig/configuring_base:
* lilo/diskid_uuid: true
* lilo/runme: = false
liloconfig/wipe_old_liloconf: false
liloconfig/activate_error:
lilo/new-config:
lilo/link2:
liloconfig/maintitle:
liloconfig/mbr_error:
liloconfig/lilo_warning:
liloconfig/no_changes:
* lilo/add_large_memory: false
liloconfig/liloconf_incompatible:
lilo/bad_bitmap:
lilo/upgrade:
liloconfig/liloconf_exists:
* lilo/link1:
liloconfig/use_current_lilo: true
liloconfig/instruction:
liloconfig/select_bitmap: /boot/debian.bmp
liloconfig/lilo_error:
liloconfig/odd_fstab:
liloconfig/install_from_root_device: true
liloconfig/make_active_partition: true
liloconfig/install_mbr: false
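As an added illustration of the defect described in this report (not code from the bug report or from the lilo package, and not the package's actual fix), the following shell functions show the pattern a conversion script should follow: rewrite the conffile through a temporary file and restore the original mode instead of inheriting the process umask, then audit the result the same way lilo's own warning does. The sed substitution and UUID value used in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example: rewrite a config file without loosening its permissions,
# then check it the way lilo does for PASSWORD.

# rewrite_config SRC CMD...: feed SRC to CMD on stdin, write CMD's output
# back over SRC atomically, and keep SRC's original permission bits.
rewrite_config() {
    src=$1; shift
    mode=$(stat -c '%a' "$src")          # GNU stat (Debian coreutils)
    tmp=$(mktemp "$src.XXXXXX")          # mktemp creates the file 0600
    "$@" < "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod "$mode" "$tmp"                 # restore the original mode, not umask
    mv -f "$tmp" "$src"                  # rename into place atomically
}

# check_lilo_conf FILE: return 0 if FILE is safe, 1 if it contains a
# password directive and is readable by group or other.
check_lilo_conf() {
    f=$1
    # No password directive: permissions are not security-relevant here.
    grep -qi '^[[:space:]]*password[[:space:]]*=' "$f" || return 0
    # POSIX find: -perm -g=r / -perm -o=r test the group/other read bits.
    if [ -n "$(find "$f" -prune \( -perm -g=r -o -perm -o=r \))" ]; then
        echo "Warning: $f should be readable only for root if using PASSWORD" >&2
        return 1
    fi
    return 0
}
```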