[Secure-testing-team] Bug#705861: [cowpoke]: cowpoke and Lintian with user checks by default

Niels Thykier niels at thykier.net
Sun Apr 21 09:06:58 UTC 2013


Package: devscripts
Version: 2.12.6
Severity: normal
Tags: security

Hi,

I was informed that cowpoke might be running Lintian with higher
privileges than normal.  As we are considering enabling "user" checks
by default, cowpoke should be audited to avoid any ill side-effects.

As I understand the setup, cowpoke will send a build task to a remote
server (via SSH).  The server will then build the package as root and
after that as "$BUILDD_USER" run lintian.  $BUILDD_USER could be a
shared account (between multiple users) or even "root" on the server.

From what I can tell, there is "probably not an issue here".  The
client can already now send the server an arbitrary shell script
and runs it as the BUILDD_USER if they can use cowpoke[1].  So the
clients have to be trusted with (effective) shell access.

To exploit the user checks in Lintian, the client would have to be
able to write to the BUILDD_USER's $HOME on the server (or choose the
contents of the XDG_DATA_* variables, in which case any directory will
do)[2].

If you agree with my assertion, let's just close this as "not a
problem".

~Niels

[1] There is no way to automatically audit that the script received from
the client is actually from cowpoke (and much less what it does).

[2] Technically, /etc/lintian is a possible location as well, but if
the client has write access there, Lintian will probably still be the
least of your worries.


