Debian Bug report logs - #574510
statd running as root after remove/install

version graph

Package: nfs-common; Maintainer for nfs-common is Debian kernel team <debian-kernel@lists.debian.org>; Source for nfs-common is src:nfs-utils.

Reported by: Peter Palfrader <weasel@debian.org>

Date: Thu, 18 Mar 2010 18:03:01 UTC

Severity: serious

Tags: security

Found in version nfs-utils/1:1.1.2-6lenny1

Fixed in version nfs-utils/1:1.2.2-2

Done: Anibal Monsalve Salazar <anibal@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#574510; Package nfs-common. (Thu, 18 Mar 2010 18:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter Palfrader <weasel@debian.org>:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Thu, 18 Mar 2010 18:03:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Peter Palfrader <weasel@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: statd running as root after remove/install
Date: Thu, 18 Mar 2010 18:59:26 +0100
Package: nfs-common
Version: 1:1.1.2-6lenny1
Severity: normal

Hi,

I noticed on paganini.debian.org that statd was running as root.

Apparently rpc.statd is running as the user who owns /var/lib/nfs/sm.
This is, by default, statd.  However, removing the package (but not
purgning) will also remove that directory, and then re-installing the
package will again create the directory, but now owned by root.

The postinst will not chown it to statd, even tho it probably should.

This is potentially a security issue.

Cheers,
weasel




Added tag(s) security. Request was from Martin Zobel-Helas <zobel@debian.org> to control@bugs.debian.org. (Thu, 18 Mar 2010 22:00:05 GMT) Full text and rfc822 format available.

Severity set to 'serious' from 'normal' Request was from Martin Zobel-Helas <zobel@debian.org> to control@bugs.debian.org. (Thu, 18 Mar 2010 22:00:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#574510; Package nfs-common. (Mon, 21 Jun 2010 02:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Vagrant Cascadian <vagrant+debianbugs@freegeek.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>. (Mon, 21 Jun 2010 02:09:04 GMT) Full text and rfc822 format available.

Message #14 received at 574510@bugs.debian.org (full text, mbox):

From: Vagrant Cascadian <vagrant+debianbugs@freegeek.org>
To: Debian Bug Tracking System <574510@bugs.debian.org>
Subject: #574510: statd running as root after remove/install
Date: Sun, 20 Jun 2010 19:04:13 -0700
Package: nfs-common
Followup-For: Bug #574510

this patch partially addresses the issue by ensuring that the files are owned
by statd no matter what version is installed, even if a previous version was
installed.

--- nfs-common.postinst.orig    2010-06-20 18:29:11.000000000 -0700
+++ nfs-common.postinst 2010-06-20 18:28:44.000000000 -0700
@@ -23,7 +23,6 @@
                 rmdir --ignore-fail-on-non-empty /home/statd
             fi
        fi
-       if [ "$2" = "" ] || dpkg --compare-versions "$2" lt 1:1.0.7-16; then
            chown statd /var/lib/nfs/sm \
                /var/lib/nfs/sm.bak \
                /var/lib/nfs/rpc_pipefs \
@@ -31,7 +30,6 @@
             if [ -f /var/lib/nfs/state ]; then
                chown statd /var/lib/nfs/state
             fi
-       fi

        if [ "$2" != "" ] || dpkg --compare-versions "$2" lt 1:1.1.0-14; then
            if dpkg-statoverride --list /sbin/mount.nfs >/dev/null 2>&1; then

it looks like the comparison with an empty "$2" argument works for an initial
install, but not when a package was removed and later re-installed, as postinst
will be called with the previously installed version as an argument. other
parts of the postinst may be affected by similar uses of tests against "$2".

live well,
  vagrant




Information forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#574510; Package nfs-common. (Mon, 12 Jul 2010 21:57:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Vagrant Cascadian <vagrant@freegeek.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>. (Mon, 12 Jul 2010 21:57:03 GMT) Full text and rfc822 format available.

Message #19 received at 574510@bugs.debian.org (full text, mbox):

From: Vagrant Cascadian <vagrant@freegeek.org>
To: 574510@bugs.debian.org
Subject: NMU to fix: statd running as root after remove/install
Date: Mon, 12 Jul 2010 14:53:08 -0700
tags 574510 pending
thanks

Uploaded an NMU to DELAYED 3, with the patch previously submitted applied (with
some whitespace sanitizing) to fix this RC bug:

diff -Nru nfs-utils-1.2.2/debian/changelog nfs-utils-1.2.2/debian/changelog
--- nfs-utils-1.2.2/debian/changelog	2010-04-06 02:15:29.000000000 -0700
+++ nfs-utils-1.2.2/debian/changelog	2010-07-12 13:53:04.000000000 -0700
@@ -1,3 +1,11 @@
+nfs-utils (1:1.2.2-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Ensure files under /var/lib/nfs/ are owned by statd user. 
+    Closes: #574510 
+
+ -- Vagrant Cascadian <vagrant@debian.org>  Mon, 12 Jul 2010 20:52:13 +0000
+
 nfs-utils (1:1.2.2-1) unstable; urgency=low
 
   [ Anibal Monsalve Salazar ]
diff -Nru nfs-utils-1.2.2/debian/nfs-common.postinst nfs-utils-1.2.2/debian/nfs-common.postinst
--- nfs-utils-1.2.2/debian/nfs-common.postinst	2010-01-12 19:18:00.000000000 -0800
+++ nfs-utils-1.2.2/debian/nfs-common.postinst	2010-07-12 13:51:59.000000000 -0700
@@ -23,15 +23,13 @@
                 rmdir --ignore-fail-on-non-empty /home/statd
             fi
 	fi
-	if [ "$2" = "" ] || dpkg --compare-versions "$2" lt 1:1.0.7-16; then
-	    chown statd /var/lib/nfs/sm \
+	chown statd /var/lib/nfs/sm \
 		/var/lib/nfs/sm.bak \
 		/var/lib/nfs/rpc_pipefs \
 		/var/lib/nfs
-            if [ -f /var/lib/nfs/state ]; then
+        if [ -f /var/lib/nfs/state ]; then
 	        chown statd /var/lib/nfs/state
-            fi
-	fi
+        fi
 	
 	if [ "$2" != "" ] || dpkg --compare-versions "$2" lt 1:1.1.0-14; then
 	    if dpkg-statoverride --list /sbin/mount.nfs >/dev/null 2>&1; then


live well,
  vagrant




Added tag(s) pending. Request was from Vagrant Cascadian <vagrant@freegeek.org> to control@bugs.debian.org. (Mon, 12 Jul 2010 21:57:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#574510; Package nfs-common. (Mon, 12 Jul 2010 23:36:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>. (Mon, 12 Jul 2010 23:36:02 GMT) Full text and rfc822 format available.

Message #26 received at 574510@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: Vagrant Cascadian <vagrant@freegeek.org>, 574510@bugs.debian.org
Subject: Re: Bug#574510: NMU to fix: statd running as root after remove/install
Date: Tue, 13 Jul 2010 00:33:44 +0100
[Message part 1 (text/plain, inline)]
On Mon, 2010-07-12 at 14:53 -0700, Vagrant Cascadian wrote:
> tags 574510 pending
> thanks
> 
> Uploaded an NMU to DELAYED 3, with the patch previously submitted applied (with
> some whitespace sanitizing) to fix this RC bug:
[...]

Thanks.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
[signature.asc (application/pgp-signature, inline)]

Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. (Wed, 14 Jul 2010 02:33:21 GMT) Full text and rfc822 format available.

Notification sent to Peter Palfrader <weasel@debian.org>:
Bug acknowledged by developer. (Wed, 14 Jul 2010 02:33:21 GMT) Full text and rfc822 format available.

Message #31 received at 574510-close@bugs.debian.org (full text, mbox):

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 574510-close@bugs.debian.org
Subject: Bug#574510: fixed in nfs-utils 1:1.2.2-2
Date: Wed, 14 Jul 2010 02:32:38 +0000
Source: nfs-utils
Source-Version: 1:1.2.2-2

We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive:

nfs-common_1.2.2-2_powerpc.deb
  to main/n/nfs-utils/nfs-common_1.2.2-2_powerpc.deb
nfs-kernel-server_1.2.2-2_powerpc.deb
  to main/n/nfs-utils/nfs-kernel-server_1.2.2-2_powerpc.deb
nfs-utils_1.2.2-2.debian.tar.bz2
  to main/n/nfs-utils/nfs-utils_1.2.2-2.debian.tar.bz2
nfs-utils_1.2.2-2.dsc
  to main/n/nfs-utils/nfs-utils_1.2.2-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 574510@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated nfs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 13 Jul 2010 15:20:17 +1000
Source: nfs-utils
Binary: nfs-kernel-server nfs-common
Architecture: source powerpc
Version: 1:1.2.2-2
Distribution: unstable
Urgency: low
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 nfs-common - NFS support files common to client and server
 nfs-kernel-server - support for NFS kernel server
Closes: 574510
Changes: 
 nfs-utils (1:1.2.2-2) unstable; urgency=low
 .
   [ Vagrant Cascadian ]
   * Ensure files under /var/lib/nfs/ are owned by statd user.
     Closes: #574510
 .
   [ Anibal Monsalve Salazar ]
   * Fix out-of-date-standards-version
Checksums-Sha1: 
 a7a1ec0dc37d472e8acfd4ede40a4ea32af4ec24 1974 nfs-utils_1.2.2-2.dsc
 8f08a8a3d671f266243f7d6fb4ba5fee42989ed3 33097 nfs-utils_1.2.2-2.debian.tar.bz2
 a06f6d544d22d95987314066b2efd51a927d44c3 165846 nfs-kernel-server_1.2.2-2_powerpc.deb
 d0b36a01c5634560be8f0f516db965b937cc5883 240230 nfs-common_1.2.2-2_powerpc.deb
Checksums-Sha256: 
 9c0cf048074f7fa6ae38aecbe531abe4ac736449eb38d5d7b907b37b44434023 1974 nfs-utils_1.2.2-2.dsc
 a415cdbaaaaa9340ab6c9a39d1b725e5ac8f0886b98db1ccbab05cb5910e4a6e 33097 nfs-utils_1.2.2-2.debian.tar.bz2
 b88b3d57247e356ed12249ad7b13a2f9aaeb00b18ba0d2bada6a4c69d2796bf7 165846 nfs-kernel-server_1.2.2-2_powerpc.deb
 a6f5f60d4b1f53d53852491e6752b965cd3ec78f48039270914ec631cde5b32d 240230 nfs-common_1.2.2-2_powerpc.deb
Files: 
 61e359674156402aa23dc59e103dc089 1974 net standard nfs-utils_1.2.2-2.dsc
 1a3e63e2aeefb8d553369ab15e5b9f5a 33097 net standard nfs-utils_1.2.2-2.debian.tar.bz2
 c26508ce02f24b6cce75845f046b98cf 165846 net optional nfs-kernel-server_1.2.2-2_powerpc.deb
 dc4118430d4468f8d7dc55aa2d496ba2 240230 net standard nfs-common_1.2.2-2_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCAAGBQJMPR9VAAoJEHxWrP6UeJfYFucQAJJ5P8MCDsC5x1Hjuaw54NQs
dkjMIaPvZEAoQ23n3Lwh3rI3KYZ5eFOdXJ8qlzouMpSO+xJchSiUDy8gokZj6bEG
GUValvodxrAQHALL00DK/Ktn/PKLL3qOpaXtFOC89+HboKD4fYVXETtjTxjleEO1
6YUSihqdYWkHCy8/LiP/AdC2bvf/sw7yIPFMmlmvYeB0RB3la7ar2qZDqFq1wcjY
NUyvyPGhaAqIKIjxEGkxhsSU0xfI5LyXgm+qpR0zDWbRHkG+5/u06mNSVeEbRv66
LnEvyUPvtsPOQ49X+1rl8/qKGPcUzPCrQivKgJHU/Dc4IJPd6Ls2cEGlQ0RdwQ6v
CPjWDXfxErDlrz4vARkbLBt43OsArKFbiBcI8ZzPo8DY4Zc8ia4FlA1L883p1R5l
A+ap6lssYK6o6mPYsECsImo5eNoc5ZyxBKYz9RxplNNIHN66EcL/G2tc2uwgaRSv
L+HenxSW+gzuivJEfYqSL3MgN40GAfI6HPDQzBLdUg9zUTBtpQRZdwoLW3a2JBEX
xYBk1pYAjB2SaLzVEi+xb48A1x2Y0g9su/vvBSKvaEJnWnrX+d/rO07dYzfY/eBV
baiE1vNxeHEnGhwlYZvsUetikPx+9OimIrR2zcKoKYNa4d1wF1wFfH9t+dPDMZ8P
IpHJMBXF4Aiv2qbi7rL8
=YDPy
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 07:53:35 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:23:26 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.