Bug#926641: dirs in initrd are not accessible by mandos plugin-runner


Peter Palfrader
Package: mandos-client
Version: 1.8.3-3
Severity: important

Hi!

This is a pretty minimal, fresh buster.  It also has dropbear-initramfs
installed, so that may also be to blame.

During boot, mandos' plugin-runner can't run the plugins:

| ~ # /lib/mandos/plugin-runner: fexecve for /lib/mandos/plugins.d/mandos-client: Permission denied
| /lib/mandos/plugin-runner: fexecve for /lib/mandos/plugins.d/splashy: Permission denied
| /lib/mandos/plugin-runner: fexecve for /lib/mandos/plugins.d/usplash: Permission denied

Turns out, lots of directories are owned by root and not accessible by
other processes, among them:
| ~ # find / -xdev -type d ! -perm +001 | grep usr | grep -v modules/
| /usr/lib64
| /usr/lib/x86_64-linux-gnu
| /usr/lib/udev
| /usr/lib/udev/rules.d
| /usr/lib/systemd
| /usr/lib/systemd/network
| /usr/lib/modules
| /usr/lib/modprobe.d
| /usr/lib/mandos/plugins.d
| /usr/lib/mandos/plugin-helpers
| /usr/lib/cryptsetup

Changing some permissions makes plugin-runner able to run its plugins:
--- mandos      2019-04-08 10:57:20.082839532 +0000
+++ /usr/share/initramfs-tools/hooks/mandos     2019-04-08 10:59:25.794634878 +0000
@@ -264,7 +264,7 @@
ยท
 # Reset some other things to sane permissions which we have
 # inadvertently affected with our umask setting.
-for dir in / /bin /etc /keyscripts /sbin /scripts /usr /usr/bin; do
+for dir in / /bin /etc /keyscripts /sbin /scripts /usr /usr/bin /usr/lib64 /usr/lib/x86_64-linux-gnu "${PLUGINDIR}" "${PLUGINHELPERDIR}"; do
     if [ -d "${DESTDIR}$dir" ]; then
        chmod a+rX "${DESTDIR}$dir"
     fi
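Review bot: the two new entries hardcode /usr/lib64 and the multiarch triplet /usr/lib/x86_64-linux-gnu, so the loop silently misses the library directory on every other architecture, and since `chmod a+rX` here is not recursive, /usr/lib/udev, /usr/lib/systemd, /usr/lib/modprobe.d and /usr/lib/cryptsetup from the find output above are still left unsearchable. Instead of growing the list, derive the directories from what the hook needs reachable: walk every parent of "${PLUGINDIR}" and "${PLUGINHELPERDIR}" from "${DESTDIR}" down and `chmod a+rX` each one, or narrow the umask (which the comment says is the cause) to just the secret files the hook writes so the copied directories are never affected.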

(This is, of course, not a real fix, since we can't just hardcode the lib directory.)



--
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/
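As an added example (not part of the bug report and not mandos' own initramfs hook): a small POSIX shell check that reproduces the failure in a scratch tree and fixes it by walking the parent directories of the plugin path instead of hardcoding /usr/lib/x86_64-linux-gnu. The helper names first_blocked_dir, fix_path_dirs, list_unsearchable and make_broken_tree, and the scratch tree they operate on, are constructed for this page.

```shell
#!/bin/sh
# Added example, not mandos code. fexecve()/execve() on a plugin needs the
# search bit (x) on *every* directory between the initramfs root and the
# file, for the user plugin-runner executes as. A directory created under a
# restrictive umask (e.g. 077) lacks o+x, so the path fails with EACCES
# even though the plugin itself is 0755. Helper names are hypothetical.

# first_blocked_dir ROOT PATH
# Walk the directory components of PATH (relative to ROOT) and print the
# first directory that is not searchable by others (missing o+x).
# Returns 0 and prints it if found; returns 1 and prints nothing otherwise.
first_blocked_dir() {
    root=$1
    rel=$2
    cur=$root
    # ROOT itself must be searchable too (the hook resets "/" for this reason)
    if [ -n "$(find "$cur" -maxdepth 0 -type d ! -perm -001)" ]; then
        printf '%s\n' "$cur"; return 0
    fi
    oldifs=$IFS; IFS=/; set -f; set -- $rel; set +f; IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue        # skip empty leading/double slashes
        cur="$cur/$comp"
        [ -d "$cur" ] || break            # reached the file itself; done
        if [ -n "$(find "$cur" -maxdepth 0 -type d ! -perm -001)" ]; then
            printf '%s\n' "$cur"; return 0
        fi
    done
    return 1
}

# fix_path_dirs ROOT PATH
# Non-recursive chmod a+rX on ROOT and on each directory component of PATH,
# i.e. the hook's loop, but with the list derived from the path that must
# be reachable rather than a hardcoded set of directory names.
fix_path_dirs() {
    root=$1
    rel=$2
    cur=$root
    chmod a+rX "$cur"
    oldifs=$IFS; IFS=/; set -f; set -- $rel; set +f; IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        [ -d "$cur" ] || break
        chmod a+rX "$cur"
    done
}

# list_unsearchable ROOT
# The report's "find / -xdev -type d ! -perm +001" with POSIX mode syntax:
# every directory under ROOT that others cannot traverse.
list_unsearchable() {
    find "$1" -type d ! -perm -001
}

# make_broken_tree
# Constructed sample initramfs tree mimicking the report: /, /usr and
# /usr/lib are fine, the deeper directories were created under umask 077,
# and the plugin file itself is 0755. Prints the scratch DESTDIR.
make_broken_tree() {
    d=$(mktemp -d)
    (umask 077 && mkdir -p "$d/usr/lib/x86_64-linux-gnu" "$d/usr/lib/mandos/plugins.d")
    chmod a+rX "$d" "$d/usr" "$d/usr/lib"
    printf '#!/bin/sh\nexit 0\n' > "$d/usr/lib/mandos/plugins.d/mandos-client"
    chmod 0755 "$d/usr/lib/mandos/plugins.d/mandos-client"
    printf '%s\n' "$d"
}

# Usage on the constructed tree: sh this_file.sh demo
if [ "${1-}" = demo ]; then
    t=$(make_broken_tree)
    echo "blocked before: $(first_blocked_dir "$t" /usr/lib/mandos/plugins.d/mandos-client)"
    fix_path_dirs "$t" /usr/lib/mandos/plugins.d/mandos-client
    echo "blocked after:  $(first_blocked_dir "$t" /usr/lib/mandos/plugins.d/mandos-client || echo none)"
    rm -rf "$t"
fi
```

On the constructed tree the check reports /usr/lib/mandos as the first unsearchable component, and after fix_path_dirs the plugin path is reachable while /usr/lib/x86_64-linux-gnu, which is not on that path, is still reported; in the real hook the same walk over "${PLUGINDIR}" and "${PLUGINHELPERDIR}" (and over the library directory the plugins actually load from) replaces the hardcoded list.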