Bug #7410

Don't allow the desktop user to pass arguments to tails-upgrade-frontend

Added by intrigeri 2014-06-13 02:42:35. Updated 2014-07-22 22:57:04.

Status: Resolved
Priority: Elevated
Assignee:
Category:
Target version:
Start date: 2014-06-13
Due date:
% Done: 100%
Feature Branch: bugfix/7345-upgrade-from-iso-from-1.0-to-1.1
Type of work: Code
Blueprint:
Starter: 0
Affected tool: Upgrader
Deliverable for:
Description

In /etc/sudoers.d/zzz_upgrade, we allow the desktop user to run tails-upgrade-frontend as the tails-upgrade-frontend user, with any arguments. Some of the available options might be dangerous. I’ve looked at it quickly and didn’t find anything scary, but still, we should lock this down, and apply something like:


--- a/config/chroot_local-includes/etc/sudoers.d/zzz_upgrade
+++ b/config/chroot_local-includes/etc/sudoers.d/zzz_upgrade
@@ -1,6 +1,6 @@
 Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/cp, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar
 Cmnd_Alias IUK_GET_TARGET_FILE = /usr/bin/tails-iuk-get-target-file
-Cmnd_Alias UPGRADE_FRONTEND = /usr/bin/tails-upgrade-frontend
+Cmnd_Alias UPGRADE_FRONTEND = /usr/bin/tails-upgrade-frontend ""

 Defaults!IUK_GET_TARGET_FILE env_keep+="HARNESS_ACTIVE DISABLE_PROXY"
 Defaults!UPGRADE_FRONTEND env_keep+="DISABLE_PROXY SSL_NO_VERIFY"
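Review bot: The `""` on the new UPGRADE_FRONTEND line closes off command-line arguments, but the unchanged `Defaults!UPGRADE_FRONTEND env_keep+="DISABLE_PROXY SSL_NO_VERIFY"` line still lets the calling user carry both variables across the sudo boundary, so caller-controlled input to tails-upgrade-frontend remains. Please confirm both are needed outside testing, and if not, drop them from env_keep in the same change. A one-line comment above the alias saying that the trailing `""` means "no arguments allowed" (and that the manual test suite reverts it) would also keep a later cleanup from removing it by mistake.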

Note that the manual test suite doc must be updated, to instruct testers to revert this change, as in this context they do need to pass arguments to t-p-s.
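
To illustrate the sudoers rule this report relies on (a command listed without arguments may be run with any arguments, while a trailing `""` permits none), here is an added example that is not part of the original report or of Tails' code: a small Python audit that classifies each Cmnd_Alias member. The sample input is constructed from the alias lines in the diff; the `_OLD`/`_NEW` suffixes and all function names are assumptions of this example.

```python
import re

# Constructed sample: alias lines from the diff above, before and after the
# change. The _OLD/_NEW suffixes exist only in this example.
SAMPLE = r'''
Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/cp, /bin/mkdir, /bin/mktemp, \
                         /bin/mount, /bin/rm, /bin/tar
Cmnd_Alias UPGRADE_FRONTEND_OLD = /usr/bin/tails-upgrade-frontend
Cmnd_Alias UPGRADE_FRONTEND_NEW = /usr/bin/tails-upgrade-frontend ""
Defaults!UPGRADE_FRONTEND_NEW env_keep+="DISABLE_PROXY SSL_NO_VERIFY"
'''

# "A = ... : B = ..." defines several aliases on one line; the lookahead keeps
# colons inside arguments or digests from being treated as separators.
NEXT_ALIAS = re.compile(r'\s*:\s*(?=[A-Z][A-Z0-9_]*\s*=)')

def arg_policy(entry):
    """Classify one Cmnd_Alias member by the arguments sudo will accept."""
    if entry.startswith('!'):
        return 'negated'            # an exclusion, not a grant
    if not entry.startswith('/'):
        return 'not-a-path'         # ALL, nested alias, sudoedit, digest prefix
    cmd, *rest = entry.split(None, 1)
    args = rest[0].strip() if rest else ''
    if cmd.endswith('/') or not args:
        return 'any-args'           # bare path or directory: caller picks args
    return 'no-args' if args == '""' else 'listed-args'

def audit(text):
    """Return {alias: [(command, policy), ...]} for each Cmnd_Alias in text."""
    text = re.sub(r'\\\n', ' ', text)           # join continuation lines
    found = {}
    for line in text.splitlines():
        m = re.match(r'\s*Cmnd_Alias\s+(.*)', line)
        if not m:
            continue
        for definition in NEXT_ALIAS.split(m.group(1)):
            name, _, members = definition.partition('=')
            entries = [e.strip() for e in re.split(r'(?<!\\),', members)]
            found[name.strip()] = [(e.split()[0], arg_policy(e))
                                   for e in entries if e]
    return found

def unrestricted(text):
    """(alias, command) pairs the caller may run with arbitrary arguments."""
    return sorted((a, c) for a, cmds in audit(text).items()
                  for c, p in cmds if p == 'any-args')
```

Calling `unrestricted()` on the contents of a sudoers.d file lists the entries that still need an argument restriction; it does not resolve which users or run-as targets each alias is granted to.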


Related issues

Related to Tails - Bug #7345: Tails 1.1~beta1 created by upgrade from ISO from a 1.0 USB does not boot Resolved 2014-06-24

History

#1 Updated by BitingBird 2014-06-13 09:39:27

I’m not convinced. Users that dare add arguments are supposed to know what they’re doing (not a mistake). I don’t see the point if it bothers testers.

#2 Updated by intrigeri 2014-06-13 10:35:26

> I’m not convinced. Users that dare add arguments are supposed to know what they’re doing (not a mistake). I don’t see the point if it bothers testers.

It’s simply not worth taking the risk of privilege escalation,
persistent root kit implementation, and so on. It’s way easier to lock
things down with the “least privilege” principle, than to make sure
that privileges beyond what’s necessary are safe, and will ever be.

#3 Updated by intrigeri 2014-06-20 09:15:49

  • Status changed from Confirmed to In Progress
  • Target version set to Tails_1.1
  • % Done changed from 0 to 20
  • Feature Branch set to bugfix/7345-upgrade-from-iso-from-1.0-to-1.1

Implemented, not tested yet.

#4 Updated by intrigeri 2014-06-20 09:16:15

  • related to Bug #7345: Tails 1.1~beta1 created by upgrade from ISO from a 1.0 USB does not boot added

#5 Updated by intrigeri 2014-06-21 23:32:05

  • Assignee changed from intrigeri to anonym
  • % Done changed from 20 to 50
  • QA Check set to Ready for QA

Tested, works fine. Shall be reviewed/tested/merged at the same time as Bug #7345, as the fix was sneaked into the same branch.

#6 Updated by intrigeri 2014-06-24 10:52:26

  • Status changed from In Progress to Fix committed
  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Merged for 1.1.

#7 Updated by BitingBird 2014-07-22 22:57:04

  • Status changed from Fix committed to Resolved