• Bug#265982: bash: Please do not depend on passwd at all, bad in chroot

    From Jakob Bohm@1:229/2 to All on Mon Aug 16 05:50:06 2004
    From: [email protected]

    Subject: bash: Please do not depend on passwd at all, bad in chroot etc.
    Package: bash
    Version: 3.0-5
    Severity: normal

    bash 2.05b-2-17 added a dependency on the passwd package for the
    sole purpose of using add-shell and remove-shell to update
    /etc/shells when installing or removing bash.

    This has the unfortunate side-effect that it is no longer safe
    to install or update bash in chroot jails (like those used for
    building packages for a different Debian dist, but others too)
    and similar stripped down installs of Debian. The problem is
    greatly increased by the fact that this is a versioned depends
    and dpkg/apt does not allow for versioned Provides.

    Also note that in the few weeks that have passed since this
    dependency was introduced, both the passwd package and packages
    brought in by it (specifically login) have had security bugs of
    their own. This emphasizes why an Essential package such as
    bash should avoid unneeded dependencies and should not depend on
    any package containing daemons or suid executables.

    Close examination of the package contents indicates that a
    sufficient fix would be to change postrm so the call to
    remove-shell becomes conditional in the same way you already did
    for add-shell. With that small change to the postrm script, the
    dependency on passwd can be dropped completely.

    Note: I currently have a large number of chroot jails tracking
    different parts of unstable. About half of those are now stuck
    at bash-2.05b-2-16 and it would be a real pain for this problem
    to affect sarge jails on a permanent basis.


    -- System Information:
    Debian Release: 3.1
    APT prefers unstable
    APT policy: (500, 'unstable')
    Architecture: i386 (i686)
    Kernel: Linux 2.4.18jbj3.1.64
    Locale: LANG=C, LC_CTYPE=da_DK

    Versions of packages bash depends on:
    ii base-files   3.1             Debian base system miscellaneous files
    ii libc6        2.3.2.ds1-16    GNU C Library: Shared libraries and timezone data
    ii libncurses5  5.4-4           Shared libraries for terminal handling
    ii passwd       1:4.0.3-30      Change and administer password and group data

    -- no debconf information


    --
    This message is hastily written, please ignore any unpleasant wordings,
    do not consider it a binding commitment, even if its phrasing may
    indicate so. Its contents may be deliberately or accidentally untrue. Trademarks and other things belong to their owners, if any.
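    The guard the report asks for, written out as an added example. This is not
    the bash package's postrm and not the reporter's code; it mimics only the
    relevant piece of a Debian postrm, which receives the action ("remove",
    "purge", "upgrade", ...) as $1. The path /usr/sbin/remove-shell, the
    REMOVE_SHELL override and the fake remove-shell used to exercise the guard
    without root or a real chroot are all assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not the bash package's own postrm): calling remove-shell only
# when it is installed, so bash can be removed in a chroot that has no passwd
# package.  Tool path, the REMOVE_SHELL override and the fixture are assumptions.
set -e

# bash_postrm ACTION
# Only on remove/purge, and only if remove-shell (shipped by passwd) exists and
# is executable, is /bin/bash dropped from /etc/shells.  If the tool is absent
# nothing happens and the script exits 0, which is what lets the versioned
# Depends on passwd go away.
bash_postrm() {
    tool="${REMOVE_SHELL:-/usr/sbin/remove-shell}"
    case "$1" in
        remove|purge)
            if [ -x "$tool" ]; then
                "$tool" /bin/bash
            fi
            ;;
    esac
}

# --- Constructed fixture, not part of the postrm ---------------------------
# make_fixture DIR: writes a fake shells file and a fake remove-shell that
# edits it, standing in for /etc/shells and passwd's real tool.
make_fixture() {
    dir="$1"
    mkdir -p "$dir/sbin"
    printf '/bin/sh\n/bin/bash\n/bin/dash\n' > "$dir/shells"
    cat > "$dir/sbin/remove-shell" <<EOF
#!/bin/sh
# fake remove-shell: delete the named shell from the fixture's shells file
grep -v -x -F -- "\$1" "$dir/shells" > "$dir/shells.new" || true
mv "$dir/shells.new" "$dir/shells"
EOF
    chmod +x "$dir/sbin/remove-shell"
}

# Stand-alone demonstration of the two situations the report contrasts:
# a full system where passwd is installed, and a stripped-down chroot
# where it never was.
FIX=$(mktemp -d)
make_fixture "$FIX"
REMOVE_SHELL="$FIX/sbin/remove-shell" bash_postrm remove
echo "passwd installed, after remove:  $(paste -s -d , "$FIX/shells")"
make_fixture "$FIX"
REMOVE_SHELL="$FIX/no-passwd/remove-shell" bash_postrm remove
echo "chroot without passwd, after remove: $(paste -s -d , "$FIX/shells")"
rm -rf "$FIX"
```

    Note that the guard tests the executable, not whether a package named
    passwd is installed: that is what makes the Depends line unnecessary, and
    it also means an "upgrade" action never touches /etc/shells at all.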

