[Bug 1803958] Comment bridged from LTC Bugzilla
bugproxy
bugproxy at us.ibm.com
Tue Nov 20 15:40:11 UTC 2018
------- Comment From ifranzki at de.ibm.com 2018-11-20 10:32 EDT-------
Regarding fork&exec: This would not solve the PATH security problem either. So we would also need to build our own PATH environment for exec.
Regarding libcryptsetup use: Yes we could do this, but we are generating
different types of commands, "cryptsetup luksFormat" and "cryptsetup
plainOpen". Implementing this based on libcryptsetup would basically
mean to re-implement lots of what is in cryptsetup already. So we would
have to maintain it, keep it current with cryptsetup, etc. Lots of
things that we don't have to do in the current approach. Also, these
commands are only generated when --run option is specified, otherwise we
just output the command string.
Regarding shell escape vulnerabilities: The key file name is passed
quoted to system, so that should be safe. Also, the key file name is
checked when generating the key already, so you won't be able to
generate a key with such a name. If you find a way to escape, then
please open a new Bugzilla to report that.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1803958
Title:
[UBUNTU] zkey: Fails to run commands generated by 'zkey cryptsetup'
Status in Ubuntu on IBM z Systems:
Triaged
Status in s390-tools package in Ubuntu:
New
Bug description:
Description: zkey: Fails to run commands generated by 'zkey
cryptsetup'
Symptom: Fails to run commands generated by 'zkey cryptsetup'.
Problem: When using 'zkey cryptsetup' with --run option the execution
of the generated commands may fail, when the executable to be run is
located in '/sbin'.
Solution: Include /sbin into PATH when executing commands.
Reproduction: Use 'zkey cryptsetup' with option --run on a distribution
where 'cryptsetup' is located in '/sbin'.
Upstream commit:
https://github.com/ibm-s390-tools/s390-tools/commit/9100327092c470c2e5b5819087c8094822a1c751
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1803958/+subscriptions
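
The fork-and-exec alternative raised in the comment, with its own PATH built for exec and no shell involved, as an added sketch that is not s390-tools code. The names resolve_trusted and run_trusted and the directory list are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed trusted search list; the caller's PATH is never consulted. */
static const char *const trusted_dirs[] = {
    "/sbin", "/usr/sbin", "/bin", "/usr/bin", NULL
};

/* Resolve a bare program name against trusted_dirs only.
 * Returns 0 and fills buf on success, -1 if not found or if the
 * name contains a '/' (no caller-chosen paths). */
int resolve_trusted(const char *name, char *buf, size_t len)
{
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;
    for (size_t i = 0; trusted_dirs[i] != NULL; i++) {
        int n = snprintf(buf, len, "%s/%s", trusted_dirs[i], name);
        if (n > 0 && (size_t)n < len && access(buf, X_OK) == 0)
            return 0;
    }
    return -1;
}

/* Run argv[0] without a shell and with a fixed environment, so each
 * argument (a key file name, for instance) reaches the program as one
 * literal string. Returns the child's exit status, or -1 on failure. */
int run_trusted(char *const argv[])
{
    char path[4096];
    char *const envp[] = { "PATH=/sbin:/usr/sbin:/bin:/usr/bin", NULL };
    int status;
    pid_t pid;

    if (resolve_trusted(argv[0], path, sizeof(path)) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127); /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```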