[Bug 2031304] Re: [MIR] dracut

Seth Arnold 2031304 at bugs.launchpad.net
Tue Sep 5 23:45:33 UTC 2023


How do we protect against / prevent "the wrong dracut packages" from being
installed on a system? I could imagine someone seeing dracut on a system
and then using it to build their initramfs (which I assume is an
unsupported configuration).

If someone accidentally installs too many of the binary packages, what
are the consequences of this action?

Is promoting one package likely to make this mistake more likely?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dracut in Ubuntu.
Matching subscriptions: dracut
https://bugs.launchpad.net/bugs/2031304

Title:
  [MIR] dracut

Status in dracut package in Ubuntu:
  Fix Committed

Bug description:
  [Availability]
  The package dracut is already in Ubuntu universe.
  The package dracut builds for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
  Link to package https://launchpad.net/ubuntu/+source/dracut

  [Rationale]
  The package dracut is required in Ubuntu main for dracut-install being used by initramfs-tools (bug #2031185).
  The C binary dracut-install covers the same use case as the shell code in initramfs-tools to install kernel modules and files, but is much faster and allows finer filtering of the kernel modules.

  To my knowledge there are only initramfs-tools (main) and dracut
  (universe) in the archive that cover the use case. initramfs-tools is
  Debian-specific and dracut tries to be a distro-agnostic solution.

  dracut-core is already used by Ubuntu Core:
  https://github.com/snapcore/core-initrd/

  The package dracut is required in Ubuntu main before the feature freeze next
  Thursday to land the change in bug #2031185.

  [Security]
  - Had 5 security issues in the past
    - https://ubuntu.com/security/CVE-2016-8637 can disclose local information
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484 (issue in cryptsetup package, not dracut)
    - https://ubuntu.com/security/CVE-2015-0794 seems to be a SuSE specific issue
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0267 allows local users to write to arbitrary files via a symlink attack (probably Red Hat specific)
    - https://ubuntu.com/security/CVE-2012-4453 creates initramfs images with world-readable permissions
    - https://ubuntu.com/security/CVE-2010-4176 allows remote authenticated users to read terminal data from tty0 for local users (but vulnerable script not shipped)
  - no `suid` or `sgid` binaries
  - Package does install services, timers or recurring jobs (used by initrd.target.wants or sysinit.target.wants):
    - /lib/systemd/system/dracut-cmdline.service
    - /lib/systemd/system/dracut-initqueue.service
    - /lib/systemd/system/dracut-mount.service
    - /lib/systemd/system/dracut-pre-mount.service
    - /lib/systemd/system/dracut-pre-pivot.service
    - /lib/systemd/system/dracut-pre-trigger.service
    - /lib/systemd/system/dracut-pre-udev.service
    - /lib/systemd/system/dracut-shutdown-onfailure.service
    - /lib/systemd/system/dracut-shutdown.service
  - Package does not open privileged ports (ports < 1024).
  - Package does not expose any external endpoints
  - Package does not contain extensions to security-sensitive software
    (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does
    not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dracut/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dracut
    - Upstream's bug tracker: https://github.com/dracutdevs/dracut/issues
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package does not run a test at build time because the upstream test suite starts several virtual machines (needing time and memory). The test suite needs a kernel, but the linux kernel is only readable by root (see bug #759725)
  - The package runs an autopkgtest, and is currently passing on
    amd64: https://autopkgtest.ubuntu.com/results/autopkgtest-mantic/mantic/amd64/d/dracut/20230816_015908_d6cb2@/log.gz
  - I am working on fixing the new autopkgtests on the other architectures (see bug #2031417).

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field
  - Lintian overrides are not present
  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies
  - The package will be installed by default, but does not ask debconf
    questions higher than medium
  - Packaging and build is easy, link to debian/rules: https://salsa.debian.org/debian/dracut/-/blob/master/debian/rules

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main except for pigz that we should drop/demote

  [Standards compliance]
  - This package violates FHS or Debian Policy:
    - Installs into /usr/lib instead of /usr/libexec, but that is what upstream and other distributions (e.g. Fedora) do

  [Maintenance/Owner]
  - Owning Team will be Foundations team
  - Foundations Team is not yet subscribed, but will subscribe to the package before promotion
  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based (but that might change in the future)
  - The package has been built in the archive more recently than the last
    test rebuild

  [Background information]
  The package description explains the package well
  Upstream Name is dracut
  Link to upstream project: https://github.com/dracutdevs/dracut/wiki/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dracut/+bug/2031304/+subscriptions