[MIR] dracut

Bug #2031304 reported by Benjamin Drung
Affects: dracut (Ubuntu) | Status: Fix Committed | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

[Availability]
The package dracut is already in Ubuntu universe.
The package dracut builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/dracut

[Rationale]
The package dracut is required in Ubuntu main for dracut-install being used by initramfs-tools (bug #2031185).
The C binary dracut-install covers the same use case as the shell code in initramfs-tools to install kernel modules and files, but is much faster and allows finer filtering of the kernel modules.

To my knowledge there are only initramfs-tools (main) and dracut (universe) in the archive that cover the use case. initramfs-tools is Debian-specific and dracut tries to be a distro-agnostic solution.

dracut-core is already used by Ubuntu Core: https://github.com/snapcore/core-initrd/

The package dracut is required in Ubuntu main before the feature freeze next Thursday to land the change in bug #2031185.

[Security]
- Had 5 security issues in the past
  - https://ubuntu.com/security/CVE-2016-8637 can disclose local information
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484 (issue in cryptsetup package, not dracut)
  - https://ubuntu.com/security/CVE-2015-0794 seems to be a SuSE specific issue
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0267 allows local users to write to arbitrary files via a symlink attack (probably Red Hat specific)
  - https://ubuntu.com/security/CVE-2012-4453 creates initramfs images with world-readable permissions
  - https://ubuntu.com/security/CVE-2010-4176 allows remote authenticated users to read terminal data from tty0 for local users (but vulnerable script not shipped)
- no `suid` or `sgid` binaries
- Package does install services, timers or recurring jobs (used by initrd.target.wants or sysinit.target.wants):
  - /lib/systemd/system/dracut-cmdline.service
  - /lib/systemd/system/dracut-initqueue.service
  - /lib/systemd/system/dracut-mount.service
  - /lib/systemd/system/dracut-pre-mount.service
  - /lib/systemd/system/dracut-pre-pivot.service
  - /lib/systemd/system/dracut-pre-trigger.service
  - /lib/systemd/system/dracut-pre-udev.service
  - /lib/systemd/system/dracut-shutdown-onfailure.service
  - /lib/systemd/system/dracut-shutdown.service
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
  not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dracut/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dracut
  - Upstream's bug tracker: https://github.com/dracutdevs/dracut/issues
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package does not run a test at build time because the upstream test suite starts several virtual machines (needing time and memory). The test suite needs a kernel, but the linux kernel is only readable by root (see bug #759725)
- The package runs an autopkgtest, and is currently passing on
  amd64: https://autopkgtest.ubuntu.com/results/autopkgtest-mantic/mantic/amd64/d/dracut/20230816_015908_d6cb2@/log.gz
- I am working on fixing the new autopkgtests on the other architectures (see bug #2031417).

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
  questions higher than medium
- Packaging and build is easy, link to debian/rules: https://salsa.debian.org/debian/dracut/-/blob/master/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main except for pigz that we should drop/demote

[Standards compliance]
- This package violates FHS or Debian Policy:
  - Installs into /usr/lib instead of /usr/libexec but that is what upstream and other distribution (e.g. Fedora) do

[Maintenance/Owner]
- Owning Team will be Foundations team
- The Foundations Team is not yet subscribed, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based (but that might change in the future)
- The package has been built in the archive more recently than the last
  test rebuild

[Background information]
The Package description explains the package well
Upstream Name is dracut
Link to upstream project: https://github.com/dracutdevs/dracut/wiki/
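A defender's check for the failure class listed under [Security] as CVE-2012-4453 (initramfs images created world-readable), added here as an example; it is not code from the bug report or from the dracut project. It assumes GNU `stat` and a directory passed as argument; `demo_tree` builds a constructed sample tree so the check can be exercised without touching /boot.

```sh
#!/bin/sh
# Added example, not from the bug report or the dracut project: a defender's
# check for the failure class behind CVE-2012-4453 (initramfs images created
# world-readable). An initrd embeds copies of host files, so "other" read
# access on it exposes whatever was packed in.

# check_initrd_perms DIR: report every initrd image under DIR whose mode
# grants read access to "other". Returns 0 if none does, 1 otherwise.
check_initrd_perms() {
    dir=$1
    status=0
    for img in "$dir"/initrd.img-* "$dir"/initramfs-*.img; do
        [ -f "$img" ] || continue   # unmatched glob stays literal; skip it
        mode=$(stat -c %a "$img")   # octal mode, e.g. 600 or 644 (GNU stat)
        case $mode in
            *[4-7]) echo "world-readable: $img (mode $mode)"; status=1 ;;
        esac
    done
    return $status
}

# demo_tree: build a constructed sample directory with one correctly
# restricted image and one world-readable image, and print its path.
demo_tree() {
    t=$(mktemp -d)
    : > "$t/initrd.img-6.5.0-sample"
    chmod 0600 "$t/initrd.img-6.5.0-sample"
    : > "$t/initrd.img-6.5.0-leaky"
    chmod 0644 "$t/initrd.img-6.5.0-leaky"
    echo "$t"
}

# Stand-alone usage: sh check_initrd.sh /boot
if [ -n "${1:-}" ]; then
    if check_initrd_perms "$1"; then
        echo "OK: no world-readable initrd images under $1"
    fi
fi
```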

Changed in dracut (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Benjamin Drung (bdrung)
description: updated
Benjamin Drung (bdrung)
description: updated
Christian Ehrhardt  (paelzer) wrote :

Review for Source Package: dracut

[Summary]
MIR team ACK under the complex constraints listed below.

This does need a security review, or not, well ....
It really depends on the scope - the current requested scope is just
'dracut-install' which would be fine if fully separated.

Otherwise (read if later anyone wants to use more of dracut) it would need
security review as outlined in the security section below.

List of specific binary packages to be promoted to main: (?dracut-install?)
Specific binary packages built, but NOT to be promoted to main: all others

Required TODOs:
#1 - I mentioned above this would need security review and much more if
     staying as-is.
     I'm really just looking for a good compromise for you, tell me if you
     strongly dislike this :-)
     And I'm afraid that even just functionally no one had time yet to deeply
     test all the potential interactions with the many Ubuntu packages this
     could interact and depends on.
     I wanted to ask you what you would think of breaking out
     /usr/lib/dracut/dracut-install into a 'dracut-install' binary package.
     Make it a depends of dracut-core to not break the former use-case in
     universe.
     With that in place I think we could agree on promoting just dracut-install
     to main without the full security-review needed now.
     To use more of dracut you can then take your time in further cycles.

Update:
- bdrung and I talked, we will separate dracut-install to pass for now.
- but we will enqueue it into security-review as well as having a look
  at all the "later TODOs" plus evaluating dracut for Ubuntu in general.
- Overall that decouples the current urgent needs from the
  good-but-ok-to-happen-later elements

Recommended TODOs:
#2 - The package should get a team bug subscriber before being promoted

Later TODOs:
This MIR is a special case as I'm reviewing with urgency and a very reduced
use-case in mind. But passing along I've found a few things which should be
looked at once we want to use more of dracut.
Most of this is "recommended" todo, but should be looked at.

#3 - for now it makes the process and build easier to not use dracut-cpio
     but since this is done for speed (which here really means both
     boot time and initramfs update time) it might be worth experimenting and
     looking at the difference that this might give us.
     https://github.com/dracutdevs/dracut/commit/51d21c6b37
     https://github.com/dracutdevs/dracut/commit/afe4a6dbb7
     This would be part of "we look at the whole thing" efforts as
     we can't be sure yet if it really helps our case.

#4 - Since this generally, and especially once introduced for more use cases
     than just dracut-install, will surely hit some edge cases and break,
     I think this might be a case to have a look at translations.

#5 - resolve netplan interaction in bug 2019940

#6 - please demote pigz to a suggests (or even better consider adding it to main
     as the rationale behind this is speed and this should make creation
     a bit faster as well)
     This is not needed for just dracut-install if split out.

[Duplication]
The only other package in main providing similar...


Christian Ehrhardt  (paelzer) wrote :

Back to bdrung for the agreed steps before being able to promote.

Changed in dracut (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → Benjamin Drung (bdrung)
status: New → Incomplete
Benjamin Drung (bdrung) wrote :

I just uploaded dracut 059-4ubuntu2 to split out dracut-install. I'll prepare the initramfs-tools change now.

Benjamin Drung (bdrung)
Changed in dracut (Ubuntu):
assignee: Benjamin Drung (bdrung) → nobody
status: Incomplete → New
Christian Ehrhardt  (paelzer) wrote :

This now correctly shows up as component mismatch.
What is missing to promote src:dracut and bin:dracut-install is the subscription of foundation-bugs to src:dracut

Changed in dracut (Ubuntu):
status: New → In Progress
status: In Progress → Fix Committed
Benjamin Drung (bdrung) wrote :

foundations-bugs is now subscribed to src:dracut

Christian Ehrhardt  (paelzer) wrote :

Thanks, this is now ready for the agreed reduced set

Override component to main
dracut 059-4ubuntu2 in mantic: universe/utils -> main
Override [y|N]? y
1 publication overridden.

Override component to main
dracut-install 059-4ubuntu2 in mantic amd64: universe/utils/optional/100% -> main
dracut-install 059-4ubuntu2 in mantic arm64: universe/utils/optional/100% -> main
dracut-install 059-4ubuntu2 in mantic armhf: universe/utils/optional/100% -> main
dracut-install 059-4ubuntu2 in mantic ppc64el: universe/utils/optional/100% -> main
dracut-install 059-4ubuntu2 in mantic riscv64: universe/utils/optional/100% -> main
dracut-install 059-4ubuntu2 in mantic s390x: universe/utils/optional/100% -> main
Override [y|N]? y
6 publications overridden.

With that done, it now enters the "second phase".
Which is "how about promoting more of src:dracut".
For that bdrung will work on the list of TODOs out of the MIR review and ping back once all of them would be ready for re-evaluation.
While at that, this can enter the security review queue (assigning to ubuntu-security).
Overall the state goes back to "new" for this.

Changed in dracut (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Seth Arnold (seth-arnold) wrote :

How do we protect against / prevent "the wrong dracut packages" from being installed on a system? I could imagine someone seeing dracut on a system and then using it to build their initramfs (which I assume is an unsupported configuration).

If someone accidentally installs too many of the binary packages, what are the consequences of this action?

Is promoting one package likely to make this mistake more likely?

Thanks

Benjamin Drung (bdrung) wrote :

Installing any of the dracut binary packages except the dracut binary package itself does not do much on its own. You can run dracut manually to generate an initrd, but the kernel hook from initramfs-tools is used to generate the initrd on kernel upgrades.

Installing the dracut binary package on the other hand will provide a kernel hook but also remove initramfs-tools (since it declares a conflict on it). In that case the users would probably get a working initrd, but they will get into unsupported territory.

Nishit Majithia (0xnishit) wrote :

I reviewed dracut 059-4ubuntu2 as checked into mantic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

dracut is used to create an initramfs image by copying tools and files from
an installed system and combining it with the dracut framework, usually
found in /usr/lib/dracut/modules.d.

- CVE History
  - CVE-2010-4176(high) - Ubuntu package not-affected
  - CVE-2012-4453(low) - Ubuntu package not-affected
  - CVE-2015-0794(low) - Ubuntu package not-affected
  - CVE-2016-8637(medium) - Ubuntu package not-affected
- Build-Depends (from debian/control)
  - debhelper-compat (= 12), debhelper, asciidoc-base, xsltproc, docbook-xsl,
    docbook-xml, quilt, libkmod-dev, pkg-config, cpio, kmod, udev, kpartx,
    libkmod2, e2fsprogs
- pre/post inst/rm scripts
  - There are two scripts found
  a) postinst script: This script is designed to regenerate initramfs for
     all installed Linux kernel versions on a Debian-based system. It uses
     trigger mechanisms to do so, and it can be manually invoked as well.
     This kind of script is typically used to ensure that the initramfs is
     updated when new kernels are installed or updated on the system,
     ensuring a smooth boot process.
  b) postrm script: This script is designed to clean up log files
     associated with the "dracut" process when invoked with the "purge"
     argument. It removes log files matching the pattern /var/log/dracut.log
     and then exits with a success status. This type of script can be useful
     for maintenance tasks related to package management or log file
     management.
- init scripts
  - NA
- systemd units
  - dracut-core and dracut-network
    - `/usr/lib/dracut/modules.d/` dir contains various modules used by
      dracut during the initramfs generation process. Each subdirectory
      represents a module, and these modules can add specific functionality
      or configurations to the initramfs.
    - `/lib/systemd/system/` dir contains systemd service unit files. These
      service unit files are symlinked to specific services and targets
      related to dracut. They define how systemd manages dracut related
      services during the system boot process.
    - `/usr/lib/dracut/modules.d/*` directory appears to be a dracut module
      related to systemd integration
    - `module-setup.sh` files are shell scripts used by the dracut modules
      to configure and set up specific functionalities in the initramfs.
      The scripts likely define how the modules should behave during the
      initramfs generation process.
    - Overall, these files and directories are part of the integration of
      dracut and systemd, and they contribute to the generation and
      management of the initramfs during the system boot process. Each
      module and service has a specific role in ensuring that the initramfs
      is correctly configured and functions as needed during the boot
      sequence.
- dbus services
  - NA
- setuid binaries
  - NA
- binaries in PATH
  - -rwxr-xr-x root/root 98202 2023-08-22 20:04 ./usr/bin/dracut
  - -rwxr-xr-x root/root 3693 2023-08-22 20:04 ./usr/bin/dracut-catimages
  - -rwxr-xr-x root/ro...


Changed in dracut (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody