* Security Advisory: Unprivileged user ownership of trusted repository GPG public keys storage after bootstrap
@ 2026-06-18 15:24 Zhihang Wei
2026-06-18 15:24 ` [PATCH 1/1] mmdebstrap: ensure apt keystore is owned by root Zhihang Wei
0 siblings, 1 reply; 2+ messages in thread
From: Zhihang Wei @ 2026-06-18 15:24 UTC (permalink / raw)
To: isar-users; +Cc: felix.moessbauer
Hello all,
A security advisory has been published at [1].
The patch fixing this issue, "[PATCH] mmdebstrap: ensure apt keystore is owned by root", is included in this series.
The patch has been tested and applied to next already.
[1] https://github.com/ilbers/isar/security/advisories/GHSA-rq66-pfw5-whqq
Best,
Zhihang
Felix Moessbauer (1):
mmdebstrap: ensure apt keystore is owned by root
meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc | 1 +
1 file changed, 1 insertion(+)
--
2.39.5
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260618152439.3884748-1-wzh%40ilbers.de.
^ permalink raw reply [flat|nested] 2+ messages in thread
* [PATCH 1/1] mmdebstrap: ensure apt keystore is owned by root
2026-06-18 15:24 Security Advisory: Unprivileged user ownership of trusted repository GPG public keys storage after bootstrap Zhihang Wei
@ 2026-06-18 15:24 ` Zhihang Wei
0 siblings, 0 replies; 2+ messages in thread
From: Zhihang Wei @ 2026-06-18 15:24 UTC (permalink / raw)
To: isar-users; +Cc: felix.moessbauer
From: Felix Moessbauer <felix.moessbauer@siemens.com>
We currently create the /etc/apt/trusted.gpg.d manually during bootstrap
setup to be able to deploy local keys. By that, the directory is owned
by the calling user (the one that executes isar) instead of root.
If the calling user's id is identical to one of an unprivileged user
inside the image, this user is able to alter existing keys and deploy
new ones, silently breaking the apt repo integrity protection.
We fix this by manually chowning the directory to root:root in the setup
step.
Fixes: 9ae41e03 ("mmdebstrap: Move preparations to hooks")
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
index cef953ef..e746f469 100644
--- a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
+++ b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
@@ -232,6 +232,7 @@ do_bootstrap() {
--setup-hook='upload "${WORKDIR}/locale" /etc/locale' \
--setup-hook='mkdir -p "$1/etc/apt/trusted.gpg.d"' \
--setup-hook='sync-in "${WORKDIR}/trusted.gpg.d" /etc/apt/trusted.gpg.d' \
+ --setup-hook='chown -R root:root "$1/etc/apt/trusted.gpg.d"' \
--setup-hook='install -v -m755 "${WORKDIR}/chroot-setup.sh" "$1/chroot-setup.sh"' \
--extract-hook="$extra_extract" \
--essential-hook="$extra_essential" \
--
2.39.5
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260618152439.3884748-2-wzh%40ilbers.de.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-18 15:24 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-18 15:24 Security Advisory: Unprivileged user ownership of trusted repository GPG public keys storage after bootstrap Zhihang Wei
2026-06-18 15:24 ` [PATCH 1/1] mmdebstrap: ensure apt keystore is owned by root Zhihang Wei
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox