Security Advisory: Unprivileged user ownership of trusted repository GPG public keys storage after bootstrap


Zhihang Wei

Jun 18, 2026, 11:24:43 AM
to isar-...@googlegroups.com, felix.mo...@siemens.com
Hello all,

A security advisory has been published at [1].

The patch fixing this issue, "[PATCH] mmdebstrap: ensure apt keystore is owned by root", is included in this series.

The patch has been tested and applied to next already.

[1] https://github.com/ilbers/isar/security/advisories/GHSA-rq66-pfw5-whqq

Best,
Zhihang

Felix Moessbauer (1):
mmdebstrap: ensure apt keystore is owned by root

meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc | 1 +
1 file changed, 1 insertion(+)

--
2.39.5

Zhihang Wei

Jun 18, 2026, 11:24:43 AM
to isar-...@googlegroups.com, felix.mo...@siemens.com
From: Felix Moessbauer <felix.mo...@siemens.com>

We currently create the /etc/apt/trusted.gpg.d manually during bootstrap
setup to be able to deploy local keys. By that, the directory is owned
by the calling user (the one that executes isar) instead of root.

If the calling user's id is identical to one of an unprivileged user
inside the image, this user is able to alter existing keys and deploy
new ones, silently breaking the apt repo integrity protection.

We fix this by manually chowning the directory to root:root in the setup
step.

Fixes: 9ae41e03 ("mmdebstrap: Move preparations to hooks")
Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc | 1 +
1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
index cef953ef..e746f469 100644
--- a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
+++ b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
@@ -232,6 +232,7 @@ do_bootstrap() {
--setup-hook='upload "${WORKDIR}/locale" /etc/locale' \
--setup-hook='mkdir -p "$1/etc/apt/trusted.gpg.d"' \
--setup-hook='sync-in "${WORKDIR}/trusted.gpg.d" /etc/apt/trusted.gpg.d' \
+ --setup-hook='chown -R root:root "$1/etc/apt/trusted.gpg.d"' \
--setup-hook='install -v -m755 "${WORKDIR}/chroot-setup.sh" "$1/chroot-setup.sh"' \
--extract-hook="$extra_extract" \
--essential-hook="$extra_essential" \
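
Review bot: The added chown -R root:root "$1/etc/apt/trusted.gpg.d" hook covers only the leaf directory, while the mkdir -p hook two lines above it also creates any missing parent directories ("$1/etc/apt" and possibly "$1/etc") as the calling user. If those parents do not already exist at this point in the setup hooks, they stay owned by that user, and a matching uid inside the image could rename or replace trusted.gpg.d despite this fix. Consider chowning "$1/etc/apt" as well, or creating the directories with install -d -o root -g root -m 0755 instead of mkdir -p. The chown also leaves the mode bits of the synced-in key files as they were in ${WORKDIR}/trusted.gpg.d, so a short comment in the recipe stating why the chown is needed and which modes are expected would help future readers.
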
--
2.39.5
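
The ownership problem described in the commit message above can be checked on an already built image. The following is an added example, not part of the patch or of the Isar project: a Python audit that walks an unpacked root filesystem and reports every entry in or above /etc/apt/trusted.gpg.d that is not owned by the trusted uid/gid or is group/other-writable. The function name `audit_keystore` and its `trusted_uid`/`trusted_gid` parameters are assumptions made for this example.

```python
import os
import stat
import sys

KEYSTORE = "etc/apt/trusted.gpg.d"  # path relative to the unpacked rootfs


def audit_keystore(rootfs, trusted_uid=0, trusted_gid=0):
    """Return a list of (relative_path, problem) for the apt keystore in rootfs."""
    keystore = os.path.join(rootfs, KEYSTORE)
    if not os.path.isdir(keystore):
        return [(KEYSTORE, "missing")]

    # Parents matter as well: whoever can write to etc/ or etc/apt/ can
    # rename or replace the keystore directory itself.
    paths = [os.path.join(rootfs, "etc"), os.path.join(rootfs, "etc/apt"), keystore]
    for dirpath, dirnames, filenames in os.walk(keystore):
        paths += [os.path.join(dirpath, name) for name in dirnames + filenames]

    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: judge a symlink itself, not its target
        rel = os.path.relpath(path, rootfs)
        if st.st_uid != trusted_uid or st.st_gid != trusted_gid:
            findings.append((rel, f"owner {st.st_uid}:{st.st_gid}"))
        writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        if writable and not stat.S_ISLNK(st.st_mode):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((rel, f"mode {mode:04o} is group/other-writable"))
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_keystore.py /path/to/unpacked/rootfs
    problems = audit_keystore(sys.argv[1])
    for rel, problem in problems:
        print(f"{rel}: {problem}")
    sys.exit(1 if problems else 0)
```

Run it against a rootfs unpacked with ownership preserved (for example as root or under fakeroot), otherwise every file appears owned by the extracting user.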
