Package: udev Version: 0.103-1 Severity: critical Tags: security Justification: root security hole
Hi there, Just noticed that udev sets the group of the hard disks to 'floppy' making them r/w to this group (actually, tiger noticed it): brw-rw---- 1 root floppy 8, 0 Dec 29 11:25 /dev/sda brw-rw---- 1 root floppy 8, 1 Dec 29 11:25 /dev/sda1 brw-rw---- 1 root floppy 8, 2 Dec 29 11:25 /dev/sda2 brw-rw---- 1 root floppy 8, 5 Dec 29 11:25 /dev/sda5 brw-rw---- 1 root floppy 8, 6 Dec 29 11:25 /dev/sda6 brw-rw---- 1 root floppy 8, 16 Dec 29 11:25 /dev/sdb brw-rw---- 1 root floppy 8, 17 Dec 29 11:25 /dev/sdb1 brw-rw---- 1 root floppy 8, 32 Dec 29 11:25 /dev/sdc brw-rw---- 1 root floppy 8, 33 Dec 29 11:25 /dev/sdc1 brw-rw---- 1 root floppy 8, 48 Dec 29 11:25 /dev/sdd brw-rw---- 1 root floppy 8, 49 Dec 29 11:25 /dev/sdd1 brw-rw---- 1 root floppy 8, 50 Dec 29 11:25 /dev/sdd2 The machine has a hardware raid controller: 0000:02:01.0 RAID bus controller: Adaptec AAC-RAID (rev 01) udevinfo gives this: looking at device '/block/sda': KERNEL=="sda" SUBSYSTEM=="block" DRIVER=="" ATTR{stat}==" 3560 800 197252 27816 2406 4639 56368 392728 0 31056 420544" ATTR{size}=="20971776" ATTR{removable}=="1" ATTR{range}=="16" ATTR{dev}=="8:0" looking at parent device '/devices/pci0000:00/0000:00:1c.0/0000:02:01.0/host0/target0:0:0/0:0:0:0': KERNELS=="0:0:0:0" SUBSYSTEMS=="scsi" DRIVERS=="sd" ATTRS{ioerr_cnt}=="0x0" ATTRS{iodone_cnt}=="0x1771" ATTRS{iorequest_cnt}=="0x1771" ATTRS{iocounterbits}=="32" ATTRS{timeout}=="30" ATTRS{state}=="running" ATTRS{rev}=="V1.0" ATTRS{model}=="linux " ATTRS{vendor}=="Adaptec " ATTRS{scsi_level}=="3" ATTRS{type}=="0" ATTRS{queue_type}=="ordered" ATTRS{queue_depth}=="256" ATTRS{device_blocked}=="0" looking at parent device '/devices/pci0000:00/0000:00:1c.0/0000:02:01.0/host0/target0:0:0': KERNELS=="target0:0:0" SUBSYSTEMS=="" DRIVERS=="" looking at parent device '/devices/pci0000:00/0000:00:1c.0/0000:02:01.0/host0': KERNELS=="host0" SUBSYSTEMS=="" DRIVERS=="" looking at parent device '/devices/pci0000:00/0000:00:1c.0/0000:02:01.0': KERNELS=="0000:02:01.0" SUBSYSTEMS=="pci" DRIVERS=="aacraid" ATTRS{broken_parity_status}=="0" ATTRS{enable}=="1" ATTRS{modalias}=="pci:v00009005d00000285sv00009005sd00000290bc01sc04i00" ATTRS{local_cpus}=="ff" ATTRS{irq}=="169" ATTRS{class}=="0x010400" ATTRS{subsystem_device}=="0x0290" ATTRS{subsystem_vendor}=="0x9005" ATTRS{device}=="0x0285" ATTRS{vendor}=="0x9005" looking at parent device '/devices/pci0000:00/0000:00:1c.0': KERNELS=="0000:00:1c.0" SUBSYSTEMS=="pci" DRIVERS=="" ATTRS{broken_parity_status}=="0" ATTRS{enable}=="1" ATTRS{modalias}=="pci:v00008086d000025AEsv00000000sd00000000bc06sc04i00" ATTRS{local_cpus}=="ff" ATTRS{irq}=="0" ATTRS{class}=="0x060400" ATTRS{subsystem_device}=="0x0000" ATTRS{subsystem_vendor}=="0x0000" ATTRS{device}=="0x25ae" ATTRS{vendor}=="0x8086" looking at parent device '/devices/pci0000:00': KERNELS=="pci0000:00" SUBSYSTEMS=="" DRIVERS=="" Notice the 'aacraid' and 'adaptec' values that identify the hardware raid controller and the 'removable flag. I believe that this is not a misconfiguration of me and I don't have access to another machine with a hardware raid controller to test it there. I've classified this as a serious security hole, since the first user that is created when installing debian is in group 'floopy' and thus he may get superuser privileges in many ways and cause total data loss. Thanks in advance... -- Package-specific info: -- /etc/udev/rules.d/: /etc/udev/rules.d/: total 4 lrwxrwxrwx 1 root root 20 2006-02-03 14:43 020_permissions.rules -> ../permissions.rules lrwxrwxrwx 1 root root 13 2006-02-03 14:43 udev.rules -> ../udev.rules lrwxrwxrwx 1 root root 25 2006-04-16 12:47 z20_persistent-input.rules -> ../persistent-input.rules lrwxrwxrwx 1 root root 19 2006-02-03 14:43 z20_persistent.rules -> ../persistent.rules -rw-r--r-- 1 root root 605 2006-09-20 20:36 z25_persistent-net.rules lrwxrwxrwx 1 root root 33 2006-05-28 15:54 z45_persistent-net-generator.rules -> ../persistent-net-generator.rules lrwxrwxrwx 1 root root 12 2006-02-03 14:43 z50_run.rules -> ../run.rules lrwxrwxrwx 1 root root 16 2006-02-03 14:43 z55_hotplug.rules -> ../hotplug.rules lrwxrwxrwx 1 root root 29 2006-09-20 20:36 z75_cd-aliases-generator.rules -> ../cd-aliases-generator.rules -- /sys/: /sys/block/ram0/dev /sys/block/ram10/dev /sys/block/ram11/dev /sys/block/ram12/dev /sys/block/ram13/dev /sys/block/ram14/dev /sys/block/ram15/dev /sys/block/ram1/dev /sys/block/ram2/dev /sys/block/ram3/dev /sys/block/ram4/dev /sys/block/ram5/dev /sys/block/ram6/dev /sys/block/ram7/dev /sys/block/ram8/dev /sys/block/ram9/dev /sys/block/sda/dev /sys/block/sda/sda1/dev /sys/block/sda/sda2/dev /sys/block/sda/sda5/dev /sys/block/sda/sda6/dev /sys/block/sdb/dev /sys/block/sdb/sdb1/dev /sys/block/sdc/dev /sys/block/sdc/sdc1/dev /sys/block/sdd/dev /sys/block/sdd/sdd1/dev /sys/block/sdd/sdd2/dev /sys/class/graphics/fb0/dev /sys/class/i2c-dev/i2c-0/dev /sys/class/input/input0/event0/dev /sys/class/input/input1/event1/dev /sys/class/input/input2/event2/dev /sys/class/input/input2/mouse0/dev /sys/class/input/input2/ts0/dev /sys/class/input/mice/dev /sys/class/misc/hpet/dev /sys/class/misc/psaux/dev /sys/class/misc/snapshot/dev /sys/class/misc/watchdog/dev /sys/class/usb_device/usbdev1.1/dev /sys/class/usb_device/usbdev2.1/dev /sys/class/usb_device/usbdev3.1/dev /sys/devices/pci0000:00/0000:00:1d.0/usb2/2-0:1.0/usbdev2.1_ep81/dev /sys/devices/pci0000:00/0000:00:1d.0/usb2/usbdev2.1_ep00/dev /sys/devices/pci0000:00/0000:00:1d.1/usb3/3-0:1.0/usbdev3.1_ep81/dev /sys/devices/pci0000:00/0000:00:1d.1/usb3/usbdev3.1_ep00/dev /sys/devices/pci0000:00/0000:00:1d.7/usb1/1-0:1.0/usbdev1.1_ep81/dev /sys/devices/pci0000:00/0000:00:1d.7/usb1/usbdev1.1_ep00/dev -- Kernel configuration: -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.18-3-686 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Versions of packages udev depends on: ii debconf [debconf-2.0] 1.4.30.13 Debian configuration management sy ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries ii libselinux1 1.32-3 SELinux shared libraries ii libvolume-id0 0.103-1 libvolume_id shared library ii lsb-base 3.1-22 Linux Standard Base 3.1 init scrip -- debconf information: udev/new_kernel_needed: false udev/reboot_needed: -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]