Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

2006-12-29 Thread Stefanos Harhalakis
Package: udev
Version: 0.103-1
Severity: critical
Tags: security
Justification: root security hole


Hi there,

  Just noticed that udev sets the group of the hard disks to 'floppy'
  making them r/w to this group (actually, tiger noticed it):

brw-rw  1 root floppy 8,  0 Dec 29 11:25 /dev/sda
brw-rw  1 root floppy 8,  1 Dec 29 11:25 /dev/sda1
brw-rw  1 root floppy 8,  2 Dec 29 11:25 /dev/sda2
brw-rw  1 root floppy 8,  5 Dec 29 11:25 /dev/sda5
brw-rw  1 root floppy 8,  6 Dec 29 11:25 /dev/sda6
brw-rw  1 root floppy 8, 16 Dec 29 11:25 /dev/sdb
brw-rw  1 root floppy 8, 17 Dec 29 11:25 /dev/sdb1
brw-rw  1 root floppy 8, 32 Dec 29 11:25 /dev/sdc
brw-rw  1 root floppy 8, 33 Dec 29 11:25 /dev/sdc1
brw-rw  1 root floppy 8, 48 Dec 29 11:25 /dev/sdd
brw-rw  1 root floppy 8, 49 Dec 29 11:25 /dev/sdd1
brw-rw  1 root floppy 8, 50 Dec 29 11:25 /dev/sdd2

  The machine has a hardware raid controller:

:02:01.0 RAID bus controller: Adaptec AAC-RAID (rev 01)

  udevinfo gives this:

  looking at device '/block/sda':
KERNEL=="sda"
SUBSYSTEM=="block"
DRIVER==""
ATTR{stat}=="3560  800   19725227816 2406 463956368 392728031056   420544"
ATTR{size}=="20971776"
ATTR{removable}=="1"
ATTR{range}=="16"
ATTR{dev}=="8:0"

  looking at parent device '/devices/pci:00/:00:1c.0/:02:01.0/host0/target0:0:0/0:0:0:0':
KERNELS=="0:0:0:0"
SUBSYSTEMS=="scsi"
DRIVERS=="sd"
ATTRS{ioerr_cnt}=="0x0"
ATTRS{iodone_cnt}=="0x1771"
ATTRS{iorequest_cnt}=="0x1771"
ATTRS{iocounterbits}=="32"
ATTRS{timeout}=="30"
ATTRS{state}=="running"
ATTRS{rev}=="V1.0"
ATTRS{model}=="linux   "
ATTRS{vendor}=="Adaptec "
ATTRS{scsi_level}=="3"
ATTRS{type}=="0"
ATTRS{queue_type}=="ordered"
ATTRS{queue_depth}=="256"
ATTRS{device_blocked}=="0"

  looking at parent device '/devices/pci:00/:00:1c.0/:02:01.0/host0/target0:0:0':
KERNELS=="target0:0:0"
SUBSYSTEMS==""
DRIVERS==""

  looking at parent device '/devices/pci:00/:00:1c.0/:02:01.0/host0':
KERNELS=="host0"
SUBSYSTEMS==""
DRIVERS==""

  looking at parent device '/devices/pci:00/:00:1c.0/:02:01.0':
KERNELS==":02:01.0"
SUBSYSTEMS=="pci"
DRIVERS=="aacraid"
ATTRS{broken_parity_status}=="0"
ATTRS{enable}=="1"
ATTRS{modalias}=="pci:v9005d0285sv9005sd0290bc01sc04i00"
ATTRS{local_cpus}=="ff"
ATTRS{irq}=="169"
ATTRS{class}=="0x010400"
ATTRS{subsystem_device}=="0x0290"
ATTRS{subsystem_vendor}=="0x9005"
ATTRS{device}=="0x0285"
ATTRS{vendor}=="0x9005"

  looking at parent device '/devices/pci:00/:00:1c.0':
KERNELS==":00:1c.0"
SUBSYSTEMS=="pci"
DRIVERS==""
ATTRS{broken_parity_status}=="0"
ATTRS{enable}=="1"
ATTRS{modalias}=="pci:v8086d25AEsvsdbc06sc04i00"
ATTRS{local_cpus}=="ff"
ATTRS{irq}=="0"
ATTRS{class}=="0x060400"
ATTRS{subsystem_device}=="0x"
ATTRS{subsystem_vendor}=="0x"
ATTRS{device}=="0x25ae"
ATTRS{vendor}=="0x8086"

  looking at parent device '/devices/pci:00':
KERNELS=="pci:00"
SUBSYSTEMS==""
DRIVERS==""

  Notice the 'aacraid' and 'adaptec' values that identify the hardware
  raid controller and the 'removable' flag. I believe that this is not
  a misconfiguration on my part and I don't have access to another machine
  with a hardware raid controller to test it there.

  I've classified this as a serious security hole, since the first user
  that is created when installing Debian is in group 'floppy' and thus
  he may get superuser privileges in many ways and cause total data
  loss.

  Thanks in advance...

-- Package-specific info:
-- /etc/udev/rules.d/:
/etc/udev/rules.d/:
total 4
lrwxrwxrwx  1 root root  20 2006-02-03 14:43 020_permissions.rules -> ../permissions.rules
lrwxrwxrwx  1 root root  13 2006-02-03 14:43 udev.rules -> ../udev.rules
lrwxrwxrwx  1 root root  25 2006-04-16 12:47 z20_persistent-input.rules -> ../persistent-input.rules
lrwxrwxrwx  1 root root  19 2006-02-03 14:43 z20_persistent.rules -> ../persistent.rules
-rw-r--r--  1 root root 605 2006-09-20 20:36 z25_persistent-net.rules
lrwxrwxrwx  1 root root  33 2006-05-28 15:54 z45_persistent-net-generator.rules -> ../persistent-net-generator.rules
lrwxrwxrwx  1 root root  12 2006-02-03 14:43 z50_run.rules -> ../run.rules
lrwxrwxrwx  1 root root  16 2006-02-03 14:43 z55_hotplug.rules -> ../hotplug.rules
lrwxrwxrwx  1 root root  29 2006-09-20 20:36 z75_cd-aliases-generator.rules -> ../cd-aliases-generator.rules

-- /sys/:

Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

2006-12-29 Thread Marco d'Itri
reassign 404927 linux-2.6
thanks

On Dec 29, Stefanos Harhalakis <[EMAIL PROTECTED]> wrote:

>   Notice the 'aacraid' and 'adaptec' values that identify the hardware
>   raid controller and the 'removable' flag. I believe that this is not
>   a misconfiguration on my part and I don't have access to another machine
>   with a hardware raid controller to test it there.
Blame the kernel then, udev just believes the information provided.

-- 
ciao,
Marco




Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

2007-01-03 Thread dann frazier
On Fri, Dec 29, 2006 at 11:29:59AM +0100, Marco d'Itri wrote:
> reassign 404927 linux-2.6
> thanks
> 
> On Dec 29, Stefanos Harhalakis <[EMAIL PROTECTED]> wrote:
> 
> >   Notice the 'aacraid' and 'adaptec' values that identify the hardware
> >   raid controller and the 'removable' flag. I believe that this is not
> >   a misconfiguration on my part and I don't have access to another machine
> >   with a hardware raid controller to test it there.
> Blame the kernel then, udev just believes the information provided.

hey Marco,
 Can you elaborate on what you believe the kernel is doing
incorrectly? My first guess would be the setting of the removable
flag, but aacraid claims to be setting this to prevent partition table
caching - do you believe that to be an incorrect usage?

An explanation for it is here:
  http://www.ussg.iu.edu/hypermail/linux/kernel/0602.2/1231.html

It seems like there is precedent for workarounds for older kernels in
permissions.rules, so would it be appropriate to add an override of
the default floppy rule for aacraid devices for compatibility even if
this is a kernel bug?

-- 
dann frazier






Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

2007-01-03 Thread Marco d'Itri
On Jan 03, dann frazier <[EMAIL PROTECTED]> wrote:

>  Can you elaborate on what you believe the kernel is doing
> incorrectly? My first guess would be the setting of the removable
> flag, but aacraid claims to be setting this to prevent partition table
> caching - do you believe that to be an incorrect usage?
Yes, this looks like an abuse of the interface to me.

> It seems like there is precedent for workarounds for older kernels in
> permissions.rules, so would it be appropriate to add an override of
> the default floppy rule for aacraid devices for compatibility even if
> this is a kernel bug?
There are workarounds for bugs which are going to be fixed, but looks
like this is going to stay forever...
Are there other drivers in this situation?

-- 
ciao,
Marco




Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

2007-01-03 Thread dann frazier
On Wed, Jan 03, 2007 at 11:49:51AM +0100, Marco d'Itri wrote:
> Are there other drivers in this situation?

hey Marco,
 Mark Salyzyn's reply on LKML suggests that this problem may be more
widespread and possibly difficult to audit on the kernel side. Could
we do something like change the default block/removable device to
GROUP=disk, and override fd type devices w/ GROUP=floppy? This seems
like a more secure default for etch, given the circumstances.

-- 
dann frazier






Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

2007-01-04 Thread Marco d'Itri
On Jan 04, dann frazier <[EMAIL PROTECTED]> wrote:

>  Mark Salyzyn's reply on LKML suggests that this problem may be more
> widespread and possibly difficult to audit on the kernel side. Could
> we do something like change the default block/removable device to
> GROUP=disk, and override fd type devices w/ GROUP=floppy? This seems
> like a more secure default for etch, given the circumstances.
There is much more than "fd type devices" which need to be removable so
if this needs to be worked around in udev I'd rather use an explicit
list of broken drivers.
BTW, I understand that HAL and maybe pmount will show the same issue.

I also wonder why no other distribution noticed this.

-- 
ciao,
Marco




Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

2007-01-04 Thread Marco d'Itri
On Jan 04, dann frazier <[EMAIL PROTECTED]> wrote:

> Right - but what I'm suggesting is that we change the default group
> for removable block devices from "floppy" to "disk".
> e.g., something like this untested patch:
No way.
Look at the reactions to these bugs: #402622, #402649, #321642

> > BTW, I understand that HAL and maybe pmount will show the same issue.
> ok - how so?
I think they both trust the kernel about knowing if a device is
removable or not.

> > I also wonder why no other distribution noticed this.
> It's probably worth asking on the udev list - you want me to do this?
OK.

-- 
ciao,
Marco




Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

2007-01-04 Thread dann frazier
On Thu, Jan 04, 2007 at 05:13:44PM +0100, Marco d'Itri wrote:
> On Jan 04, dann frazier <[EMAIL PROTECTED]> wrote:
> 
> >  Mark Salyzyn's reply on LKML suggests that this problem may be more
> > widespread and possibly difficult to audit on the kernel side. Could
> > we do something like change the default block/removable device to
> > GROUP=disk, and override fd type devices w/ GROUP=floppy? This seems
> > like a more secure default for etch, given the circumstances.
> There is much more than "fd type devices" which need to be removable so
> if this needs to be worked around in udev

Right - but what I'm suggesting is that we change the default group
for removable block devices from "floppy" to "disk".
e.g., something like this untested patch:

--- permissions.rules.orig  2007-01-04 09:21:29.0 -0700
+++ permissions.rules   2007-01-04 09:22:30.0 -0700
@@ -11,7 +11,10 @@
 
 # default permissions for block devices
 SUBSYSTEM=="block",GROUP="disk"
-SUBSYSTEM=="block", ATTRS{removable}=="1", GROUP="floppy"
+SUBSYSTEM=="block", ATTRS{removable}=="1", GROUP="disk"
+
+# floppy devices
+KERNEL=="fd[0-9]*",GROUP="floppy"
 
 # IDE devices
 KERNEL=="hd[a-z]|pcd[0-9]*",   DRIVERS=="ide-cdrom|pcd", \
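
Review bot: the rewritten line SUBSYSTEM=="block", ATTRS{removable}=="1", GROUP="disk" is redundant, because the default rule directly above it already assigns GROUP="disk" to every block device; deleting the line would be clearer than changing its group. Also, with only KERNEL=="fd[0-9]*" restored to group floppy, every other device the removed rule matched through removable=="1" moves to group disk, so the new "# floppy devices" comment should say that this narrowing is intended.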


That seems like a far more secure default for Debian, given that no
users are in the "disk" group by default.

> I'd rather use an explicit list of broken drivers.

In the lifetime of etch, people will be using drivers we haven't yet
seen. It's less of a risk that this will be a floppy device, and it
would have less of an impact.

> BTW, I understand that HAL and maybe pmount will show the same issue.

ok - how so?

> I also wonder why no other distribution noticed this.

It's probably worth asking on the udev list - you want me to do this?

-- 
dann frazier






Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

2007-01-04 Thread dann frazier
On Thu, Jan 04, 2007 at 05:39:31PM +0100, Marco d'Itri wrote:
> On Jan 04, dann frazier <[EMAIL PROTECTED]> wrote:
> 
> > Right - but what I'm suggesting is that we change the default group
> > for removable block devices from "floppy" to "disk".
> > e.g., something like this untested patch:
> No way.
> Look at the reactions to these bugs: #402622, #402649, #321642

Ok I've read through these reports and it looks like I misunderstood
how we currently use the floppy group. It appears to be used for more
devices than just floppies, though it seems counterintuitive to me.

Can you point me to (or explain) how the floppy group is currently
defined and how it is differentiated by plugdev?

For now, I can only suggest adding workarounds for the devices
identified by Mark in this report - aacraid, ips, and dpt_i2o.

And perhaps we should update the passwd/make-user Template in
user-setup to warn that this first account will have "special"
privileges?

> I think they both trust the kernel about knowing if a device is
> removable or not.

yes, that makes sense - I was only thinking about the security aspect
of this issue when I asked, since that is what earned this bug such a
high severity.

> > > I also wonder why no other distribution noticed this.
> > It's probably worth asking on the udev list - you want me to do this?
> OK.

I'll send a note after this message.

I just took a look at the distro config files in the udev upstream
tarball, and it looks like we are the only ones that use the
removable flag when picking a group, so it's probably not a big deal
for them, security wise.


-- 
dann frazier






Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

2007-01-04 Thread Marco d'Itri
On Jan 05, dann frazier <[EMAIL PROTECTED]> wrote:

> Can you point me to (or explain) how the floppy group is currently
> defined and how it is differentiated by plugdev?
It's supposed to be used for removable media: floppy disks, memory cards
or USB and firewire hard disks.
(Except optical media, which are owned by group cdrom.)

> For now, I can only suggest adding workarounds for the devices
> identified by Mark in this report - aacraid, ips, and dpt_i2o.
I will need to see sample udevinfo output for each driver, unless
somebody already knows a rule to match them.

> yes, that makes sense - I was only thinking about the security aspect
> of this issue when I asked, since that is what earned this bug such a
> high severity.
Thinking again about this it should not matter for pmount. I am not sure
about HAL, but probably not either.

-- 
ciao,
Marco
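
Added example, not part of the thread or of udev: a Python check that parses udevinfo attribute-walk output like the report above and flags a disk whose removable flag is 1 while one of the drivers named in the thread (aacraid, ips, dpt_i2o) appears in its parent chain. The function names, the two sample walks and the placeholder device paths are assumptions constructed for illustration.

```python
import re

# Drivers named in this thread as setting the removable flag on fixed disks.
SUSPECT_DRIVERS = {"aacraid", "ips", "dpt_i2o"}
PAIR = re.compile(r'^\s*([A-Z]+(?:\{[^}]+\})?)=="(.*)"\s*$')

# Constructed, abbreviated samples; the device paths are placeholders.
RAID_WALK = '''
  looking at device '/block/sda':
KERNEL=="sda"
DRIVER==""
ATTR{removable}=="1"
  looking at parent device
'/devices/EXAMPLE/host0/target0:0:0/0:0:0:0':
DRIVERS=="sd"
ATTRS{vendor}=="Adaptec "
  looking at parent device '/devices/EXAMPLE':
DRIVERS=="aacraid"
'''
USB_WALK = '''
  looking at device '/block/sdb':
KERNEL=="sdb"
ATTR{removable}=="1"
  looking at parent device '/devices/EXAMPLE-USB/host1':
DRIVERS=="sd"
  looking at parent device '/devices/EXAMPLE-USB':
DRIVERS=="usb-storage"
'''


def parse_walk(text):
    """Split attribute-walk output into one dict of KEY -> value per level."""
    levels = []
    for line in text.splitlines():
        if "looking at" in line:
            levels.append({})  # a path wrapped onto the next line is skipped
            continue
        m = PAIR.match(line)
        if m and levels:
            levels[-1][m.group(1)] = m.group(2).strip()
    return levels


def audit(text):
    """Report whether a 'removable' disk sits behind a suspect RAID driver."""
    levels = parse_walk(text)
    if not levels:
        return None
    drivers = [d for d in (l.get("DRIVERS") or l.get("DRIVER") for l in levels) if d]
    suspect = sorted(SUSPECT_DRIVERS.intersection(drivers))
    removable = levels[0].get("ATTR{removable}") == "1"
    return {"kernel": levels[0].get("KERNEL"), "removable": removable,
            "drivers": drivers, "suspect": suspect,
            "misreported": removable and bool(suspect)}
```

On the RAID sample the result has misreported set to True with aacraid as the suspect driver; the USB sample is removable but not flagged.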




Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

2007-01-05 Thread dann frazier
On Fri, Jan 05, 2007 at 03:23:40AM +0100, Marco d'Itri wrote:
> On Jan 05, dann frazier <[EMAIL PROTECTED]> wrote:
> 
> > Can you point me to (or explain) how the floppy group is currently
> > defined and how it is differentiated by plugdev?
> It's supposed to be used for removable media: floppy disks, memory cards
> or USB and firewire hard disks.
> (Except optical media, which are owned by group cdrom.)

Ok - and what is plugdev for?

> > For now, I can only suggest adding workarounds for the devices
> > identified by Mark in this report - aacraid, ips, and dpt_i2o.
> I will need to see sample udevinfo output for each driver, unless
> somebody already knows a rule to match them.

udevinfo for aacraid is in this report, I'll follow up with Mark to
see if he can provide it for ips/dpt_i2o.

-- 
dann frazier






Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

2007-01-05 Thread Marco d'Itri
On Jan 05, dann frazier <[EMAIL PROTECTED]> wrote:

> > > Can you point me to (or explain) how the floppy group is currently
> > > defined and how it is differentiated by plugdev?
> > It's supposed to be used for removable media: floppy disks, memory cards
> > or USB and firewire hard disks.
> > (Except optical media, which are owned by group cdrom.)
> Ok - and what is plugdev for?
It controls /who/ can mount these devices.

-- 
ciao,
Marco




Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

2007-02-27 Thread Steve Langasek
severity 404927 normal
reassign 404927 linux-2.6
thanks

Ok, my mistake; Marco says that there is a kernel bug here still, because
the driver is still wrong to use this interface, and the udev changes are
only a workaround.

So this bug is still open, it's just no longer release-critical in nature.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/





Processed: Re: Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

2006-12-29 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> reassign 404927 linux-2.6
Bug#404927: udev believes hardware raid devices are removable and sets the 
permissions to group floppy
Bug reassigned from package `udev' to `linux-2.6'.

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

