From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 4 Oct 2004 14:53:26 +0100
From: Luke Kenneth Casson Leighton
To: 274860@bugs.debian.org
Cc: linux-kernel@vger.kernel.org, 274867@bugs.debian.org
Subject: Re: Bug#274860: Acknowledgement (kernel-image-2.6.8-1-686: CDROM_SEND_PACKET ioctls only work as root)
Message-ID: <20041004135326.GA20930@lkcl.net>

found it.

it's a new piece of kernel code verify_command in
drivers/block/scsi_ioctl.c, which checks for the capability
CAP_SYS_RAWIO.

ah, dammit.

for k3b to work, you'd have to install it setuid root, call
getcap(), remove all but the necessary capabilities (i.e. don't
remove CAP_SYS_RAWIO), do a setfsuid() and setfsgid() and do
a setcap().

fuse (file system in userspace) uses this technique for allowing mount
and unmount but nothing else [which doesn't work on 2.6.8 btw: the
getcap() fails, but i did notice that debian doesn't install
fusermount as setuid to root which is half the problem...]

l.

On Mon, Oct 04, 2004 at 02:10:14PM +0100, Luke Kenneth Casson Leighton wrote:
> additional info:
>
> kernel 2.6.8. ioctl ("/dev/hdc", CDROM_SEND_PACKET, cmd)
>
> commands that are failing as non-root, even when permission is granted
> rwxrwxrwx to /dev/hdc, are, according to some debug info added to k3b:
>
> GET CONFIGURATION (46)
> error code: 0
> sense key: NO SENSE (2)
> asc: 0
> ascq: 0
>
> and:
>
> MODE SELECT (55)
> error code: 0
> sense key: NO SENSE (2)
> asc: 0
> ascq: 0
>
> the result is that k3b cannot determine that the drive exists, therefore
> it cannot use it even though cdrecord might actually work.
>
>
> as root, the following errors occur:
>
> MODE SELECT (46)
> errorcode: 70
> sense key: ILLEGAL REQUEST (5)
> asc: 26
> ascq: 0
>
> READ DVD STRUCTURE (ad)
> errorcode: 70
> sense key: NOT READY (2)
> asc: 3a
> ascq: 0
>
> presumably it can be concluded that the GET CONFIGURATION ioctl command
> is the one at fault.
>
> ... what gives?
>
> l.
>
> --
> --
> Truth, honesty and respect are rare commodities that all spring from
> the same well: Love. If you love yourself and everyone and everything
> around you, funnily and coincidentally enough, life gets a lot better.
> --
> lkcl.net
> lkcl@lkcl.net
>

--
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
lkcl.net
lkcl@lkcl.net
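
The sequence described in the message above (read the capability sets, keep only CAP_SYS_RAWIO, switch the filesystem ids, write the sets back), as an added C example that is not part of the original thread and is not k3b or fuse code. It assumes the getcap()/setcap() steps are done with the raw capget(2)/capset(2) syscalls; the names cap_hdr, cap_data, keep_only and drop_all_but are this example's own.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/fsuid.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Values and layouts as in <linux/capability.h>, repeated here so the file
   builds without kernel headers; all names are this example's own. */
#define CAP_VERSION_3 0x20080522u /* _LINUX_CAPABILITY_VERSION_3 */
#define CAP_RAWIO     17          /* CAP_SYS_RAWIO */
struct cap_hdr  { uint32_t version; int pid; };
struct cap_data { uint32_t effective, permitted, inheritable; };

/* Clear every bit except `cap` in a two-word capability set.  Bits are only
   ever cleared, so a capability the process lacks is never requested. */
void keep_only(struct cap_data d[2], int cap)
{
    for (int w = 0; w < 2; w++) {
        uint32_t mask = (w == cap / 32) ? (1u << (cap % 32)) : 0;
        d[w].permitted &= mask;
        d[w].effective &= mask;
        d[w].inheritable = 0;          /* empty the inheritable set */
    }
}

/* capget, mask, switch fs ids to the invoking user, capset.
   Returns 0 on success, -1 if either syscall fails. */
int drop_all_but(int cap)
{
    struct cap_hdr h = { CAP_VERSION_3, 0 };   /* pid 0: calling process */
    struct cap_data d[2];
    if (syscall(SYS_capget, &h, d) != 0) return -1;
    keep_only(d, cap);
    setfsgid(getgid());    /* file access checks now use the real ids */
    setfsuid(getuid());
    if (syscall(SYS_capset, &h, d) != 0) return -1;
    return 0;
}

int main(void)
{
    if (drop_all_but(CAP_RAWIO) != 0) { perror("drop_all_but"); return 1; }
    struct cap_hdr h = { CAP_VERSION_3, 0 };
    struct cap_data d[2] = { {0, 0, 0}, {0, 0, 0} };
    syscall(SYS_capget, &h, d);
    printf("effective: %08x %08x\n", (unsigned)d[1].effective, (unsigned)d[0].effective);
    return 0;
}
```

Run from a setuid-root binary, this leaves only CAP_SYS_RAWIO in the permitted and effective sets while file access is checked against the invoking user's ids; the effective uid itself is still 0 afterwards.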
From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 4 Oct 2004 16:01:46 +0200
From: Jens Axboe
To: Luke Kenneth Casson Leighton
Cc: linux-kernel@vger.kernel.org
Subject: Re: Bug#274860: Acknowledgement (kernel-image-2.6.8-1-686: CDROM_SEND_PACKET ioctls only work as root)
Message-ID: <20041004140145.GY2287@suse.de>

On Mon, Oct 04 2004, Luke Kenneth Casson Leighton wrote:
> found it.
>
> it's a new piece of kernel code verify_command in
> drivers/block/scsi_ioctl.c, which checks for the capability
> CAP_SYS_RAWIO.
>
> ah, dammit.
>
> for k3b to work, you'd have to install it setuid root, call
> getcap(), remove all but the necessary capabilities (i.e. don't
> remove CAP_SYS_RAWIO), do a setfsuid() and setfsgid() and do
> a setcap().

it works in 2.6.9-rcX.

--
Jens Axboe

From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 4 Oct 2004 15:25:00 +0100
From: Luke Kenneth Casson Leighton
To: Jens Axboe
Cc: linux-kernel@vger.kernel.org
Subject: Re: Bug#274860: Acknowledgement (kernel-image-2.6.8-1-686: CDROM_SEND_PACKET ioctls only work as root)
Message-ID: <20041004142500.GE20930@lkcl.net>

On Mon, Oct 04, 2004 at 04:01:46PM +0200, Jens Axboe wrote:
> On Mon, Oct 04 2004, Luke Kenneth Casson Leighton wrote:
> > found it.
> >
> > it's a new piece of kernel code verify_command in
> > drivers/block/scsi_ioctl.c, which checks for the capability
> > CAP_SYS_RAWIO.
> >
> > ah, dammit.
> >
> > for k3b to work, you'd have to install it setuid root, call
> > getcap(), remove all but the necessary capabilities (i.e. don't
> > remove CAP_SYS_RAWIO), do a setfsuid() and setfsgid() and do
> > a setcap().
>
> it works in 2.6.9-rcX.

okay so someone has added the GET_CAPABILITY to verify_command in
scsi_block.c there, yes?
From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 04 Oct 2004 09:16:40 -0500
From: "K.R. Foley"
To: Jens Axboe
CC: Luke Kenneth Casson Leighton, linux-kernel@vger.kernel.org
Subject: Re: Bug#274860: Acknowledgement (kernel-image-2.6.8-1-686: CDROM_SEND_PACKET ioctls only work as root)
Message-ID: <41615B48.904@cybsft.com>

Jens Axboe wrote:
> On Mon, Oct 04 2004, Luke Kenneth Casson Leighton wrote:
>
>>found it.
>>
>>it's a new piece of kernel code verify_command in
>>drivers/block/scsi_ioctl.c, which checks for the capability
>>CAP_SYS_RAWIO.
>>
>>ah, dammit.
>>
>>for k3b to work, you'd have to install it setuid root, call
>>getcap(), remove all but the necessary capabilities (i.e. don't
>>remove CAP_SYS_RAWIO), do a setfsuid() and setfsgid() and do
>>a setcap().
>
>
> it works in 2.6.9-rcX.
>

I don't know for sure if this is related or not, but it sure sounds like
it. I have noticed the following in at least the last few versions (I
believe 2.6.9-rc2 also): Even though CONFIG_SECURITY_CAPABILITIES can be
configured as a module, if I don't compile it into the kernel getcap and
setcap fail.

kr

From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 4 Oct 2004 16:19:07 +0200
From: Jens Axboe
To: Luke Kenneth Casson Leighton
Cc: linux-kernel@vger.kernel.org
Subject: Re: Bug#274860: Acknowledgement (kernel-image-2.6.8-1-686: CDROM_SEND_PACKET ioctls only work as root)
Message-ID: <20041004141907.GZ2287@suse.de>

On Mon, Oct 04 2004, Luke Kenneth Casson Leighton wrote:
> On Mon, Oct 04, 2004 at 04:01:46PM +0200, Jens Axboe wrote:
> > On Mon, Oct 04 2004, Luke Kenneth Casson Leighton wrote:
> > > found it.
> > >
> > > it's a new piece of kernel code verify_command in
> > > drivers/block/scsi_ioctl.c, which checks for the capability
> > > CAP_SYS_RAWIO.
> > >
> > > ah, dammit.
> > >
> > > for k3b to work, you'd have to install it setuid root, call
> > > getcap(), remove all but the necessary capabilities (i.e. don't
> > > remove CAP_SYS_RAWIO), do a setfsuid() and setfsgid() and do
> > > a setcap().
> >
> > it works in 2.6.9-rcX.
>
> okay so someone has added the GET_CAPABILITY to verify_command in
> scsi_block.c there, yes?

GET_CONFIGURATION, yes. There have been a number of additions since 2.6.8.

--
Jens Axboe