From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.saout.de ([127.0.0.1]) by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lMlWoj3H_j6i for ; Wed, 10 Jul 2013 04:19:45 +0200 (CEST) Received: from smtp.meme.com (janus.meme.com [69.17.73.118]) by mail.saout.de (Postfix) with ESMTP for ; Wed, 10 Jul 2013 04:19:45 +0200 (CEST) Date: Tue, 09 Jul 2013 21:10:02 -0500 From: "Karl O. Pinc" References: In-Reply-To: (from bpjain@cs.stonybrook.edu on Tue Nov 27 11:25:59 2012) Message-Id: <1373422202.9438.18@slate> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Subject: Re: [dm-crypt] An observation List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Bhushan Jain Cc: "dm-crypt@saout.de" On 11/27/2012 11:25:59 AM, Bhushan Jain wrote: > Hello Developers, >=20 > I am a student at Stony Brook University researching system security. > I noticed that the only reason dmcrypt-get-device (from eject=20 > package) > needs setuid privilege is to read the major:minor numbers (unless I > have missed something). > A lot of distributions (Ubuntu, Fedora, etc.) are trying to avoid use > of the setuid bit because it can potentially introduce a privilege > escalation attack vector. > I think the same thing could be accomplished by exporting the > major:minor device numbers through a proc file, and then eliminate=20 > the > need for dmcrypt-get-device. > I would be happy to send you a patch that does this, if there is > interest. Any comments/thoughts? Speaking from ignorance, isn't there something in /sys with this information? If so a patch to read from that might be better. I'm ignorant, but I've this feeling that /proc is frowned upon. Regards, Karl Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein =