Message-ID: <50B4FD34.7030209@gmail.com>
Date: Tue, 27 Nov 2012 18:49:40 +0100
From: Milan Broz
To: Bhushan Jain
Cc: "dm-crypt@saout.de"
Subject: Re: [dm-crypt] An observation

On 11/27/2012 06:25 PM, Bhushan Jain wrote:
> Hello Developers,
>
> I am a student at Stony Brook University researching system security.
> I noticed that the only reason dmcrypt-get-device (from eject package) needs setuid privilege is to read the major:minor numbers (unless I have missed something).
> A lot of distributions (Ubuntu, Fedora, etc.) are trying to avoid use of the setuid bit because it can potentially introduce a privilege escalation attack vector.
> I think the same thing could be accomplished by exporting the major:minor device numbers through a proc file, and then eliminate the need for dmcrypt-get-device.
> I would be happy to send you a patch that does this, if there is interest. Any comments/thoughts?

Hi,

AFAIK eject package was deprecated and is moved into util-linux upstream
(and almost completely rewritten).

No idea what is dmcrypt-get-device, seems like distro specific hack.

(And moreover, libblkid used in lsblk or blkid is better way to check
UUID/major:minor etc. These run in user context.)

BTW major:minor is in /sys for all block devices (lsblk uses this).

So report it to distro you see this, definitely this should not need setuid bit!

Milan
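
The sysfs lookup mentioned in the reply above, as an added example that is not part of the original message and is not code from eject or util-linux. The function names and the SYSFS_ROOT override are assumptions made for illustration; the sysfs paths used are /sys/class/block/NAME/dev, /sys/dev/block/MAJOR:MINOR and the slaves directory of a stacked device, all readable in user context.

```shell
#!/bin/sh
# Added example: unprivileged major:minor lookup through sysfs.
# SYSFS_ROOT is a hypothetical override so the functions can be pointed
# at a constructed tree; on a real system it stays /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Accept only a plain kernel device name, never a path.
valid_name() {
    case "$1" in
        ""|.|..|*/*) return 1 ;;
    esac
}

# Accept only "digits:digits".
valid_devno() {
    case "$1" in
        ""|*[!0-9:]*|*:*:*|:*|*:) return 1 ;;
        *:*) return 0 ;;
    esac
    return 1
}

# Print MAJOR:MINOR for a block device name such as sda1 or dm-0.
blk_devno() {
    valid_name "$1" || return 2
    [ -r "$SYSFS_ROOT/class/block/$1/dev" ] || return 1
    devno=$(cat "$SYSFS_ROOT/class/block/$1/dev") || return 1
    valid_devno "$devno" || return 1
    printf '%s\n' "$devno"
}

# Reverse lookup: print the device name behind a MAJOR:MINOR pair.
blk_name() {
    valid_devno "$1" || return 2
    [ -e "$SYSFS_ROOT/dev/block/$1" ] || return 1
    target=$(readlink "$SYSFS_ROOT/dev/block/$1") || return 1
    printf '%s\n' "${target##*/}"
}

# For a stacked device (for example a dm-crypt mapping), print one
# "name MAJOR:MINOR" line per underlying device.
blk_slaves() {
    valid_name "$1" || return 2
    for s in "$SYSFS_ROOT/class/block/$1/slaves"/*; do
        [ -e "$s" ] || continue
        printf '%s %s\n' "${s##*/}" "$(blk_devno "${s##*/}")"
    done
}
```

After sourcing the file as an ordinary user, `blk_devno sda1` or `blk_slaves dm-0` prints the numbers without any setuid helper.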