From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Karl O. Pinc"
Date: Mon, 14 Mar 2011 23:20:43 +0000
Subject: Re: [PATCH] add ACLs to /dev/sgX nodes for CD-ROM
Message-Id: <1300144843.15120.3@mofo>
List-Id:
References: <1299402082-4796-1-git-send-email-arvidjaar@mail.ru>
In-Reply-To: <1299402082-4796-1-git-send-email-arvidjaar@mail.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: linux-hotplug@vger.kernel.org

On 03/14/2011 11:41:09 AM, Kay Sievers wrote:
> On Mon, Mar 14, 2011 at 17:33, Harald Hoyer
> > Oh! You don't want to do this... Won't this allow ordinary users to
> > flash a new firmware, opening some security issues here?
>
> Do we really don't want that? Locally logged-in users could put glue
> in the tray too. :)

Has this been thought through?

Glue in the tray is a simple denial of service attack, and one
that affects but a single system component. Flashing firmware,
in theory at least, opens the door to installing malware right
into the firmware and enables all sorts of ugly possibilities
starting with malware that runs before the boot process even
gets going, can't be detected by scanning the drive, and can't
be removed by wiping the hard drive and power cycling.

It sounds scary if an ordinary user, especially one not sitting
next to the box, can install such malware without any other sort
of privilege escalation.

Karl
Free Software: "You don't pay back, you pay forward."
                 -- Robert A. Heinlein