From mboxrd@z Thu Jan  1 00:00:00 1970
From: Greg KH <greg@kroah.com>
Date: Tue, 25 Aug 2009 17:42:49 +0000
Subject: Re: [security] Race condition in udev
Message-Id: <20090825174249.GA13539@kroah.com>
List-Id: <linux-hotplug.vger.kernel.org>
References: <20090821102407.GA29609@florz.florz.dyndns.org>
In-Reply-To: <20090821102407.GA29609@florz.florz.dyndns.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: linux-hotplug@vger.kernel.org

On Tue, Aug 25, 2009 at 07:31:30PM +0200, Florian Zumbiehl wrote:
> Assumption:
> 
>  /dev/foo is configured to be owned by user root, group users, mode 0646.
>  The attacker tries to open /dev/foo for writing as a user that's not
>  root, not a member of the group root, but a member of the group users.
> 
> The Trace:
> 
>   action                     | owner | group | mode    | open(O_WRONLY)?
>  ----------------------------+-------+-------+---------+-----------------
>   mknod(/dev/foo)            | root  | root  | 0644(?) | no
>   chmod(/dev/foo,0646)       | root  | root  | 0646    | yes
>   chown(/dev/foo,root,users) | root  | users | 0646    | no

Are there any current device nodes that get set to this kind of "odd"
permissions with the current udev ruleset?

> Could we now take care of the bug?

Do you have a proposed patch?

thanks,

greg k-h