From: Albert Cahalan <albert@users.sf.net>
To: Marc Ballarin <Ballarin.Marc@gmx.de>
Cc: linux-kernel mailing list <linux-kernel@vger.kernel.org>, greg@kroah.com
Subject: Re: dynamic /dev security hole?
Date: 08 Aug 2004 11:04:31 -0400 [thread overview]
Message-ID: <1091977471.5761.144.camel@cube> (raw)
In-Reply-To: <20040808175834.59758fc0.Ballarin.Marc@gmx.de>
On Sun, 2004-08-08 at 11:58, Marc Ballarin wrote:
> On 08 Aug 2004 08:47:40 -0400
> Albert Cahalan <albert@users.sf.net> wrote:
>
> > Suppose I have access to a device, for whatever legit
> > reason. Maybe I'm given access to a USB key with
> > some particular serial number.
> >
> > I hard link this to somewhere else. Never mind that an
> > admin could in theory use 42 separate partitions and
> > mount most of the system with the "nodev" option. This
> > is rarely done.
> >
> > Now the device is removed. The /dev entry goes away.
> > A new device is added, and it gets the same device
> > number as the device I had legit access to. Hmmm?
>
> This would require (1) /dev to be inside the root filesystem and (2) users
> having write access somewhere in that filesystem.
>
> (1) is uncommon, often a separate filesystem is used for udev
> (2) is very bad practice anyway and should never be seen on a true
> multi-user machine
Sure, blame the admins. This is like leaving landmines
in your front yard, then blaming people who step on them.
> Besides, this is nothing new. Dynamic permission updates through PAM have
> the same issue, and anyone calling themselves "admin" should be well aware
> of those issues. This is basic Unix-security, after all.
This isn't, or at least shouldn't, be basic UNIX security.
PAM should call revoke(), except that Linux still doesn't
have this system call. It's been in BSD since 4.3BSD-Reno.
Calling revoke() would fully solve the PAM problems. Any
open file descriptors would be useless. Any hard links to
the device file would get the new permission bits via the
shared inode.
IMHO, hard links need to be severely restricted by default.
It's a waste to make this even a boot option, since almost
nobody would have a legitimate need for the current behavior.
Perhaps there are other ways to deal with the problem though.
> Yet, this issue should probably mentioned in documentation. It certainly
> should be mentioned in the udev-HOWTO.
You don't have to document problems if you fix them.
next prev parent reply other threads:[~2004-08-08 17:36 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-08-08 12:47 dynamic /dev security hole? Albert Cahalan
2004-08-08 15:58 ` Marc Ballarin
2004-08-08 15:04 ` Albert Cahalan [this message]
2004-08-08 20:42 ` Greg KH
2004-08-08 16:21 ` Greg KH
2004-08-08 21:43 ` Marc Ballarin
2004-08-08 22:07 ` Marc Ballarin
2004-08-09 4:40 ` Eric Lammerts
2004-08-09 13:30 ` Michael Buesch
2004-08-09 13:19 ` Albert Cahalan
2004-08-09 16:54 ` Michael Buesch
2004-08-09 17:04 ` Eric Lammerts
2004-08-09 17:14 ` Michael Buesch
2004-08-10 0:21 ` Greg KH
2004-08-11 17:12 ` [RFC, PATCH] sys_revoke(), just a try. (was: Re: dynamic /dev security hole?) Michael Buesch
2004-08-12 16:49 ` Michael Buesch
2004-08-12 19:51 ` Alan Cox
2004-08-12 19:39 ` Albert Cahalan
2004-08-13 12:39 ` Michael Buesch
2004-08-09 14:49 ` dynamic /dev security hole? Alan Cox
2004-08-09 16:17 ` Eric Lammerts
2004-08-09 15:33 ` Alan Cox
2004-08-09 16:47 ` Eric Lammerts
2004-08-09 17:54 ` Alan Cox
2004-08-10 0:21 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1091977471.5761.144.camel@cube \
--to=albert@users.sf.net \
--cc=Ballarin.Marc@gmx.de \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox