From: Jens Axboe <axboe@suse.de>
To: Zinx Verituse <zinx@epicsol.org>
Cc: linux-kernel@vger.kernel.org
Subject: Re: ide-cd problems
Date: Thu, 5 Aug 2004 07:40:57 +0200 [thread overview]
Message-ID: <20040805054056.GC10376@suse.de> (raw)
In-Reply-To: <20040731210257.GA22560@bliss>
On Sat, Jul 31 2004, Zinx Verituse wrote:
> On Sat, Jul 31, 2004 at 10:00:36PM +0200, Jens Axboe wrote:
> > On Sat, Jul 31 2004, Zinx Verituse wrote:
> > > On Sat, Jul 31, 2004 at 05:36:10PM +0200, Jens Axboe wrote:
> > > > On Fri, Jul 30 2004, Zinx Verituse wrote:
> > > > > I'm going to bump this topic a bit, since it's been a while..
> > > > > There are still some issues with ide-cd's SG_IO, listed from
> > > > > most important as percieved by me to least:
> > > > >
> > > > > * Read-only access grants you the ability to write/blank media in the drive
> > > > > * (with above) You can open the device only in read-only mode.
> > > >
> > > > That's by design. Search linux-scsi or this list for why that is so.
> > >
> > > The only thing I can find on the linux-scsi list is refering to sg
> > > devices, which are on a different device node from the non-generic
> > > device. This means you can still allow users read access to the disk
> > > without allowing them to send random commands to the disk -- this isn't
> > > currently possible with the IDE interface, since the device with
> > > generic access is the same as the one with the original read/cdrom
> > > commands access.
> > >
> > > As it is, it's impossible grant users read-only access to an IDE cd-rom
> > > without allowing them to do things like replacing the firmware with a
> > > malicious/non-working one.
> > >
> > > Generic access allowing such things is fine; but only if we can grant
> > > non-generic access without granting generic access.
> >
> > If you want it to work that way, you have the have a pass-through filter
> > in the kernel knowing what commands are out there (including vendor
> > specific ones). That's just too ugly and not really doable or
> > maintainable, sorry.
> >
> > If you have access to issue ioctls to the device, you have access to
> > send it arbitrary commands - period.
>
> I don't believe command filtering is neccessary, since all of the
> ide-cd ioctls are still there (ioctls that allow playing, reading, etc)
> Only the SG_IO ioctl itself would have to be checked (i.e., not each
> individual command available with SG_IO, just the overall ioctl itself,
> categorizing all of SG_IO more or less as raw IO. If this isn't doable
> with the current design, then the ide-cd interface should at least be
> very conspicuously documented as being extremely insecure as far as
> "read" access is concerned, as I know I wouldn't expect users to be able
> to overwrite my drive's firmware simply by granting the read access.
Ok, that is definitely more acceptable. But then it should be done to
CDROM_SEND_PACKET as well, and we risk breaking programs doing so (ie
cdrecord run by user currently).
--
Jens Axboe
next prev parent reply other threads:[~2004-08-05 5:41 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-07-30 19:36 ide-cd problems Zinx Verituse
2004-07-31 15:36 ` Jens Axboe
2004-07-31 18:27 ` Zinx Verituse
2004-07-31 20:00 ` Jens Axboe
2004-07-31 21:02 ` Zinx Verituse
2004-08-01 4:07 ` Alexander E. Patrakov
2004-08-01 15:57 ` Jens Axboe
2004-08-02 3:20 ` Horst von Brand
2004-08-02 12:25 ` Jens Axboe
2004-08-02 20:44 ` Bill Davidsen
2004-08-02 13:45 ` tabris
2004-08-02 13:56 ` Jens Axboe
2004-08-02 14:26 ` Andreas Metzler
2004-08-02 14:33 ` Jens Axboe
2004-08-02 14:38 ` tabris
2004-08-02 14:50 ` Jens Axboe
2004-08-02 16:30 ` Bill Davidsen
2004-08-03 7:17 ` Jens Axboe
2004-08-02 17:16 ` Zinx Verituse
2004-08-05 5:40 ` Jens Axboe [this message]
2004-08-05 21:06 ` Alan Cox
2004-08-06 5:44 ` Jens Axboe
[not found] ` <20040806062331.GE10274@suse.de>
2004-08-06 12:14 ` Alan Cox
2004-08-06 14:32 ` Jens Axboe
2004-08-06 15:14 ` Charles Cazabon
2004-08-06 15:13 ` Jens Axboe
2004-08-07 14:01 ` Alan Cox
2004-08-06 17:26 ` dleonard
2004-08-06 22:47 ` Jens Axboe
2004-08-07 14:04 ` Alan Cox
2004-08-07 21:54 ` Alan Cox
2004-08-07 3:11 ` Jason L Tibbitts III
2004-08-09 8:39 ` Jens Axboe
2004-08-07 14:08 ` Alan Cox
2004-08-09 8:49 ` Jens Axboe
2004-08-02 23:54 ` Alan Cox
2004-08-03 5:53 ` Jens Axboe
2004-08-03 16:17 ` Zinx Verituse
2004-08-04 5:01 ` Jens Axboe
2004-08-05 15:52 ` Alan Cox
2004-08-05 17:46 ` Jens Axboe
2004-08-05 20:58 ` Alan Cox
2004-08-05 18:53 ` Bill Davidsen
2004-08-05 18:46 ` Bill Davidsen
2004-08-05 19:35 ` Jens Axboe
2004-08-05 21:02 ` Alan Cox
2004-08-06 5:42 ` Jens Axboe
2004-08-03 15:28 ` Doug Maxey
2004-08-03 17:28 ` Alan Cox
2004-08-09 20:24 ` Bill Davidsen
2004-08-02 16:41 ` Bill Davidsen
2004-08-03 15:50 ` Horst von Brand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040805054056.GC10376@suse.de \
--to=axboe@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=zinx@epicsol.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).