* Re: Bug#274860: Acknowledgement (kernel-image-2.6.8-1-686: CDROM_SEND_PACKET ioctls only work as root)
From: Luke Kenneth Casson Leighton @ 2004-10-04 13:53 UTC
To: 274860; +Cc: linux-kernel, 274867

found it.

it's a new piece of kernel code verify_command in
drivers/block/scsi_ioctl.c, which checks for the capability
CAP_SYS_RAWIO.

ah, dammit.

for k3b to work, you'd have to install it setuid root, call
getcap(), remove all but the necessary capabilities (i.e. don't
remove CAP_SYS_RAWIO), do a setfsuid() and setfsgid() and do
a setcap().

fuse (file system in userspace) uses this technique for
allowing mount and unmount but nothing else [which doesn't work
on 2.6.8 btw: the getcap() fails, but i did notice that debian
doesn't install fusermount as setuid to root which is half the
problem...]

l.

On Mon, Oct 04, 2004 at 02:10:14PM +0100, Luke Kenneth Casson Leighton wrote:
> additional info:
>
> kernel 2.6.8. ioctl ("/dev/hdc", CDROM_SEND_PACKET, cmd)
>
> commands that are failing as non-root, even when permission is granted
> rwxrwxrwx to /dev/hdc, are, according to some debug info added to k3b:
>
>   GET CONFIGURATION (46)
>     error code: 0
>     sense key: NO SENSE (2)
>     asc: 0
>     ascq: 0
>
> and:
>
>   MODE SELECT (55)
>     error code: 0
>     sense key: NO SENSE (2)
>     asc: 0
>     ascq: 0
>
> the result is that k3b cannot determine that the drive exists, therefore
> it cannot use it even though cdrecord might actually work.
>
>
> as root, the following errors occur:
>
>   MODE SELECT (46)
>     errorcode: 70
>     sense key: ILLEGAL REQUEST (5)
>     asc: 26
>     ascq: 0
>
>   READ DVD STRUCTURE (ad)
>     errorcode: 70
>     sense key: NOT READY (2)
>     asc: 3a
>     ascq: 0
>
> presumably it can be concluded that the GET CONFIGURATION ioctl command
> is the one at fault.
>
> ... what gives?
>
> l.

--
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net"> lkcl.net </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />

* Re: Bug#274860: Acknowledgement (kernel-image-2.6.8-1-686: CDROM_SEND_PACKET ioctls only work as root)
From: Jens Axboe @ 2004-10-04 14:01 UTC
To: Luke Kenneth Casson Leighton; +Cc: linux-kernel

On Mon, Oct 04 2004, Luke Kenneth Casson Leighton wrote:
> found it.
>
> it's a new piece of kernel code verify_command in
> drivers/block/scsi_ioctl.c, which checks for the capability
> CAP_SYS_RAWIO.
>
> ah, dammit.
>
> for k3b to work, you'd have to install it setuid root, call
> getcap(), remove all but the necessary capabilities (i.e. don't
> remove CAP_SYS_RAWIO), do a setfsuid() and setfsgid() and do
> a setcap().

it works in 2.6.9-rcX.

--
Jens Axboe

* Re: Bug#274860: Acknowledgement (kernel-image-2.6.8-1-686: CDROM_SEND_PACKET ioctls only work as root)
From: K.R. Foley @ 2004-10-04 14:16 UTC
To: Jens Axboe; +Cc: Luke Kenneth Casson Leighton, linux-kernel

Jens Axboe wrote:
> On Mon, Oct 04 2004, Luke Kenneth Casson Leighton wrote:
>
>>found it.
>>
>>it's a new piece of kernel code verify_command in
>>drivers/block/scsi_ioctl.c, which checks for the capability
>>CAP_SYS_RAWIO.
>>
>>ah, dammit.
>>
>>for k3b to work, you'd have to install it setuid root, call
>>getcap(), remove all but the necessary capabilities (i.e. don't
>>remove CAP_SYS_RAWIO), do a setfsuid() and setfsgid() and do
>>a setcap().
>
>
> it works in 2.6.9-rcX.
>

I don't know for sure if this is related or not, but it sure sounds like
it. I have noticed the following in at least the last few versions (I
believe 2.6.9-rc2 also):

Even though CONFIG_SECURITY_CAPABILITIES can be configured as a module,
if I don't compile it into the kernel getcap and setcap fail.

kr

* Re: Bug#274860: Acknowledgement (kernel-image-2.6.8-1-686: CDROM_SEND_PACKET ioctls only work as root)
From: Luke Kenneth Casson Leighton @ 2004-10-04 14:25 UTC
To: Jens Axboe; +Cc: linux-kernel

On Mon, Oct 04, 2004 at 04:01:46PM +0200, Jens Axboe wrote:
> On Mon, Oct 04 2004, Luke Kenneth Casson Leighton wrote:
> > found it.
> >
> > it's a new piece of kernel code verify_command in
> > drivers/block/scsi_ioctl.c, which checks for the capability
> > CAP_SYS_RAWIO.
> >
> > ah, dammit.
> >
> > for k3b to work, you'd have to install it setuid root, call
> > getcap(), remove all but the necessary capabilities (i.e. don't
> > remove CAP_SYS_RAWIO), do a setfsuid() and setfsgid() and do
> > a setcap().
>
> it works in 2.6.9-rcX.

okay so someone has added the GET_CAPABILITY to verify_command in
scsi_block.c there, yes?

* Re: Bug#274860: Acknowledgement (kernel-image-2.6.8-1-686: CDROM_SEND_PACKET ioctls only work as root)
From: Jens Axboe @ 2004-10-04 14:19 UTC
To: Luke Kenneth Casson Leighton; +Cc: linux-kernel

On Mon, Oct 04 2004, Luke Kenneth Casson Leighton wrote:
> On Mon, Oct 04, 2004 at 04:01:46PM +0200, Jens Axboe wrote:
> > On Mon, Oct 04 2004, Luke Kenneth Casson Leighton wrote:
> > > found it.
> > >
> > > it's a new piece of kernel code verify_command in
> > > drivers/block/scsi_ioctl.c, which checks for the capability
> > > CAP_SYS_RAWIO.
> > >
> > > ah, dammit.
> > >
> > > for k3b to work, you'd have to install it setuid root, call
> > > getcap(), remove all but the necessary capabilities (i.e. don't
> > > remove CAP_SYS_RAWIO), do a setfsuid() and setfsgid() and do
> > > a setcap().
> >
> > it works in 2.6.9-rcX.
>
> okay so someone has added the GET_CAPABILITY to verify_command in
> scsi_block.c there, yes?

GET_CONFIGURATION, yes. There have been a number of additions since
2.6.8.

--
Jens Axboe