Bug#404927: udev believes hardware raid devices are removable and sets the permissions to group floppy

Fri, 29 Dec 2006 02:13:58 -0800 

Package: udev
Version: 0.103-1
Severity: critical
Tags: security
Justification: root security hole


Hi there,

  Just noticed that udev sets the group of the hard disks to 'floppy'
  making them r/w to this group (actually, tiger noticed it):

brw-rw----  1 root floppy 8,  0 Dec 29 11:25 /dev/sda
brw-rw----  1 root floppy 8,  1 Dec 29 11:25 /dev/sda1
brw-rw----  1 root floppy 8,  2 Dec 29 11:25 /dev/sda2
brw-rw----  1 root floppy 8,  5 Dec 29 11:25 /dev/sda5
brw-rw----  1 root floppy 8,  6 Dec 29 11:25 /dev/sda6
brw-rw----  1 root floppy 8, 16 Dec 29 11:25 /dev/sdb
brw-rw----  1 root floppy 8, 17 Dec 29 11:25 /dev/sdb1
brw-rw----  1 root floppy 8, 32 Dec 29 11:25 /dev/sdc
brw-rw----  1 root floppy 8, 33 Dec 29 11:25 /dev/sdc1
brw-rw----  1 root floppy 8, 48 Dec 29 11:25 /dev/sdd
brw-rw----  1 root floppy 8, 49 Dec 29 11:25 /dev/sdd1
brw-rw----  1 root floppy 8, 50 Dec 29 11:25 /dev/sdd2

  The machine has a hardware raid controller:

0000:02:01.0 RAID bus controller: Adaptec AAC-RAID (rev 01)

  udevinfo gives this:

  looking at device '/block/sda':
    KERNEL=="sda"
    SUBSYSTEM=="block"
    DRIVER==""
    ATTR{stat}=="    3560      800   197252    27816     2406     4639    56368 
  392728        0    31056   420544"
    ATTR{size}=="20971776"
    ATTR{removable}=="1"
    ATTR{range}=="16"
    ATTR{dev}=="8:0"

  looking at parent device 
'/devices/pci0000:00/0000:00:1c.0/0000:02:01.0/host0/target0:0:0/0:0:0:0':
    KERNELS=="0:0:0:0"
    SUBSYSTEMS=="scsi"
    DRIVERS=="sd"
    ATTRS{ioerr_cnt}=="0x0"
    ATTRS{iodone_cnt}=="0x1771"
    ATTRS{iorequest_cnt}=="0x1771"
    ATTRS{iocounterbits}=="32"
    ATTRS{timeout}=="30"
    ATTRS{state}=="running"
    ATTRS{rev}=="V1.0"
    ATTRS{model}=="linux           "
    ATTRS{vendor}=="Adaptec "
    ATTRS{scsi_level}=="3"
    ATTRS{type}=="0"
    ATTRS{queue_type}=="ordered"
    ATTRS{queue_depth}=="256"
    ATTRS{device_blocked}=="0"

  looking at parent device 
'/devices/pci0000:00/0000:00:1c.0/0000:02:01.0/host0/target0:0:0':
    KERNELS=="target0:0:0"
    SUBSYSTEMS==""
    DRIVERS==""

  looking at parent device 
'/devices/pci0000:00/0000:00:1c.0/0000:02:01.0/host0':
    KERNELS=="host0"
    SUBSYSTEMS==""
    DRIVERS==""
  looking at parent device '/devices/pci0000:00/0000:00:1c.0/0000:02:01.0':
    KERNELS=="0000:02:01.0"
    SUBSYSTEMS=="pci"
    DRIVERS=="aacraid"
    ATTRS{broken_parity_status}=="0"
    ATTRS{enable}=="1"
    ATTRS{modalias}=="pci:v00009005d00000285sv00009005sd00000290bc01sc04i00"
    ATTRS{local_cpus}=="ff"
    ATTRS{irq}=="169"
    ATTRS{class}=="0x010400"
    ATTRS{subsystem_device}=="0x0290"
    ATTRS{subsystem_vendor}=="0x9005"
    ATTRS{device}=="0x0285"
    ATTRS{vendor}=="0x9005"

  looking at parent device '/devices/pci0000:00/0000:00:1c.0':
    KERNELS=="0000:00:1c.0"
    SUBSYSTEMS=="pci"
    DRIVERS==""
    ATTRS{broken_parity_status}=="0"
    ATTRS{enable}=="1"
    ATTRS{modalias}=="pci:v00008086d000025AEsv00000000sd00000000bc06sc04i00"
    ATTRS{local_cpus}=="ff"
    ATTRS{irq}=="0"
    ATTRS{class}=="0x060400"
    ATTRS{subsystem_device}=="0x0000"
    ATTRS{subsystem_vendor}=="0x0000"
    ATTRS{device}=="0x25ae"
    ATTRS{vendor}=="0x8086"

  looking at parent device '/devices/pci0000:00':
    KERNELS=="pci0000:00"
    SUBSYSTEMS==""
    DRIVERS==""

  Notice the 'aacraid' and 'adaptec' values that identify the hardware
  raid controller and the 'removable flag. I believe that this is not
  a misconfiguration of me and I don't have access to another machine
  with a hardware raid controller to test it there.

  I've classified this as a serious security hole, since the first user
  that is created when installing debian is in group 'floopy' and thus
  he may get superuser privileges in many ways and cause total data
  loss.

  Thanks in advance...

-- Package-specific info:
-- /etc/udev/rules.d/:
/etc/udev/rules.d/:
total 4
lrwxrwxrwx  1 root root  20 2006-02-03 14:43 020_permissions.rules -> 
../permissions.rules
lrwxrwxrwx  1 root root  13 2006-02-03 14:43 udev.rules -> ../udev.rules
lrwxrwxrwx  1 root root  25 2006-04-16 12:47 z20_persistent-input.rules -> 
../persistent-input.rules
lrwxrwxrwx  1 root root  19 2006-02-03 14:43 z20_persistent.rules -> 
../persistent.rules
-rw-r--r--  1 root root 605 2006-09-20 20:36 z25_persistent-net.rules
lrwxrwxrwx  1 root root  33 2006-05-28 15:54 z45_persistent-net-generator.rules 
-> ../persistent-net-generator.rules
lrwxrwxrwx  1 root root  12 2006-02-03 14:43 z50_run.rules -> ../run.rules
lrwxrwxrwx  1 root root  16 2006-02-03 14:43 z55_hotplug.rules -> 
../hotplug.rules
lrwxrwxrwx  1 root root  29 2006-09-20 20:36 z75_cd-aliases-generator.rules -> 
../cd-aliases-generator.rules

-- /sys/:
/sys/block/ram0/dev
/sys/block/ram10/dev
/sys/block/ram11/dev
/sys/block/ram12/dev
/sys/block/ram13/dev
/sys/block/ram14/dev
/sys/block/ram15/dev
/sys/block/ram1/dev
/sys/block/ram2/dev
/sys/block/ram3/dev
/sys/block/ram4/dev
/sys/block/ram5/dev
/sys/block/ram6/dev
/sys/block/ram7/dev
/sys/block/ram8/dev
/sys/block/ram9/dev
/sys/block/sda/dev
/sys/block/sda/sda1/dev
/sys/block/sda/sda2/dev
/sys/block/sda/sda5/dev
/sys/block/sda/sda6/dev
/sys/block/sdb/dev
/sys/block/sdb/sdb1/dev
/sys/block/sdc/dev
/sys/block/sdc/sdc1/dev
/sys/block/sdd/dev
/sys/block/sdd/sdd1/dev
/sys/block/sdd/sdd2/dev
/sys/class/graphics/fb0/dev
/sys/class/i2c-dev/i2c-0/dev
/sys/class/input/input0/event0/dev
/sys/class/input/input1/event1/dev
/sys/class/input/input2/event2/dev
/sys/class/input/input2/mouse0/dev
/sys/class/input/input2/ts0/dev
/sys/class/input/mice/dev
/sys/class/misc/hpet/dev
/sys/class/misc/psaux/dev
/sys/class/misc/snapshot/dev
/sys/class/misc/watchdog/dev
/sys/class/usb_device/usbdev1.1/dev
/sys/class/usb_device/usbdev2.1/dev
/sys/class/usb_device/usbdev3.1/dev
/sys/devices/pci0000:00/0000:00:1d.0/usb2/2-0:1.0/usbdev2.1_ep81/dev
/sys/devices/pci0000:00/0000:00:1d.0/usb2/usbdev2.1_ep00/dev
/sys/devices/pci0000:00/0000:00:1d.1/usb3/3-0:1.0/usbdev3.1_ep81/dev
/sys/devices/pci0000:00/0000:00:1d.1/usb3/usbdev3.1_ep00/dev
/sys/devices/pci0000:00/0000:00:1d.7/usb1/1-0:1.0/usbdev1.1_ep81/dev
/sys/devices/pci0000:00/0000:00:1d.7/usb1/usbdev1.1_ep00/dev

-- Kernel configuration:


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages udev depends on:
ii  debconf [debconf-2.0]        1.4.30.13   Debian configuration management sy
ii  libc6                        2.3.6.ds1-8 GNU C Library: Shared libraries
ii  libselinux1                  1.32-3      SELinux shared libraries
ii  libvolume-id0                0.103-1     libvolume_id shared library
ii  lsb-base                     3.1-22      Linux Standard Base 3.1 init scrip

-- debconf information:
  udev/new_kernel_needed: false
  udev/reboot_needed:


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to