Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.os.linux.security > #135 > unrolled thread

sg (scsi) device permissions not effective

Started byMike Scott <usenet.14@scottsonline.org.uk.invalid>
First post2012-08-11 08:44 +0100
Last post2012-08-11 15:23 -0400
Articles 6 — 3 participants

Back to article view | Back to comp.os.linux.security


Contents

  sg (scsi) device permissions not effective Mike Scott <usenet.14@scottsonline.org.uk.invalid> - 2012-08-11 08:44 +0100
    Re: sg (scsi) device permissions not effective Robert Nichols <SEE_SIGNATURE@localhost.localdomain.invalid> - 2012-08-11 12:14 -0500
      Re: sg (scsi) device permissions not effective Mike Scott <usenet.14@scottsonline.org.uk.invalid> - 2012-08-11 20:46 +0100
        Re: sg (scsi) device permissions not effective "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2012-08-11 22:37 -0400
          Re: sg (scsi) device permissions not effective Mike Scott <usenet.14@scottsonline.org.uk.invalid> - 2012-08-13 10:13 +0100
    Re: sg (scsi) device permissions not effective "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2012-08-11 15:23 -0400

#135 — sg (scsi) device permissions not effective

FromMike Scott <usenet.14@scottsonline.org.uk.invalid>
Date2012-08-11 08:44 +0100
Subjectsg (scsi) device permissions not effective
Message-ID<k052g4$lkg$1@dont-email.me>
This is all on a mint maya 64-bit system. I'm not sure whether I've hit
a genuine security problem, or whether I've missed something obvious.

I've a pair of scanners on my system, connected to a scsi interface.
Owing to an error in the udev rules, I've had the ownership of the sg
interfaces set to root, group root, with permissions 0660:

mike@spock:~$ ls -l /dev/sg2
crw-rw----+ 1 root root 21, 2 Aug 11 08:42 /dev/sg2

My understanding is that this ought to stop 'others' from accessing the
device. Yet I've been happily running sane:
mike@spock:~$ scanimage -depson2:/dev/sg2 >/dev/null
mike@spock:~$


On investigation, it appears that it's possible for a non-root user to
do an open() on these sg devices: the code fragment

char *dev = "/dev/sg2";
int q = open(dev, O_RDWR);
printf(" open return = %d\n", q);

returns a good file descriptor.

Furthermore, it's clearly also possible to then execute ioctl() on that
descriptor, which is enough for sane to use the scanner - I've run
scanimage under strace to check on this.

(As a check, if I create a root-owned ordinary /file/ with the same 660
permissions and run the same test program, it fails as expected with a
permissions error.)


Has anyone else noticed anything similar please? Or can anyaone
reproduce the problem?

(For completeness:
mike@spock:~$ groups
staff adm dialout fax cdrom floppy tape sudo audio dip video plugdev
fuse scanner lpadmin netdev saned powerdev
Note the sg devices are /not/ group 'scanner' as they really should have
been)


(Apologies if this isn't a suitable forum for this)


-- 
Mike Scott (unet2 <at> [deletethis] scottsonline.org.uk)
Harlow Essex England

[toc] | [next] | [standalone]


#136

FromRobert Nichols <SEE_SIGNATURE@localhost.localdomain.invalid>
Date2012-08-11 12:14 -0500
Message-ID<k063st$bs4$1@omega-3a.local>
In reply to#135
On 08/11/2012 02:44 AM, Mike Scott wrote:
> I've a pair of scanners on my system, connected to a scsi interface.
> Owing to an error in the udev rules, I've had the ownership of the sg
> interfaces set to root, group root, with permissions 0660:
>
> mike@spock:~$ ls -l /dev/sg2
> crw-rw----+ 1 root root 21, 2 Aug 11 08:42 /dev/sg2
>
> My understanding is that this ought to stop 'others' from accessing the
> device. Yet I've been happily running sane:
> mike@spock:~$ scanimage -depson2:/dev/sg2>/dev/null
> mike@spock:~$
>
>
> On investigation, it appears that it's possible for a non-root user to
> do an open() on these sg devices: the code fragment
>
> char *dev = "/dev/sg2";
> int q = open(dev, O_RDWR);
> printf(" open return = %d\n", q);
>
> returns a good file descriptor.

What access permissions does "getfacl /dev/sg2" report?

-- 
Bob Nichols         AT comcast.net I am "RNichols42"

[toc] | [prev] | [next] | [standalone]


#138

FromMike Scott <usenet.14@scottsonline.org.uk.invalid>
Date2012-08-11 20:46 +0100
Message-ID<k06cqh$aep$1@dont-email.me>
In reply to#136
On 11/08/12 18:14, Robert Nichols wrote:
> On 08/11/2012 02:44 AM, Mike Scott wrote:
>> I've a pair of scanners on my system, connected to a scsi interface.
>> Owing to an error in the udev rules, I've had the ownership of the sg
>> interfaces set to root, group root, with permissions 0660:
>>
>> mike@spock:~$ ls -l /dev/sg2
>> crw-rw----+ 1 root root 21, 2 Aug 11 08:42 /dev/sg2
>>
>> My understanding is that this ought to stop 'others' from accessing the
>> device. Yet I've been happily running sane:
>> mike@spock:~$ scanimage -depson2:/dev/sg2>/dev/null
>> mike@spock:~$
>>
>>
>> On investigation, it appears that it's possible for a non-root user to
>> do an open() on these sg devices: the code fragment
>>
>> char *dev = "/dev/sg2";
>> int q = open(dev, O_RDWR);
>> printf(" open return = %d\n", q);
>>
>> returns a good file descriptor.
> 
> What access permissions does "getfacl /dev/sg2" report?
> 

Thanks for replying.

I get:

mike@spock:~$ getfacl /dev/sg2
getfacl: Removing leading '/' from absolute path names
# file: dev/sg2
# owner: root
# group: root
user::rw-
user:mike:rw-           <<<< ????
group::---
group:scanner:rw-
mask::rw-
other::---


Which on the face of it might start to explain things.

But I've just created a 'test' account with no privileges at all; that
works fine as well. I ran the following while my own 'mike' account was
still logged in after getting the above:

test@spock ~ $ getfacl /dev/sg2
getfacl: Removing leading '/' from absolute path names
# file: dev/sg2
# owner: root
# group: root
user::rw-
user:test:rw-            <<<< ????
group::---
group:scanner:rw-
mask::rw-
other::---

test@spock ~ $ scanimage -d epson2:/dev/sg2 >/dev/null
test@spock ~ $ ls -l /dev/sg2
crw-rw----+ 1 root root 21, 2 Aug 11 20:13 /dev/sg2

(The scanimage worked fine)


And to confirm:
mike@spock:~$ grep test /etc/group
test:x:1003:

I can explain the 'scanner' group acl entries: checking the libsane udev
rules, I have found an entry

ENV{libsane_matched}=="yes", RUN+="/bin/setfacl -m g:scanner:rw
$env{DEVNAME}"

tucked right at the end (which I'd missed).

But how can my user 'test' - not in the scanner group - use the scanner?
And where could the acl entries like

user:test:rw-

have come from?



-- 
Mike Scott (unet2 <at> [deletethis] scottsonline.org.uk)
Harlow Essex England

[toc] | [prev] | [next] | [standalone]


#139

From"David W. Hodgins" <dwhodgins@nomail.afraid.org>
Date2012-08-11 22:37 -0400
Message-ID<op.wiwpjycfa3w0dxdave@hodgins.homeip.net>
In reply to#138
On Sat, 11 Aug 2012 15:46:24 -0400, Mike Scott <usenet.14@scottsonline.org.uk.invalid> wrote:

> But I've just created a 'test' account with no privileges at all; that
> works fine as well. I ran the following while my own 'mike' account was
> still logged in after getting the above:
>
> test@spock ~ $ getfacl /dev/sg2
> getfacl: Removing leading '/' from absolute path names
> # file: dev/sg2
> # owner: root
> # group: root
> user::rw-
> user:test:rw-            <<<< ????
> group::---
> group:scanner:rw-
> mask::rw-
> other::---
> But how can my user 'test' - not in the scanner group - use the scanner?
> And where could the acl entries like
> user:test:rw-
> have come from?

Most likely console-kit-daemon. See
http://www.linuxfromscratch.org/blfs/view/cvs/postlfs/consolekit.html

Regards, Dave Hodgins

-- 
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

[toc] | [prev] | [next] | [standalone]


#140

FromMike Scott <usenet.14@scottsonline.org.uk.invalid>
Date2012-08-13 10:13 +0100
Message-ID<k0agge$q2a$1@dont-email.me>
In reply to#139
On 12/08/12 03:37, David W. Hodgins wrote:
> On Sat, 11 Aug 2012 15:46:24 -0400, Mike Scott
> <usenet.14@scottsonline.org.uk.invalid> wrote:
> 
>> But I've just created a 'test' account with no privileges at all; that
>> works fine as well. I ran the following while my own 'mike' account was
>> still logged in after getting the above:
>>
>> test@spock ~ $ getfacl /dev/sg2
>> getfacl: Removing leading '/' from absolute path names
>> # file: dev/sg2
>> # owner: root
>> # group: root
>> user::rw-
>> user:test:rw-            <<<< ????
>> group::---
>> group:scanner:rw-
>> mask::rw-
>> other::---
>> But how can my user 'test' - not in the scanner group - use the scanner?
>> And where could the acl entries like
>> user:test:rw-
>> have come from?
> 
> Most likely console-kit-daemon. See
> http://www.linuxfromscratch.org/blfs/view/cvs/postlfs/consolekit.html
> 
> Regards, Dave Hodgins
> 

Hmmm. That does seem to be installed (obviously a Mint default; I've not
touched this area at all. Looks as though the default setup provides a
minor security loophole. Not nice.) No documentation or config stuff
that I can find though.


(BTW I think you've replied again to my original post, although I think
the material's been covered in  this subthread already)


Thanks for the help advice.





-- 
Mike Scott (unet2 <at> [deletethis] scottsonline.org.uk)
Harlow Essex England

[toc] | [prev] | [next] | [standalone]


#137

From"David W. Hodgins" <dwhodgins@nomail.afraid.org>
Date2012-08-11 15:23 -0400
Message-ID<op.wiv5g2jpa3w0dxdave@hodgins.homeip.net>
In reply to#135
On Sat, 11 Aug 2012 03:44:04 -0400, Mike Scott <usenet.14@scottsonline.org.uk.invalid> wrote:

> This is all on a mint maya 64-bit system. I'm not sure whether I've hit
> a genuine security problem, or whether I've missed something obvious.
>
> I've a pair of scanners on my system, connected to a scsi interface.
> Owing to an error in the udev rules, I've had the ownership of the sg
> interfaces set to root, group root, with permissions 0660:
>
> mike@spock:~$ ls -l /dev/sg2
> crw-rw----+ 1 root root 21, 2 Aug 11 08:42 /dev/sg2
>
> My understanding is that this ought to stop 'others' from accessing the
> device. Yet I've been happily running sane:
> mike@spock:~$ scanimage -depson2:/dev/sg2 >/dev/null
> mike@spock:~$

What's the output of "getfacl /dev/sg2"?

Regards, Dave Hodgins

-- 
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

[toc] | [prev] | [standalone]


Back to top | Article view | comp.os.linux.security


csiph-web