Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.os.linux.security > #135 > unrolled thread
| Started by | Mike Scott <usenet.14@scottsonline.org.uk.invalid> |
|---|---|
| First post | 2012-08-11 08:44 +0100 |
| Last post | 2012-08-11 15:23 -0400 |
| Articles | 6 — 3 participants |
Back to article view | Back to comp.os.linux.security
sg (scsi) device permissions not effective Mike Scott <usenet.14@scottsonline.org.uk.invalid> - 2012-08-11 08:44 +0100
Re: sg (scsi) device permissions not effective Robert Nichols <SEE_SIGNATURE@localhost.localdomain.invalid> - 2012-08-11 12:14 -0500
Re: sg (scsi) device permissions not effective Mike Scott <usenet.14@scottsonline.org.uk.invalid> - 2012-08-11 20:46 +0100
Re: sg (scsi) device permissions not effective "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2012-08-11 22:37 -0400
Re: sg (scsi) device permissions not effective Mike Scott <usenet.14@scottsonline.org.uk.invalid> - 2012-08-13 10:13 +0100
Re: sg (scsi) device permissions not effective "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2012-08-11 15:23 -0400
| From | Mike Scott <usenet.14@scottsonline.org.uk.invalid> |
|---|---|
| Date | 2012-08-11 08:44 +0100 |
| Subject | sg (scsi) device permissions not effective |
| Message-ID | <k052g4$lkg$1@dont-email.me> |
This is all on a mint maya 64-bit system. I'm not sure whether I've hit
a genuine security problem, or whether I've missed something obvious.
I've a pair of scanners on my system, connected to a scsi interface.
Owing to an error in the udev rules, I've had the ownership of the sg
interfaces set to root, group root, with permissions 0660:
mike@spock:~$ ls -l /dev/sg2
crw-rw----+ 1 root root 21, 2 Aug 11 08:42 /dev/sg2
My understanding is that this ought to stop 'others' from accessing the
device. Yet I've been happily running sane:
mike@spock:~$ scanimage -depson2:/dev/sg2 >/dev/null
mike@spock:~$
On investigation, it appears that it's possible for a non-root user to
do an open() on these sg devices: the code fragment
char *dev = "/dev/sg2";
int q = open(dev, O_RDWR);
printf(" open return = %d\n", q);
returns a good file descriptor.
Furthermore, it's clearly also possible to then execute ioctl() on that
descriptor, which is enough for sane to use the scanner - I've run
scanimage under strace to check on this.
(As a check, if I create a root-owned ordinary /file/ with the same 660
permissions and run the same test program, it fails as expected with a
permissions error.)
Has anyone else noticed anything similar please? Or can anyaone
reproduce the problem?
(For completeness:
mike@spock:~$ groups
staff adm dialout fax cdrom floppy tape sudo audio dip video plugdev
fuse scanner lpadmin netdev saned powerdev
Note the sg devices are /not/ group 'scanner' as they really should have
been)
(Apologies if this isn't a suitable forum for this)
--
Mike Scott (unet2 <at> [deletethis] scottsonline.org.uk)
Harlow Essex England
[toc] | [next] | [standalone]
| From | Robert Nichols <SEE_SIGNATURE@localhost.localdomain.invalid> |
|---|---|
| Date | 2012-08-11 12:14 -0500 |
| Message-ID | <k063st$bs4$1@omega-3a.local> |
| In reply to | #135 |
On 08/11/2012 02:44 AM, Mike Scott wrote:
> I've a pair of scanners on my system, connected to a scsi interface.
> Owing to an error in the udev rules, I've had the ownership of the sg
> interfaces set to root, group root, with permissions 0660:
>
> mike@spock:~$ ls -l /dev/sg2
> crw-rw----+ 1 root root 21, 2 Aug 11 08:42 /dev/sg2
>
> My understanding is that this ought to stop 'others' from accessing the
> device. Yet I've been happily running sane:
> mike@spock:~$ scanimage -depson2:/dev/sg2>/dev/null
> mike@spock:~$
>
>
> On investigation, it appears that it's possible for a non-root user to
> do an open() on these sg devices: the code fragment
>
> char *dev = "/dev/sg2";
> int q = open(dev, O_RDWR);
> printf(" open return = %d\n", q);
>
> returns a good file descriptor.
What access permissions does "getfacl /dev/sg2" report?
--
Bob Nichols AT comcast.net I am "RNichols42"
[toc] | [prev] | [next] | [standalone]
| From | Mike Scott <usenet.14@scottsonline.org.uk.invalid> |
|---|---|
| Date | 2012-08-11 20:46 +0100 |
| Message-ID | <k06cqh$aep$1@dont-email.me> |
| In reply to | #136 |
On 11/08/12 18:14, Robert Nichols wrote:
> On 08/11/2012 02:44 AM, Mike Scott wrote:
>> I've a pair of scanners on my system, connected to a scsi interface.
>> Owing to an error in the udev rules, I've had the ownership of the sg
>> interfaces set to root, group root, with permissions 0660:
>>
>> mike@spock:~$ ls -l /dev/sg2
>> crw-rw----+ 1 root root 21, 2 Aug 11 08:42 /dev/sg2
>>
>> My understanding is that this ought to stop 'others' from accessing the
>> device. Yet I've been happily running sane:
>> mike@spock:~$ scanimage -depson2:/dev/sg2>/dev/null
>> mike@spock:~$
>>
>>
>> On investigation, it appears that it's possible for a non-root user to
>> do an open() on these sg devices: the code fragment
>>
>> char *dev = "/dev/sg2";
>> int q = open(dev, O_RDWR);
>> printf(" open return = %d\n", q);
>>
>> returns a good file descriptor.
>
> What access permissions does "getfacl /dev/sg2" report?
>
Thanks for replying.
I get:
mike@spock:~$ getfacl /dev/sg2
getfacl: Removing leading '/' from absolute path names
# file: dev/sg2
# owner: root
# group: root
user::rw-
user:mike:rw- <<<< ????
group::---
group:scanner:rw-
mask::rw-
other::---
Which on the face of it might start to explain things.
But I've just created a 'test' account with no privileges at all; that
works fine as well. I ran the following while my own 'mike' account was
still logged in after getting the above:
test@spock ~ $ getfacl /dev/sg2
getfacl: Removing leading '/' from absolute path names
# file: dev/sg2
# owner: root
# group: root
user::rw-
user:test:rw- <<<< ????
group::---
group:scanner:rw-
mask::rw-
other::---
test@spock ~ $ scanimage -d epson2:/dev/sg2 >/dev/null
test@spock ~ $ ls -l /dev/sg2
crw-rw----+ 1 root root 21, 2 Aug 11 20:13 /dev/sg2
(The scanimage worked fine)
And to confirm:
mike@spock:~$ grep test /etc/group
test:x:1003:
I can explain the 'scanner' group acl entries: checking the libsane udev
rules, I have found an entry
ENV{libsane_matched}=="yes", RUN+="/bin/setfacl -m g:scanner:rw
$env{DEVNAME}"
tucked right at the end (which I'd missed).
But how can my user 'test' - not in the scanner group - use the scanner?
And where could the acl entries like
user:test:rw-
have come from?
--
Mike Scott (unet2 <at> [deletethis] scottsonline.org.uk)
Harlow Essex England
[toc] | [prev] | [next] | [standalone]
| From | "David W. Hodgins" <dwhodgins@nomail.afraid.org> |
|---|---|
| Date | 2012-08-11 22:37 -0400 |
| Message-ID | <op.wiwpjycfa3w0dxdave@hodgins.homeip.net> |
| In reply to | #138 |
On Sat, 11 Aug 2012 15:46:24 -0400, Mike Scott <usenet.14@scottsonline.org.uk.invalid> wrote: > But I've just created a 'test' account with no privileges at all; that > works fine as well. I ran the following while my own 'mike' account was > still logged in after getting the above: > > test@spock ~ $ getfacl /dev/sg2 > getfacl: Removing leading '/' from absolute path names > # file: dev/sg2 > # owner: root > # group: root > user::rw- > user:test:rw- <<<< ???? > group::--- > group:scanner:rw- > mask::rw- > other::--- > But how can my user 'test' - not in the scanner group - use the scanner? > And where could the acl entries like > user:test:rw- > have come from? Most likely console-kit-daemon. See http://www.linuxfromscratch.org/blfs/view/cvs/postlfs/consolekit.html Regards, Dave Hodgins -- Change nomail.afraid.org to ody.ca to reply by email. (nomail.afraid.org has been set up specifically for use in usenet. Feel free to use it yourself.)
[toc] | [prev] | [next] | [standalone]
| From | Mike Scott <usenet.14@scottsonline.org.uk.invalid> |
|---|---|
| Date | 2012-08-13 10:13 +0100 |
| Message-ID | <k0agge$q2a$1@dont-email.me> |
| In reply to | #139 |
On 12/08/12 03:37, David W. Hodgins wrote: > On Sat, 11 Aug 2012 15:46:24 -0400, Mike Scott > <usenet.14@scottsonline.org.uk.invalid> wrote: > >> But I've just created a 'test' account with no privileges at all; that >> works fine as well. I ran the following while my own 'mike' account was >> still logged in after getting the above: >> >> test@spock ~ $ getfacl /dev/sg2 >> getfacl: Removing leading '/' from absolute path names >> # file: dev/sg2 >> # owner: root >> # group: root >> user::rw- >> user:test:rw- <<<< ???? >> group::--- >> group:scanner:rw- >> mask::rw- >> other::--- >> But how can my user 'test' - not in the scanner group - use the scanner? >> And where could the acl entries like >> user:test:rw- >> have come from? > > Most likely console-kit-daemon. See > http://www.linuxfromscratch.org/blfs/view/cvs/postlfs/consolekit.html > > Regards, Dave Hodgins > Hmmm. That does seem to be installed (obviously a Mint default; I've not touched this area at all. Looks as though the default setup provides a minor security loophole. Not nice.) No documentation or config stuff that I can find though. (BTW I think you've replied again to my original post, although I think the material's been covered in this subthread already) Thanks for the help advice. -- Mike Scott (unet2 <at> [deletethis] scottsonline.org.uk) Harlow Essex England
[toc] | [prev] | [next] | [standalone]
| From | "David W. Hodgins" <dwhodgins@nomail.afraid.org> |
|---|---|
| Date | 2012-08-11 15:23 -0400 |
| Message-ID | <op.wiv5g2jpa3w0dxdave@hodgins.homeip.net> |
| In reply to | #135 |
On Sat, 11 Aug 2012 03:44:04 -0400, Mike Scott <usenet.14@scottsonline.org.uk.invalid> wrote: > This is all on a mint maya 64-bit system. I'm not sure whether I've hit > a genuine security problem, or whether I've missed something obvious. > > I've a pair of scanners on my system, connected to a scsi interface. > Owing to an error in the udev rules, I've had the ownership of the sg > interfaces set to root, group root, with permissions 0660: > > mike@spock:~$ ls -l /dev/sg2 > crw-rw----+ 1 root root 21, 2 Aug 11 08:42 /dev/sg2 > > My understanding is that this ought to stop 'others' from accessing the > device. Yet I've been happily running sane: > mike@spock:~$ scanimage -depson2:/dev/sg2 >/dev/null > mike@spock:~$ What's the output of "getfacl /dev/sg2"? Regards, Dave Hodgins -- Change nomail.afraid.org to ody.ca to reply by email. (nomail.afraid.org has been set up specifically for use in usenet. Feel free to use it yourself.)
[toc] | [prev] | [standalone]
Back to top | Article view | comp.os.linux.security
csiph-web