Bugtraq mailing list archives
Re: cdrecord local root exploit
From: Dr Andrew C Aitchison <A.C.Aitchison () dpmms cam ac uk>
Date: Mon, 27 Sep 2004 08:49:18 +0100 (BST)
On Thu, 16 Sep 2004, Jason T. Miller wrote:
I presume at least some supported OSes provide the ability to assign permissions to SCSI passthrough on a per-SCSI device basis, so his statement to Never give write permissions for non root users to the /dev/scg? devices unless you would allow anybody to read/write/format all your disks. is a bit misleading. It's certainly true if you interpret /dev/scg? as a shell wildcard, but why can't I give permissions for non-root users to the writable optical devices only, instead of "all [my] disks"?
At this point trusting the kernel to enforce different permissions on different scsi devices is probably better than trusting cdrecord, but your suggestion is (only) as good as the kernel's ability to sanitize scsi requests. If I can send a SCSI request down the SCSI bus I have the opportunity to exploit any hole in that subsystem. I belive at one time the kernel wasn't trusted to stop a malicious user from generating a SCSI request which was received by a different device than the one the kernel was told was the target. Since most CD writers are ide-scsi, the scsi permissions enforcer needs to sanitize requests as they will appear once translated into IDE requests, making the problem harder still. As I say this may well be less of a problem than trusting cdrecord, but if I were the author of cdrecord but not the kernel I wouldn't guarantee the safety of the kernel on this (although I might not declare it unsafe). -- Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge A.C.Aitchison () dpmms cam ac uk http://www.dpmms.cam.ac.uk/~werdna
Current thread:
- cdrecord local root exploit newbug Tseng (Sep 10)
- Re: cdrecord local root exploit Sean Davis (Sep 13)
- Message not available
- Re: cdrecord local root exploit Sean Davis (Sep 13)
- Message not available
- Re: cdrecord local root exploit Volker Kuhlmann (Sep 14)
- Re: cdrecord local root exploit Marcus Meissner (Sep 16)
- Re: cdrecord local root exploit Coleman (Sep 16)
- Re: cdrecord local root exploit Jason T. Miller (Sep 16)
- Re: cdrecord local root exploit Dr Andrew C Aitchison (Sep 27)
- Re: cdrecord local root exploit Jason T. Miller (Sep 30)
- Re: cdrecord local root exploit Sean Davis (Sep 13)