Re: cdrecord local root exploit

[Dr Andrew C Aitchison <A.C.Aitchison () dpmms cam ac uk>]

On Thu, 16 Sep 2004, Jason T. Miller wrote:

> I presume at least some supported OSes provide the ability to assign
> permissions to SCSI passthrough on a per-SCSI device basis, so his
> statement to
>
>   Never  give  write  permissions  for  non  root  users to the
>   /dev/scg? devices unless you would allow anybody to  read/write/format
>   all your disks.
>
> is a bit misleading. It's certainly true if you interpret /dev/scg? as a
> shell wildcard, but why can't I give permissions for non-root users to the
> writable optical devices only, instead of "all [my] disks"?

At this point trusting the kernel to enforce different permissions
on different scsi devices is probably better than trusting cdrecord,
but your suggestion is (only) as good as the kernel's ability to
sanitize scsi requests. If I can send a SCSI request down the SCSI
bus I have the opportunity to exploit any hole in that subsystem.
I belive at one time the kernel wasn't trusted to stop a malicious
user from generating a SCSI request which was received by a different
device than the one the kernel was told was the target.
Since most CD writers are ide-scsi, the scsi permissions enforcer
needs to sanitize requests as they will appear once translated into IDE 
requests, making the problem harder still.

As I say this may well be less of a problem than trusting cdrecord,
but if I were the author of cdrecord but not the kernel I wouldn't
guarantee the safety of the kernel on this (although I might not
declare it unsafe).

-- 
Dr. Andrew C. Aitchison         Computer Officer, DPMMS, Cambridge
A.C.Aitchison () dpmms cam ac uk        http://www.dpmms.cam.ac.uk/~werdna