[Bug 277228] Device permissions security hole with partitioning (/dev/geom.ctl)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277228 Warner Losh changed: What|Removed |Added CC||i...@freebsd.org --- Comment #2 from Warner Losh --- On phk's message: i think devfs likely is better... otherwise there are races. But there is no position data for devfs.. I'd just change the modes on geom.ctl to 600. Ownership is long gone by the time we get the message in geom. The only way to grant fine grained control i think is with a daemon to proxie things. Operator can get what it needs without read access to this file... and we should change the open to requiring write perms but that's an incompatible change.. Operator is a super powerful club. Granting it means bad things can happen.. -- You are receiving this mail because: You are the assignee for the bug.
Problem reports for g...@freebsd.org that need special attention
To view an individual PR, use: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id). The following is a listing of current problems submitted by FreeBSD users, which need special attention. These represent problem reports covering all versions including experimental development code and obsolete releases. Status |Bug Id | Description +---+--- Open|263853 | geom(4): raid/md_jmicron.c: jmicron RAID taste co 1 problems total for which you should take action.
[Bug 277228] Device permissions security hole with partitioning (/dev/geom.ctl)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277228 Kyle Evans changed: What|Removed |Added CC||kev...@freebsd.org --- Comment #3 from Kyle Evans --- The problem is one of the examples given: they can strip it easily enough today, but they want to, e.g., be able to allow a user to partition their USB flash drive but not internal media. Ultimately it'd be kind of nice if gpart checked permissions on devfs nodes for the disks or something to that effect to allow finer access control, but that would seem to get hairy quickly. -- You are receiving this mail because: You are the assignee for the bug.
[Bug 277228] Device permissions security hole with partitioning (/dev/geom.ctl)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277228 --- Comment #4 from Warner Losh --- (In reply to Kyle Evans from comment #3) There's no API for cdevs to get their owners, nor is there any process associated with the request by the time we get into the geom nodes that are fielding the verbs. So it's quite difficult to apply security checks that deeply down in the stack since there's no process context associated with the request. One could do ad-hoc things at that level, but no other drivers do that sort of thing. Once you are past the 'open' check, there's very little else. One could add checks at the ioctl, but you don't know what node(s) the command affects there (without putting all the knowledge of the lower layers into the ioctl). What's unclear to me, though I think it would work, would just be to remove any permission for operator for /dev/geom.ctl (that is make it 0600 permission) I don't think there's anything that operator needs to do its mandate (such as it still is) that it can't get from other sources. Operator already can read all the data in your system, though, so there's already a fair amount of trust in operator. -- You are receiving this mail because: You are the assignee for the bug.
[Bug 277228] Device permissions security hole with partitioning (/dev/geom.ctl)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277228 --- Comment #5 from Vincent Stemen --- Are there any architectural limitations that would prevent you from making gpart run under setuid or setgid using the same group ID as geom.ctl (something other than operator, so that drives can still belong to operator group for backups. etc), then let gpart check the permissions on the individual devices before allowing you to modify the partition table? It seems that that you could do this with any tool that needs *.ctl permissions. -- You are receiving this mail because: You are the assignee for the bug.
