Re: Advice packaging jazip (suid!!)
Ben Collins wrote:
> On Mon, Nov 16, 1998 at 04:30:02PM -0500, Peter S Galbraith wrote:
> > If we simply put users in group `disk',
> > this creates a security hole since they will have read-access to raw scsi
> > disks other than the zip and jaz disk.
>
> And having it suid root _doesn't_ give them even more access to read raw
> scsi devices as well as just about anything else on the system? I'm not
> sure about you, but I wouldn't want a fairly newly developed program to be
> suid on my system.
To be fair, jazip has existed (and has been used extensively) for _years_
now, so it's not new (only new to Debian).
> I think group disk was implemented for just this type of situation, and
> would work fine based on your description. Also it would not allow them
> access to disks which aren't jaz since you already said that it implements
> some sort of check for this.
Yes, jazip does check this. But if we add a user to the disk group, that
user gets read access to raw disk devices _outside_ of jazip, right? If we
don't do that, and leave jazip suid root to do its own security, then users
don't need nor do they get read-access to all raw disk devices (from which,
I assume, they could `dd' the contents over to a file and read files they
don't otherwise have access to).
Unless I'm missing something, I think that adding users to group disk is
bad. I think trusting jazip to be secure is a better solution. However,
the most secure thing to do would be to:
- create a new `jazip' group.
- put selected users in that group to use jazip.
- change the group ID of zip or jaz raw scsi device to `jazip' and make
it group `rw'.
This way, users do _not_ get read access to all raw disk devices.
Unless we are willing to do this, I think I should leave jazip suid-root.
> Plus if they are sitting in front of the
> system (which they need to be to use a zip drive) they have 'extended'
> access anyway,
True...
> why add another suid binary that isn't necessary?
Because adding users to the `disk' group is worse security. Or am I
missing something?
BTW, the jazip author is very open to discussing this. He is very security
conscious, has thought a lot about this, and has not received a suid-exploit
bug report since releasing this software.
Thanks for your interest, opinions and advice.
(Do I get final say as package maintainer? Or do suid-root binaries
require special permissions from Debian guru developers?)
--
Peter Galbraith, research scientist <GalbraithP@dfo-mpo.gc.ca>
Maurice Lamontagne Institute, Department of Fisheries and Oceans Canada
P.O. Box 1000, Mont-Joli Qc, G5H 3Z4 Canada. 418-775-0852 FAX: 775-0546
6623rd GNU/Linux user at the Counter - http://counter.li.org/
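The "jazip group" scheme proposed in the message above (a dedicated group, selected users in it, the zip/jaz device node owned by that group with mode rw for group and nothing for others) can be checked mechanically. The script below is an added example and is not part of the original thread or of the jazip package; it assumes the group is named `jazip`, that the intended mode is 0660, and that GNU `stat(1)` is available for reading a real node. The audit function returns 0 only when the group is `jazip` and no world bits are set, so a node left in group `disk` or readable by others is flagged.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a raw SCSI device
# node against the "jazip group" scheme (group 'jazip', mode 0660).
# Assumptions: group name 'jazip', mode 0660, GNU stat(1) for real nodes.

# jazip_perm_ok GROUP MODE
# MODE is the octal permission string as printed by `stat -c %a`.
# Returns 0 if only owner and the jazip group can touch the node,
# 1 if the permissions are wrong, 2 if MODE is not an octal mode.
jazip_perm_ok() {
    group=$1
    mode=$2
    # Drop a leading setuid/setgid/sticky digit ("2660" -> "660").
    case "$mode" in
        [0-7][0-7][0-7][0-7]) mode=${mode#?} ;;
    esac
    case "$mode" in
        [0-7][0-7][0-7]) ;;
        *) return 2 ;;
    esac
    grp=${mode#?};  grp=${grp%?}      # middle digit: group bits
    other=${mode#??}                  # last digit: world bits
    # Group 'disk' would give the same users raw read on every disk,
    # which is exactly what the scheme is meant to avoid.
    [ "$group" = jazip ] || return 1
    # Any world bit leaks the raw device to every local user.
    [ "$other" = 0 ] || return 1
    # Exactly rw for the jazip group (6 = rw-), no execute, no less.
    [ "$grp" = 6 ] || return 1
    return 0
}

# audit_device /dev/NODE
# Reads group and mode from a real node with GNU stat and evaluates them.
audit_device() {
    dev=$1
    [ -e "$dev" ] || { echo "$dev: missing"; return 2; }
    g=$(stat -c %G "$dev")
    m=$(stat -c %a "$dev")
    if jazip_perm_ok "$g" "$m"; then
        echo "$dev: ok ($g $m)"
    else
        echo "$dev: NOT ok ($g $m)"
        return 1
    fi
}

# What the maintainer would run as root, with /dev/sda standing in for
# the zip/jaz node (hypothetical path, Debian addgroup/adduser):
#   addgroup jazip
#   adduser alice jazip
#   chgrp jazip /dev/sda && chmod 660 /dev/sda
#   audit_device /dev/sda
```

Run `audit_device` on the actual zip or jaz node after changing the group; a result of "NOT ok (disk 660)" is the configuration the message warns against, since membership in `disk` reads every raw disk, not only the removable one.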