
Re: linhdd concerns



On Mon, Nov 26, 2007 at 11:38:06PM -0800, Steve Langasek wrote:
> On Mon, Nov 26, 2007 at 09:51:35PM +0100, Leo costela Antunes wrote:
> > What information does linhdd need from fdisk?
> > Fdisk seems to run just fine as a normal user on Debian. The issue
> > seems to be that /dev/{s,h}d* are directly readable only by members of
> > the group 'disk'.
> > Perhaps instead of packaging this 'abs_fdisk', which AFAICT is just a
> > "read-only non-root" fdisk, you could just create a setuid wrapper to
> > the normal fdisk and use it from linhdd?
> 
> No, that would be a security hole.  Even making it setgid disk would be a
> security hole, since the disk group has write access to all disk devices.

The idea of the wrapper would of course be that it would only allow read
access, so the write access is not a problem.

If I understand the case correctly, abs_fdisk is a modified read-only
setuid root version of fdisk, which is used by linhdd to get some info
which is also available to everyone under /proc.  Providing this info is
obviously not a security problem (as long as abs_fdisk is not buggy).
However, "a read-only version of fdisk" can likely get much more info
than just what is available in /proc.  The fact that linhdd doesn't use
that doesn't make it unavailable.  It seems to me that this approach
introduces security issues (allowing read access that shouldn't be
allowed, plus an extra setuid root (or setgid disk) binary which must
not be buggy) that should better be avoided.

Would it be very hard to write a script which does the same as abs_fdisk
(and can be used as a drop-in replacement), but gets its info from
/proc, and doesn't need elevated permissions?

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://pcbcn10.phys.rug.nl/e-mail.html
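One way to do what Bas suggests, as an added example (not code from the thread, from linhdd or from abs_fdisk): a script that reads the world-readable /proc/partitions and prints an fdisk-style summary with no setuid root or setgid disk binary involved. The table format and the device-naming rule used to group partitions under their disk are assumptions noted in the comments.

```python
"""Partition summary read from /proc/partitions (world-readable, so no setuid fdisk).
Hypothetical example code, not abs_fdisk or linhdd."""
from typing import Dict, List, Optional
# Constructed sample in the /proc/partitions format (not from a real machine).
SAMPLE_PROC_PARTITIONS = """\
major minor  #blocks  name

   8        0   20971520 sda
   8        1     498688 sda1
   8        2   20471808 sda2
   8       16    1048576 sdb
"""

def parse_proc_partitions(text: str) -> Dict[str, int]:
    """Map device name -> size in 1 KiB blocks; header and blank lines are skipped."""
    sizes: Dict[str, int] = {}
    for line in text.splitlines():
        f = line.split()  # major, minor, #blocks, name
        if len(f) == 4 and f[0].isdigit():
            sizes[f[3]] = int(f[2])
    return sizes

def parent_disk(name: str, names: List[str]) -> Optional[str]:
    """Whole disk a partition belongs to, or None if the entry is a whole disk.
    Assumes kernel naming: partition = disk name + digits, or + 'p' + digits."""
    for cand in names:
        rest = name[len(cand):]
        if cand != name and name.startswith(cand) and rest.lstrip("p").isdigit():
            return cand
    return None

def layout(sizes: Dict[str, int]) -> Dict[str, List[str]]:
    """Map each whole disk to its partition names, in table order."""
    names = list(sizes)
    disks: Dict[str, List[str]] = {}
    for name in names:
        parent = parent_disk(name, names)
        disks.setdefault(parent or name, [])
        if parent:
            disks[parent].append(name)
    return disks

def summary(text: str) -> List[str]:
    """fdisk-like lines: 'Disk /dev/sda: 20480 MiB', then one line per partition."""
    sizes = parse_proc_partitions(text)
    lines = []
    for disk, parts in layout(sizes).items():
        lines.append(f"Disk /dev/{disk}: {sizes[disk] / 1024:.0f} MiB")
        lines += [f"  /dev/{p}: {sizes[p] / 1024:.0f} MiB" for p in parts]
    return lines
```

Running `summary(open("/proc/partitions").read())` as an ordinary user gives the same kind of listing without touching /dev/{s,h}d* at all.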
