Your message dated Mon, 29 Dec 2008 01:21:21 +0000
with message-id <49582611.6010902@wormwood666.demon.co.uk>
and subject line Done: xmcd: SCSI cdrom works fine these days (if your in the cdrom group)
has caused the Debian Bug report #94209,
regarding xmcd: Security fix in -7.1 fatally flawed for scsi drives
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
94209: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=94209
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: xmcd: Security fix in -7.1 fatally flawed for scsi drives
- From: Chris Hanson <cph@zurich.ai.mit.edu>
- Date: Mon, 16 Apr 2001 22:09:08 -0400
- Message-id: <E14pKvU-0006sB-00@trixia.ai.mit.edu>
Package: xmcd
Version: 2.5pl1-7.1
Severity: normal

The security fix that removed the setuid bit from xmcd fatally breaks the package on any system that uses a SCSI CD-ROM. On such a system, only root may use xmcd. (Note that this bug is similar to but different from #80345. That bug report concerns IDE CD-ROMs, which in my experience work fine provided that the device-file permissions are set correctly.)

This is not a permissions problem -- the permissions on the CD-ROM device are irrelevant. The problem is that xmcd uses an ioctl that the kernel considers protected. Here is the relevant output from strace:

----------------------------------------------------------------------
stat64("/dev/scd0", {st_mode=S_IFBLK|0660, st_rdev=makedev(11, 0), ...}) = 0
open("/dev/scd0", O_RDONLY|O_NONBLOCK|O_EXCL) = 4
ioctl(4, 0x1, 0x8110450) = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450) = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450) = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450) = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450) = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450) = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450) = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450) = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450) = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450) = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450) = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450) = -1 EACCES (Permission denied)
close(4) = 0
----------------------------------------------------------------------

And here is the relevant section of code in the kernel (this is from "drivers/scsi/scsi_ioctl.c" in Linux 2.4.3, but 2.2.x kernels have the same code):

----------------------------------------------------------------------
	case SCSI_IOCTL_SEND_COMMAND:
		if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
			return -EACCES;
		return scsi_ioctl_send_command((Scsi_Device *) dev,
					       (Scsi_Ioctl_Command *) arg);
----------------------------------------------------------------------

It should be clear from these excerpts that only root can use this program under Linux.

I understand that there is a security issue here. But by disabling the setuid root on xmcd, the security issue is "solved" by making xmcd unusable on SCSI systems. I think this one needs to be re-thought.

-- System Information
Debian Release: 2.2
Kernel Version: Linux trixia 2.4.3 #1 Thu Apr 12 11:24:48 EDT 2001 i686 unknown

Versions of the packages xmcd depends on:
ii  cddb           2.5pl1-7.1      CD DataBase support tools
ii  lesstif1       0.89.4-3        OSF/Motif implementation released under LGPL
ii  libc6          2.1.3-18        GNU C Library: Shared libraries and Timezone
ii  libncurses5    5.0-6.0potato1  Shared libraries for terminal handling
ii  xlib6g         4.0.2-11        pseudopackage providing X libraries
ii  zlib1g         1.1.3-5         compression library - runtime
^^^ (Provides virtual package libz1)
--- End Message ---
--- Begin Message ---
- To: 94209-done@bugs.debian.org
- Subject: Done: xmcd: SCSI cdrom works fine these days (if your in the cdrom group)
- From: Jason Cormie <jason@wormwood666.demon.co.uk>
- Date: Mon, 29 Dec 2008 01:21:21 +0000
- Message-id: <49582611.6010902@wormwood666.demon.co.uk>
Package: xmcd
Version: 2.6-21

--- Please enter the report below this line. ---

I got a scsi cdrom drive. Logged in as a normal user that is a member of cdrom. Ran xmcd. It all worked OK... I guess in the dim and distant past scsi cdroms were for root only; that is no longer the case.

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---
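The two messages above disagree about where the failure lives: the original report shows open() on /dev/scd0 succeeding and the ioctl failing with EACCES (a capability gate, so device-file permissions are irrelevant), while the closing message reports that membership in the cdrom group is enough. The probe below is an added example, not code from either message or from xmcd. It does what the strace excerpt shows xmcd doing: open the device node, issue SCSI_IOCTL_SEND_COMMAND with a TEST UNIT READY CDB (chosen because it moves no data), and classify the result so that a refusal by the node's mode and group (open() fails) is told apart from a refusal by the kernel's capability check (ioctl fails after a successful open). Assumptions: the default device path /dev/scd0 is taken from the report; the ioctl request number 1 is the one visible in the strace; the buffer layout (two length fields followed by the CDB) is that of the SCSI_IOCTL_SEND_COMMAND interface; the enum names and the function names are this example's own.

```c
/*
 * Added example (not part of the bug report or of xmcd): reproduce the
 * probe behind the strace excerpt and classify why it fails.
 *
 * Build: cc -o scsi_probe scsi_probe.c
 * Run:   ./scsi_probe [/dev/scd0]   once as a normal user, once as root.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>

#ifndef SCSI_IOCTL_SEND_COMMAND
#define SCSI_IOCTL_SEND_COMMAND 1   /* the request number seen in the strace (0x1) */
#endif

enum probe_result {
    PROBE_OK,          /* ioctl accepted: the caller passed the kernel's capability check */
    PROBE_CAP_DENIED,  /* open() succeeded but the ioctl returned EACCES: capability gate */
    PROBE_DAC_DENIED,  /* open() itself was refused: device-node mode/group (the "cdrom group" case) */
    PROBE_NO_DEVICE,   /* node missing, not a SCSI device, or no medium */
    PROBE_OTHER
};

/* Buffer layout used by SCSI_IOCTL_SEND_COMMAND: two lengths, then the CDB.
 * The kernel infers the CDB length from the opcode; TEST UNIT READY (0x00)
 * is a 6-byte CDB.  On error the kernel overwrites the data area with sense
 * bytes, so leave room for them. */
struct send_cmd {
    unsigned int inlen;           /* bytes of data-out following the CDB: none */
    unsigned int outlen;          /* bytes of data-in expected: none */
    unsigned char cdb[6];         /* all zero = TEST UNIT READY */
    unsigned char sense_room[26]; /* scratch for returned sense data */
};

/* Map a saved errno from the probe to a result class.  0 means success. */
enum probe_result classify_errno(int saved_errno)
{
    switch (saved_errno) {
    case 0:
        return PROBE_OK;
    case EACCES:
        return PROBE_CAP_DENIED;
    case ENOENT: case ENXIO: case ENODEV: case ENOTTY:
#ifdef ENOMEDIUM
    case ENOMEDIUM:
#endif
        return PROBE_NO_DEVICE;
    default:
        return PROBE_OTHER;
    }
}

/* Open the node the way the strace shows (read-only, non-blocking) and try
 * the ioctl.  An EACCES/EPERM from open() is a permissions problem on the
 * node; an EACCES from the ioctl is the kernel's capability check. */
enum probe_result probe_send_command(const char *dev)
{
    int fd = open(dev, O_RDONLY | O_NONBLOCK);
    if (fd < 0) {
        if (errno == EACCES || errno == EPERM)
            return PROBE_DAC_DENIED;
        return classify_errno(errno);
    }

    struct send_cmd cmd;
    memset(&cmd, 0, sizeof cmd);           /* opcode 0x00: TEST UNIT READY */
    int rc = ioctl(fd, SCSI_IOCTL_SEND_COMMAND, &cmd);
    int saved = rc < 0 ? errno : 0;
    close(fd);
    return classify_errno(saved);
}

static const char *describe(enum probe_result r)
{
    switch (r) {
    case PROBE_OK:         return "ioctl accepted (caller has the required capabilities)";
    case PROBE_CAP_DENIED: return "open() ok, ioctl EACCES: kernel capability gate, not file permissions";
    case PROBE_DAC_DENIED: return "open() refused: fix the device node's mode/group (e.g. cdrom group)";
    case PROBE_NO_DEVICE:  return "no usable device at this path";
    default:               return "other error";
    }
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "/dev/scd0";  /* path from the report */
    enum probe_result r = probe_send_command(dev);
    printf("%s: %s\n", dev, describe(r));
    return r == PROBE_OK ? 0 : 1;
}
```

Running it as an unprivileged cdrom-group member and then as root gives the two outcomes the thread is about: PROBE_CAP_DENIED is the situation of the 2001 report (group membership cannot help, because the refusal comes from capable() in the ioctl path, not from the node), and PROBE_DAC_DENIED is the only case that adding a user to the cdrom group fixes. Which result a given kernel produces for this ioctl is exactly what the two messages, seven years apart, report differently; the probe lets you check rather than guess.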