
Bug#94209: marked as done (xmcd: Security fix in -7.1 fatally flawed for scsi drives)



Your message dated Mon, 29 Dec 2008 01:21:21 +0000
with message-id <49582611.6010902@wormwood666.demon.co.uk>
and subject line Done: xmcd: SCSI cdrom works fine these days (if your in the cdrom group)
has caused the Debian Bug report #94209,
regarding xmcd: Security fix in -7.1 fatally flawed for scsi drives
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
94209: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=94209
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: xmcd
Version: 2.5pl1-7.1
Severity: normal

The security fix that removed the setuid bit from xmcd fatally breaks
the package on any system that uses a SCSI CD-ROM.  On such a system,
only root may use xmcd.

(Note that this bug is similar to but different from #80345.  That bug
report concerns IDE CD-ROMs, which in my experience work fine provided
that the device-file permissions are set correctly.)

This is not a permissions problem -- the permissions on the CD-ROM
device are irrelevant.  The problem is that xmcd uses an ioctl that
the kernel considers protected.  Here is the relevant output from
strace:

----------------------------------------------------------------------
stat64("/dev/scd0", {st_mode=S_IFBLK|0660, st_rdev=makedev(11, 0), ...}) = 0
open("/dev/scd0", O_RDONLY|O_NONBLOCK|O_EXCL) = 4
ioctl(4, 0x1, 0x8110450)                = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450)                = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450)                = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450)                = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450)                = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450)                = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450)                = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450)                = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450)                = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450)                = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450)                = -1 EACCES (Permission denied)
ioctl(4, 0x1, 0x8110450)                = -1 EACCES (Permission denied)
close(4)                                = 0
----------------------------------------------------------------------

And here is the relevant section of code in the kernel (this is from
"drivers/scsi/scsi_ioctl.c" in Linux 2.4.3, but 2.2.x kernels have the
same code):

----------------------------------------------------------------------
	case SCSI_IOCTL_SEND_COMMAND:
		if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
			return -EACCES;
		return scsi_ioctl_send_command((Scsi_Device *) dev,
					     (Scsi_Ioctl_Command *) arg);
----------------------------------------------------------------------

It should be clear from these excerpts that only root can use this
program under Linux.

I understand that there is a security issue here.  But by disabling
the setuid root on xmcd, the security issue is "solved" by making xmcd
unusable on SCSI systems.  I think this one needs to be re-thought.

-- System Information
Debian Release: 2.2
Kernel Version: Linux trixia 2.4.3 #1 Thu Apr 12 11:24:48 EDT 2001 i686 unknown

Versions of the packages xmcd depends on:
ii  cddb           2.5pl1-7.1     CD DataBase support tools
ii  lesstif1       0.89.4-3       OSF/Motif implementation released under LGPL
ii  libc6          2.1.3-18       GNU C Library: Shared libraries and Timezone
ii  libncurses5    5.0-6.0potato1 Shared libraries for terminal handling
ii  xlib6g         4.0.2-11       pseudopackage providing X libraries
ii  zlib1g         1.1.3-5        compression library - runtime
	^^^ (Provides virtual package libz1)


--- End Message ---
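The report above is right that the device file's mode is beside the point: the kernel excerpt gates SCSI_IOCTL_SEND_COMMAND on the caller's effective capability set, not on the open() permission check, so a cdrom-group member without setuid root gets EACCES no matter how /dev/scd0 is chmod'ed. The following C program is an added diagnostic, not code from the bug report or from xmcd: it re-implements the kernel's predicate from the excerpt (both CAP_SYS_ADMIN and CAP_SYS_RAWIO are required), reads the calling process's CapEff from /proc/self/status, and says whether that ioctl would be refused. It assumes Linux (the /proc layout and the capability bit numbers from linux/capability.h, for which fallback values are defined); the function names are this example's own.

```c
/* Added example, not part of the bug report or of xmcd. Mirrors the
 * capable() check that the quoted drivers/scsi/scsi_ioctl.c excerpt applies
 * to SCSI_IOCTL_SEND_COMMAND and tests the current process against it. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __linux__
#include <linux/capability.h>
#endif
/* Fallbacks so the file also compiles where the header is absent; the
 * numbers are the ones linux/capability.h assigns. */
#ifndef CAP_SYS_RAWIO
#define CAP_SYS_RAWIO 17
#endif
#ifndef CAP_SYS_ADMIN
#define CAP_SYS_ADMIN 21
#endif

#define CAP_BIT(cap) ((uint64_t)1 << (cap))

/* The kernel's predicate from the excerpt, inverted: the ioctl proceeds only
 * when BOTH capabilities are in the effective set; otherwise -EACCES. */
int scsi_send_command_permitted(uint64_t cap_eff)
{
    int has_admin = (cap_eff & CAP_BIT(CAP_SYS_ADMIN)) != 0;
    int has_rawio = (cap_eff & CAP_BIT(CAP_SYS_RAWIO)) != 0;
    return has_admin && has_rawio;
}

/* Pull the hexadecimal value after "CapEff:" out of a /proc/<pid>/status
 * buffer. Returns 0 on success, -1 if the line is missing or malformed. */
int parse_cap_eff(const char *status_text, uint64_t *out)
{
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL)
        return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p)
        return -1;
    *out = (uint64_t)v;
    return 0;
}

/* Read this process's own effective capability mask. */
int read_own_cap_eff(uint64_t *out)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_eff(buf, out);
}

int main(void)
{
    uint64_t caps;
    if (read_own_cap_eff(&caps) != 0) {
        fprintf(stderr, "could not read CapEff from /proc/self/status\n");
        return 1;
    }
    printf("CapEff        = %016llx\n", (unsigned long long)caps);
    printf("CAP_SYS_ADMIN = %s\n", (caps & CAP_BIT(CAP_SYS_ADMIN)) ? "yes" : "no");
    printf("CAP_SYS_RAWIO = %s\n", (caps & CAP_BIT(CAP_SYS_RAWIO)) ? "yes" : "no");
    printf("SCSI_IOCTL_SEND_COMMAND would be %s, whatever the device file's mode\n",
           scsi_send_command_permitted(caps) ? "allowed" : "refused with EACCES");
    return 0;
}
```

Run it once as an ordinary user in the cdrom group and once as root: the device file is equally readable in both cases, yet only the root run reports the ioctl as allowed, which is exactly the failure the strace excerpt shows. That is also why the eventual closing message is consistent with this report: later kernels stopped routing the commands xmcd needs through that capability-gated path, so group membership became sufficient.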
--- Begin Message ---
Package: xmcd
Version: 2.6-21

--- Please enter the report below this line. ---

I got a scsi cdrom drive.
Logged in as a normal user that is a member of cdrom
Ran xmcd
It all worked OK...

I guess in the dim and distant past scsi cdroms were for root only, that is no
longer the case.


--- End Message ---