154693 – sys-apps/eject user can unmount / ?

Bug 154693 - sys-apps/eject user can unmount / ?

Summary: sys-apps/eject user can unmount / ?

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/bugzilla/...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2006-11-10 09:13 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified:	2006-11-26 11:12 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-11-10 09:13:03 UTC

Redhat bug says:

Description of problem:
Running eject /dev/hda (my hard disc) as an unprivileged user causes /boot (and
other filesystems) to be unmounted. The program returns an invalid argument
error, but the following is left in dmesg:

ide_do_rw_disk - bad command: dev hda: flags = REQ_RW REQ_SOFTBARRIER
REQ_NOMERGE REQ_STARTED REQ_ELVPRIV REQ_BLOCK_PC 
sector 41895, nr/cnr 8/1
bio 00000000, biotail 00000000, buffer 00000000, data 00000000, len 0
cdb: 1b 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 


Version-Release number of selected component (if applicable):
kernel-2.6.18-1.2798.fc6
eject-2.1.5-4.1.fc6

How reproducible:
Always.

Steps to Reproduce:
1. eject /dev/hda
  
Actual results:

$ mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/dev/hda2 on /boot type ext3 (rw)
/dev/hda1 on /mnt/winxp type ntfs (ro,noexec,umask=0222)

$ eject /dev/hda
eject: unable to eject, last error: Invalid argument

$ mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)


Expected results:
/boot and others stay mounted!

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-11-10 09:13:54 UTC

I cannot reproduce it here, but the output seems a bit odd:

$ eject /dev/hda
Error: could not determine real path of the device: No such file or directory
eject: unmount of `/' failed

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-11-20 22:03:07 UTC

base-system please advise.

Comment 3 Roy Marples (RETIRED) gentoo-dev

2006-11-21 01:52:10 UTC

(In reply to comment #2)
> base-system please advise.

I cannot reproduce it on my stable servers (/ raid), or my unstable arches (/ ext3 single disk).

The eject code is pretty simple also, it just seeds the eject io.
However, it does unmount all partitions on the same disk, so if you eject /dev/sda6 (or a directory mounted on /dev/sda6) it will umount /dev/sda[0-9]*.

eject does not try to raise it's privilege level in any way, so if this is an error it's in the kernel or the user stupidly has the binary suid in which case I'd say this is expected behaviour.

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-11-21 02:30:09 UTC

Thx Uberlord.

Closing this one as INVALID.

Comment 5 SpanKY gentoo-dev

2006-11-26 11:12:15 UTC

if anything, that bug report makes it look like a bug in the kernel, not in the userspace eject utility