
Bug 100116

Summary: udev-063 sets bad permissions on disks
Product: Gentoo Security
Reporter: apache <admin>
Component: Default Configs
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: critical    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description apache 2005-07-24 07:02:26 UTC
udev sets permissions for partitions to root:root which is ok, but it sets
permissions for disks to root:disk. That means every ordinary user with group
disk can run commands like this:

cat /dev/hda /home/foobar/out.txt
dd if=/dev/zero of=/dev/hda

That should not be possible. If a program has a security hole and runs one of
these commands, it can damage the whole system without root permissions.

Problem is already discussed here:
http://forums.gentoo.org/viewtopic-p-2597592.html#2597592

Reproducible: Always
Steps to Reproduce:
Attention! Do not perform the following actions, just read them!

1. Log in as a user in group disk
2. Run dd if=/dev/zero of=/dev/hda
3. Reinstall Gentoo *g*

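A defensive check for the condition described in this report, added here as an example and not part of the bug report or of udev: it flags block-device nodes that a non-root group can read or write, and lists the accounts that hold that group. The function names, the input line format and the sample modes are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit group access to block-device nodes.
# Node lines are "<path> <owner> <group> <octal-mode>", e.g. from GNU stat:
#   find /dev -type b -exec stat -c '%n %U %G %a' {} +

flag_group_access() {
    while read -r path owner group mode; do
        [ -n "$mode" ] || continue           # skip blank or short lines
        [ "$group" = "root" ] && continue    # root-only group: nothing to report
        g=${mode%?}                          # drop the "other" digit
        g=${g#"${g%?}"}                      # keep only the group digit
        case $g in
            6|7) acc=rw ;;
            4|5) acc=r ;;
            2|3) acc=w ;;
            *)   continue ;;                 # group has no read/write access
        esac
        printf '%s owner=%s group=%s access=%s\n' "$path" "$owner" "$group" "$acc"
    done
}

# members_of GROUP GROUPFILE PASSWDFILE
# Prints supplementary members of GROUP plus accounts whose primary GID
# is GROUP's GID, one per line (files in /etc/group and /etc/passwd format).
members_of() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
        awk -F: -v id="$gid" '$4 == id { print $1 }' "$3"
    } | sort -u
}

# Constructed sample: disks owned root:disk, partition owned root:root,
# as the report describes; the modes are made up for the example.
sample_nodes() {
    cat <<'EOF'
/dev/hda root disk 660
/dev/hda1 root root 600
/dev/hdb root disk 600
EOF
}

sample_nodes | flag_group_access
```

On a live host, feed the `find ... stat` output from the header comment into `flag_group_access`, then run `members_of` against `/etc/group` and `/etc/passwd` for each flagged group.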
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-24 07:04:06 UTC

*** This bug has been marked as a duplicate of 100115 ***