Bug 92823

Summary:	Bestcrypt does not set udev permissions for non-root access
Product:	Gentoo Linux	Reporter:	Venky TV <4ct2siy02>
Component:	New packages	Assignee:	Crypto team [DISABLED] <crypto+disabled>
Status:	RESOLVED WONTFIX
Severity:	minor
Priority:	High
Version:	unspecified
Hardware:	x86
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Venky TV 2005-05-16 12:04:41 UTC

The bestcrypt ebuild does not support non-root usage of the tool. I had to make the /usr/bin/bctool binary suid root as well as create the following file:

===> /etc/udev/rules.d/50-bcrypt.rules <===
KERNEL="bcrypt[0-9]*"   NAME="%k", MODE="0666"

Should these instructions go into the ebuild as einfo messages along with the usual "This is considered a security risk on multiuser systems" caveat?  I am especially concerned about the udev device permissions issue, because this is not straightforward to figure out.

Reproducible: Always
Steps to Reproduce:
1. emerge bestcrypt
2. bctool mount <encrypted-file> <mount-point>

Actual Results:  
$ bctool mount <encrypted-file> <mount-point>
This program must be run as root or have the SUID attribute set
$ sudo chmod +s /usr/bin/bctool
$ bctool mount <encrypted-file> <mount-point>
Can not find free device

Expected Results:  
Mounted the encrypted filesystem.

Comment 1 Daniel Black (RETIRED) gentoo-dev

2005-05-23 05:15:08 UTC

this looks far too dangerous even with warnings. If a user wants to use this  
they can use sudo.  
 
When things like bctool /dev/hda ... can be done as an ordinary user is really  
bad.  
  
A strace on bctool should reveil the udev problem quickly enough.  
 
If bctool has some built in limitations as suid this may be acceptable but as 
I see it now it really isn't acceptable. No other gentoo program that I'm 
aware of allows this much control to a non-root users.