100116 – udev-063 sets bad permissions on disks

Bug 100116 - udev-063 sets bad permissions on disks

Summary: udev-063 sets bad permissions on disks

Status:	RESOLVED DUPLICATE of bug 100115

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Default Configs (show other bugs)
Hardware:	All Linux

Importance:	High critical (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2005-07-24 07:02 UTC by apache
Modified:	2005-07-24 07:04 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description apache 2005-07-24 07:02:26 UTC

udev sets permissions for partitions to root:root which is ok, but it sets
permissions for disks to root:disk. That means every ordinary user with group
disk can run commands like this:

cat /dev/hda /home/foobar/out.txt
dd if=/dev/zero of=/dev/hda

That should not be possible. If a program has a security hole and runs one of
this commands, it can damage the whole system without root permissions.

Problem is already discussed here:
http://forums.gentoo.org/viewtopic-p-2597592.html#2597592

Reproducible: Always
Steps to Reproduce:
Attention! Do not perform the following actions, just read it !

1. Login with a user in group disk
2. Run dd if=/dev/zero of=/dev/hda
3. Reinstall gentoo *g*

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-07-24 07:04:06 UTC


*** This bug has been marked as a duplicate of 100115 ***