You are not logged in.

Pages: 1

#1 2006-10-22 02:53:58

Dusty
Schwag Merchant
From: Medicine Hat, Alberta, Canada
Registered: 2004-01-18
Posts: 5,986
Website

CFDisk let me edit partition table as user

I find this interesting... I forgot to sudo while running cfdisk, and it allowed me to edit my partition table as a normal user. And write the changes. I don't like this, it seems a bit of a security hole if anybody can log in and clobber partitions.

I note that my user has group rw positions on the /dev/sdb device, as a member of the disk group. I can't remember what the purpose of this group is, my user may be in it for accessing the cdrom drive.

I also notice that cfdisk is in /sbin/, and that all users have execute permissions on this program.

Now, what would be the best way to prevent this from happening. Yeah, I could change permissions on the file, but I'm curious to know if there's something else I've overlooked. Its a great convenience that I can run the command myself, but I don't want it happening for the other users I occasionally allow to log into the system, nor for users who manage to hack their way in, but don't manage to hack root.

Note: I also have the permissions to run mke2fs. I think it must be from being in the disk group.

Dusty

** Arch Linux Apparel and more ** Arch Linux stickers, laptop bags, jewelery ** I wrote a book on Python 3 ** and one on mental health **

Offline

#2 2006-10-22 03:04:24

ganja_guru
Member
Registered: 2005-02-14
Posts: 464

Re: CFDisk let me edit partition table as user

i don't think the user should be in 'disk' group.. cdrom drives are handled by 'optical' and flash/removable media by 'storage'. AFAIK disk group is meant for partition related stuff.

Offline

#3 2006-10-22 03:10:07

Dusty
Schwag Merchant
From: Medicine Hat, Alberta, Canada
Registered: 2004-01-18
Posts: 5,986
Website

Re: CFDisk let me edit partition table as user

Interesting, I wonder why I have my user in that group. My memory is failing. sad

Dusty

** Arch Linux Apparel and more ** Arch Linux stickers, laptop bags, jewelery ** I wrote a book on Python 3 ** and one on mental health **

Offline

#4 2006-10-22 11:34:56

detto
Member
Registered: 2006-01-23
Posts: 510

Re: CFDisk let me edit partition table as user

Mhh, interesting. I always added myself to this group because i heard of it and it sounded like s.th. for discs or the like, but sure... group disks is of that big_smile Any chance where to get a list or s.th. like that that represents ALL groups uses in ArchLinux ?

cheers,
deTTo

Offline

#5 2006-10-22 12:37:15

Bralkein
Member
Registered: 2004-10-26
Posts: 354

Re: CFDisk let me edit partition table as user

Hmm, well I always aimed to add my user account to as few groups as possible, for the security reasons discovered here! I think the /etc/group file should have more comments in it, explaining the relative safety of adding normal users to certain groups.

Offline

#6 2006-10-23 04:36:30

cin
Member
Registered: 2006-10-23
Posts: 2

Re: CFDisk let me edit partition table as user

Well, my user is not in disk group, being in storage group is enough for cfdisk to let him do partitioning of /dev/sda. /dev/hdx are safe, though.

[ass@zzz ~]$ ls -l /dev/sda
brw-rw---- 1 root storage 8, 0 2006-10-23 04:33 /dev/sda
[ass@zzz ~]$ ls -l /dev/hda
brw-rw---- 1 root disk 3, 0 2006-10-23 04:33 /dev/hda

Removing him from the group fixes this (after reboot).
I added him to storage and optical groups for convenient use of cdrom/usb stick as required by kde/hal combo.
Maybe wouldn't mind messing up my usb stick, but as it happens /dev/sda is a fixed scsi disk.

Guessing this behaviour is caused by udev.rules

# default permissions for all block devices
SUBSYSTEM=="block",     GROUP="disk"

# permissions for removable devices like cardreaders or sticks
KERNEL=="sd*", ATTRS{scsi_level}=="3", ATTRS{type}=="0", GROUP="storage"

# permissions for firewire external drives
KERNEL=="sd*", ATTRS{scsi_level}=="5", GROUP="storage"

# permissions for usb to scsi external adapters
KERNEL=="sd*", ATTRS{scsi_level}=="3", ATTRS{type}=="7", GROUP="storage"

That's all rules referring to "storage" group and sd* devices in my /etc/udev.rules (as installed by pacman)

Now, I'd like udev to differentiate between my fixed and removable /dev/sd*. Anyone knows what needs to be changed?

Offline

#7 2006-10-27 11:10:40

solstice
Member
Registered: 2006-10-27
Posts: 237
Website

Re: CFDisk let me edit partition table as user

you could make a custom udev rule to recognize your hardware:
it will be specific to your hardware (not general)

look at http://www.reactivated.net/writing_udev_rules.html

you need a rule like that
BUS=="scsi", SYSFS{model}=="ST3120827AS", GROUP=disk

modified to the right model. use udevinfo for that to find it and plce it in one file in /etc/udev/rules.d
for example, 99-local.rules

Offline

#8 2006-10-27 12:12:54

Romashka
Forum Fellow
Registered: 2005-12-07
Posts: 1,054

Re: CFDisk let me edit partition table as user

solstice wrote:

you need a rule like that
BUS=="scsi", SYSFS{model}=="ST3120827AS", GROUP=disk

IIRC, SYSFS should be replaced with ATTRS with the newest udev.

to live is to die

Offline

Pages: 1

Board footer

Powered by FluxBB