• sg (scsi) device permissions not effective

    From Mike Scott@110:300/1.1 to All on Sat Aug 11 09:44:04 2012
    This is all on a mint maya 64-bit system. I'm not sure whether I've hit
    a genuine security problem, or whether I've missed something obvious.

    I've a pair of scanners on my system, connected to a scsi interface.
    Owing to an error in the udev rules, I've had the ownership of the sg interfaces set to root, group root, with permissions 0660:

    mike@spock:~$ ls -l /dev/sg2
    crw-rw----+ 1 root root 21, 2 Aug 11 08:42 /dev/sg2

    My understanding is that this ought to stop 'others' from accessing the
    device. Yet I've been happily running sane:
    mike@spock:~$ scanimage -depson2:/dev/sg2 >/dev/null
    mike@spock:~$


    On investigation, it appears that it's possible for a non-root user to
    do an open() on these sg devices: the code fragment

    #include <fcntl.h>   /* open(), O_RDWR */
    #include <stdio.h>   /* printf() */
    int main(void) {
        char *dev = "/dev/sg2";
        int q = open(dev, O_RDWR);          /* -1 with errno set if access is refused */
        printf(" open return = %d\n", q); return q < 0; }

    returns a good file descriptor.

    Furthermore, it's clearly also possible to then execute ioctl() on that descriptor, which is enough for sane to use the scanner - I've run
    scanimage under strace to check on this.

    (As a check, if I create a root-owned ordinary /file/ with the same 660 permissions and run the same test program, it fails as expected with a permissions error.)


    Has anyone else noticed anything similar please? Or can anyone
    reproduce the problem?

    (For completeness:
    mike@spock:~$ groups
    staff adm dialout fax cdrom floppy tape sudo audio dip video plugdev
    fuse scanner lpadmin netdev saned powerdev
    Note the sg devices are /not/ group 'scanner' as they really should have
    been)


    (Apologies if this isn't a suitable forum for this)


    --
    Mike Scott (unet2 <at> [deletethis] scottsonline.org.uk)
    Harlow Essex England

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: Scott family (110:300/1.1@linuxnet)
  • From Robert Nichols@110:300/1.1 to All on Sat Aug 11 19:14:05 2012
    On 08/11/2012 02:44 AM, Mike Scott wrote:
    I've a pair of scanners on my system, connected to a scsi interface.
    Owing to an error in the udev rules, I've had the ownership of the sg interfaces set to root, group root, with permissions 0660:

    mike@spock:~$ ls -l /dev/sg2
    crw-rw----+ 1 root root 21, 2 Aug 11 08:42 /dev/sg2

    My understanding is that this ought to stop 'others' from accessing the device. Yet I've been happily running sane:
    mike@spock:~$ scanimage -depson2:/dev/sg2>/dev/null
    mike@spock:~$


    On investigation, it appears that it's possible for a non-root user to
    do an open() on these sg devices: the code fragment

    char *dev = "/dev/sg2";
    int q = open(dev, O_RDWR);
    printf(" open return = %d\n", q);

    returns a good file descriptor.

    What access permissions does "getfacl /dev/sg2" report?

    --
    Bob Nichols AT comcast.net I am "RNichols42"

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: Exiguous (110:300/1.1@linuxnet)
  • From David W. Hodgins@110:300/1.1 to All on Sat Aug 11 21:23:16 2012
    On Sat, 11 Aug 2012 03:44:04 -0400, Mike Scott <usenet.14@scottsonline.org.uk.invalid> wrote:

    This is all on a mint maya 64-bit system. I'm not sure whether I've hit
    a genuine security problem, or whether I've missed something obvious.

    I've a pair of scanners on my system, connected to a scsi interface.
    Owing to an error in the udev rules, I've had the ownership of the sg interfaces set to root, group root, with permissions 0660:

    mike@spock:~$ ls -l /dev/sg2
    crw-rw----+ 1 root root 21, 2 Aug 11 08:42 /dev/sg2

    My understanding is that this ought to stop 'others' from accessing the device. Yet I've been happily running sane:
    mike@spock:~$ scanimage -depson2:/dev/sg2 >/dev/null
    mike@spock:~$

    What's the output of "getfacl /dev/sg2"?

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (110:300/1.1@linuxnet)
  • From Mike Scott@110:300/1.1 to All on Sat Aug 11 21:46:24 2012
    On 11/08/12 18:14, Robert Nichols wrote:
    On 08/11/2012 02:44 AM, Mike Scott wrote:
    I've a pair of scanners on my system, connected to a scsi interface.
    Owing to an error in the udev rules, I've had the ownership of the sg
    interfaces set to root, group root, with permissions 0660:

    mike@spock:~$ ls -l /dev/sg2
    crw-rw----+ 1 root root 21, 2 Aug 11 08:42 /dev/sg2

    My understanding is that this ought to stop 'others' from accessing the
    device. Yet I've been happily running sane:
    mike@spock:~$ scanimage -depson2:/dev/sg2>/dev/null
    mike@spock:~$


    On investigation, it appears that it's possible for a non-root user to
    do an open() on these sg devices: the code fragment

    char *dev = "/dev/sg2";
    int q = open(dev, O_RDWR);
    printf(" open return = %d\n", q);

    returns a good file descriptor.

    What access permissions does "getfacl /dev/sg2" report?


    Thanks for replying.

    I get:

    mike@spock:~$ getfacl /dev/sg2
    getfacl: Removing leading '/' from absolute path names
    # file: dev/sg2
    # owner: root
    # group: root
    user::rw-
    user:mike:rw- <<<< ????
    group::---
    group:scanner:rw-
    mask::rw-
    other::---


    Which on the face of it might start to explain things.

    But I've just created a 'test' account with no privileges at all; that
    works fine as well. I ran the following while my own 'mike' account was
    still logged in after getting the above:

    test@spock ~ $ getfacl /dev/sg2
    getfacl: Removing leading '/' from absolute path names
    # file: dev/sg2
    # owner: root
    # group: root
    user::rw-
    user:test:rw- <<<< ????
    group::---
    group:scanner:rw-
    mask::rw-
    other::---

    test@spock ~ $ scanimage -d epson2:/dev/sg2 >/dev/null
    test@spock ~ $ ls -l /dev/sg2
    crw-rw----+ 1 root root 21, 2 Aug 11 20:13 /dev/sg2

    (The scanimage worked fine)


    And to confirm:
    mike@spock:~$ grep test /etc/group
    test:x:1003:

    I can explain the 'scanner' group acl entries: checking the libsane udev
    rules, I have found an entry

    ENV{libsane_matched}=="yes", RUN+="/bin/setfacl -m g:scanner:rw $env{DEVNAME}"

    tucked right at the end (which I'd missed).

    But how can my user 'test' - not in the scanner group - use the scanner?
    And where could the acl entries like

    user:test:rw-

    have come from?



    --
    Mike Scott (unet2 <at> [deletethis] scottsonline.org.uk)
    Harlow Essex England

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: Scott family (110:300/1.1@linuxnet)
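    The getfacl listing above answers the question once it is run through the access algorithm acl(5) describes: a named user entry is checked before any group entry, so `user:test:rw-` (masked by `mask::rw-`) grants 'test' access no matter what the mode bits or group membership say. The script below is an added example, not code from the thread; it parses the listing as posted (constructed copy, annotation markers removed) and evaluates access for a caller given its user name and group list (assumed inputs, since the script does not consult the system).

```python
# Added example, not from the thread: models the acl(5) access check on the getfacl listing above.

# Constructed copy of the /dev/sg2 listing posted in the thread (annotation markers dropped).
GETFACL_SG2 = """\
# owner: root
# group: root
user::rw-
user:test:rw-
group::---
group:scanner:rw-
mask::rw-
other::---
"""

def perm_bits(s):  # 'rw-' -> 6
    return sum({"r": 4, "w": 2, "x": 1}.get(c, 0) for c in s)

def parse_getfacl(text):
    """Parse getfacl(1) output into the entry classes acl(5) defines."""
    acl = {"user": {}, "group": {}, "mask": 7, "other": 0}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner: "):
            acl["owner"] = line.split(": ", 1)[1]
        elif line.startswith("# group: "):
            acl["owning_group"] = line.split(": ", 1)[1]
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":", 2)
            bits = perm_bits(perms.split()[0])  # drop trailing '#effective:' or '<<<<' notes
            if tag in ("user", "group"):
                acl[tag][qual] = bits  # qual == "" is the owner / owning-group entry
            else:
                acl[tag] = bits  # mask or other
    return acl

def check_access(acl, user, groups, want):
    """Apply the acl(5) algorithm for a caller with the given name and group list."""
    need = perm_bits(want)
    if user == acl["owner"]:  # owner entry, mask does not apply
        return (acl["user"][""] & need) == need, "user::"
    if user in acl["user"]:  # named user entry, masked: the entry that lets 'test' in
        return (acl["user"][user] & acl["mask"] & need) == need, "user:%s:" % user
    matched = [(g, b) for g, b in acl["group"].items()
               if (acl["owning_group"] if g == "" else g) in groups]
    for g, bits in matched:  # any matching group entry that grants the request wins
        if (bits & acl["mask"] & need) == need:
            return True, "group:%s:" % g
    if matched:  # a group entry matched but none granted: denied, other:: is not consulted
        return False, "group:%s:" % matched[0][0]
    return (acl["other"] & need) == need, "other::"
```

Dropping the named entry (`setfacl -x u:test /dev/sg2`) makes the check fall through to `other::---` and refuse 'test', which is the state the `ls -l` mode bits alone suggest; the trailing `+` in that listing is the only hint that an extended ACL is in play.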
  • From David W. Hodgins@110:300/1.1 to All on Sun Aug 12 04:37:00 2012
    On Sat, 11 Aug 2012 15:46:24 -0400, Mike Scott <usenet.14@scottsonline.org.uk.invalid> wrote:

    But I've just created a 'test' account with no privileges at all; that
    works fine as well. I ran the following while my own 'mike' account was
    still logged in after getting the above:

    test@spock ~ $ getfacl /dev/sg2
    getfacl: Removing leading '/' from absolute path names
    # file: dev/sg2
    # owner: root
    # group: root
    user::rw-
    user:test:rw- <<<< ????
    group::---
    group:scanner:rw-
    mask::rw-
    other::---
    But how can my user 'test' - not in the scanner group - use the scanner?
    And where could the acl entries like
    user:test:rw-
    have come from?

    Most likely console-kit-daemon. See http://www.linuxfromscratch.org/blfs/view/cvs/postlfs/consolekit.html

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (110:300/1.1@linuxnet)
  • From Mike Scott@110:300/1.1 to All on Mon Aug 13 11:13:49 2012
    On 12/08/12 03:37, David W. Hodgins wrote:
    On Sat, 11 Aug 2012 15:46:24 -0400, Mike Scott <usenet.14@scottsonline.org.uk.invalid> wrote:

    But I've just created a 'test' account with no privileges at all; that
    works fine as well. I ran the following while my own 'mike' account was
    still logged in after getting the above:

    test@spock ~ $ getfacl /dev/sg2
    getfacl: Removing leading '/' from absolute path names
    # file: dev/sg2
    # owner: root
    # group: root
    user::rw-
    user:test:rw- <<<< ????
    group::---
    group:scanner:rw-
    mask::rw-
    other::---
    But how can my user 'test' - not in the scanner group - use the scanner?
    And where could the acl entries like
    user:test:rw-
    have come from?

    Most likely console-kit-daemon. See http://www.linuxfromscratch.org/blfs/view/cvs/postlfs/consolekit.html

    Regards, Dave Hodgins


    Hmmm. That does seem to be installed (obviously a Mint default; I've not touched this area at all. Looks as though the default setup provides a
    minor security loophole. Not nice.) No documentation or config stuff
    that I can find though.


    (BTW I think you've replied again to my original post, although I think
    the material's been covered in this subthread already)


    Thanks for the help and advice.





    --
    Mike Scott (unet2 <at> [deletethis] scottsonline.org.uk)
    Harlow Essex England

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: Scott family (110:300/1.1@linuxnet)