Date:      Tue, 19 Nov 2002 17:46:52 +1100
From:      Tim Robbins <tjr@FreeBSD.ORG>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        current@FreeBSD.ORG
Subject:   Re: Device permissions with DEVFS
Message-ID:  <20021119174652.A74461@dilbert.robbins.dropbear.id.au>
In-Reply-To: <20021119050304.GA2608@rot13.obsecurity.org>; from kris@obsecurity.org on Mon, Nov 18, 2002 at 09:03:06PM -0800
References:  <20021119050304.GA2608@rot13.obsecurity.org>

On Mon, Nov 18, 2002 at 09:03:06PM -0800, Kris Kennaway wrote:

> Something that needs to be addressed before 5.0 is the insecure
> default permissions on many devices.  For example, on my system, the
> following devices have insecure permissions on 5.0 (but not on 4.x
> with the default MAKEDEV settings):
> 
> crw-r--r--  1 root   operator  117,   0 Nov 18 14:49 acd0
> 
> crw-rw-rw-  1 root   wheel      21,   1 Nov 18 14:49 psm0
> 
> crw-rw-rw-  1 root   wheel     180,   0 Nov 18 14:49 nvidia0
> (This one isn't part of FreeBSD, but I might as well report it now)
> 
> crw-rw-rw-  1 root  wheel      30,   3 Nov 14 21:30 dsp0.0
> crw-rw-rw-  1 root  wheel      30, 0x00010003 Nov  8 23:38 dsp0.1
> crw-rw-rw-  1 root  wheel      30,   5 Nov  8 23:38 dspW0.0
> crw-rw-rw-  1 root  wheel      30, 0x00010005 Nov  8 23:38 dspW0.1
> crw-rw-rw-  1 root  wheel      30,  11 Nov  8 23:38 dspr0.0
> 
> These have the same permissions on 4.x, but they're still insecure
> (unprivileged users can read from a microphone).
> 
> I'm sure there are others I have missed.  Could everyone please check
> their /dev (better, check the kernel source)?

I'm glad you brought this up... I'd like to see /dev/devctl made mode 600
instead of 644 because it does not look very robust and because only one
devctl can be open at a time.

The two other security/reliability bugs I can see are that the async
(ioctl FIOASYNC) and non-blocking (ioctl FIONBIO) flags are not cleared
between when one process closes the device and another opens it. Leaving
the non-blocking flag set confuses devd(8), causing it to exit immediately.
Leaving the async I/O flag set could cause the kernel to try to send
SIGIO with a stale thread pointer, possibly leading to a panic or the
wrong thread getting the signal.

I suggest this patch...

 o More restrictive permissions on /dev/devctl (was 644, now 600)
 o Clear nonblock and async flags across open/close

Index: subr_bus.c
===================================================================
RCS file: /x/freebsd/src/sys/kern/subr_bus.c,v
retrieving revision 1.116
diff -u -r1.116 subr_bus.c
--- subr_bus.c	7 Nov 2002 22:38:04 -0000	1.116
+++ subr_bus.c	19 Nov 2002 06:14:06 -0000
@@ -248,7 +248,7 @@
 static void
 devinit(void)
 {
-	devctl_dev = make_dev(&dev_cdevsw, 0, 0, 0, 0644, "devctl");
+	devctl_dev = make_dev(&dev_cdevsw, 0, 0, 0, 0600, "devctl");
 	mtx_init(&devsoftc.mtx, "dev mtx", "devd", MTX_DEF);
 	cv_init(&devsoftc.cv, "dev cv");
 	TAILQ_INIT(&devsoftc.devq);
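Review bot: the mode change in devinit() is the whole of the permission fix, and since the same make_dev() call passes uid 0 and gid 0, 0600 leaves devctl usable only by root, which matches the one-reader-at-a-time design described in the message; the commit message should say so explicitly, because any non-root consumer that previously relied on the 0644 default will now need its access granted deliberately rather than inherited from the node's default mode.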
@@ -261,6 +261,9 @@
 		return (EBUSY);
 	/* move to init */
 	devsoftc.inuse = 1;
+	devsoftc.nonblock = 0;
+	devsoftc.async = 0;
+	devsoftc.async_td = NULL;
 	return (0);
 }
 
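Review bot: clearing nonblock, async and async_td in devopen() only resets state once the next opener arrives, so the window between devclose() and that next open still holds the previous process's async_td; any SIGIO delivery attempted from devaddq() in that window would see the stale pointer the message warns about. Consider also clearing the three fields in devclose() (or moving the reset there), and note that the `inuse` check and the `devsoftc.inuse = 1;` assignment are still not under the softc mutex, so two concurrent opens can both pass the EBUSY test.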

It looks like there are some races involving devsoftc; the softc mutex
should probably be locked around checking the inuse flag in devopen(),
around clearing it in devclose(), around setting async and async_td in
devioctl() FIOASYNC case, and around checking inuse and async_td in
devaddq().


Tim
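The flag-carryover bug described in the message, as an added user-space model written for this page and not taken from the FreeBSD source: a constructed softc struct with a buggy open that inherits the previous opener's FIONBIO/FIOASYNC state beside the patched open that resets it, so a second opener either sees stale flags or a clean device.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for the kernel's devsoftc; the real struct has more fields. */
struct devsoftc_model {
    int   inuse;
    int   nonblock;   /* set by FIONBIO */
    int   async;      /* set by FIOASYNC */
    void *async_td;   /* stands in for the struct thread * used for SIGIO */
};

/* Pre-patch behaviour: open only claims the device, per-open flags are untouched. */
static int devopen_buggy(struct devsoftc_model *sc)
{
    if (sc->inuse)
        return EBUSY;
    sc->inuse = 1;
    return 0;
}

/* Patched behaviour: reset the per-open state at every successful open. */
static int devopen_fixed(struct devsoftc_model *sc)
{
    if (sc->inuse)
        return EBUSY;
    sc->inuse = 1;
    sc->nonblock = 0;
    sc->async = 0;
    sc->async_td = NULL;
    return 0;
}

/* Both versions of devclose() only release the device. */
static void devclose_model(struct devsoftc_model *sc) { sc->inuse = 0; }

/* Model of the FIONBIO / FIOASYNC ioctl cases: record the flags and the calling thread. */
static void devioctl_model(struct devsoftc_model *sc, bool nonblock, bool async, void *td)
{
    sc->nonblock = nonblock;
    sc->async = async;
    sc->async_td = async ? td : NULL;
}

/* Scenario: process A opens, sets both flags, exits; process B opens next.
 * Returns 1 if B inherits any of A's state, 0 if it sees a clean device, -1 on open failure. */
static int reopen_inherits_stale_flags(int (*open_fn)(struct devsoftc_model *))
{
    struct devsoftc_model sc = {0};
    int thread_a;                       /* address used as A's fake thread pointer */
    if (open_fn(&sc) != 0) return -1;
    devioctl_model(&sc, true, true, &thread_a);
    devclose_model(&sc);                /* A exits without clearing anything */
    if (open_fn(&sc) != 0) return -1;
    return (sc.nonblock || sc.async || sc.async_td != NULL) ? 1 : 0;
}
```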
