Date: Sat, 17 Feb 2024 16:41:34 -0600
From: Vincent Stemen <vince.bsd@hightek.org>
To: freebsd-stable@freebsd.org
Subject: gpart device permissions security hole (/dev/geom.ctl)
Message-ID: <ZdE2Hm6y5Fel2etP@marble.hightek.org>

Hi.

In the process of writing some systems administration tools on FreeBSD 13.1-RELEASE to custom partition drives and set up computers for our network and our customers, I have discovered that any user belonging to the 'operator' group has the power to completely delete the partition table and wipe out the whole system, just because the drive devices belong to that group, even if there is no read or write access to the devices by the group.

I had to do a lot of research to find out, via mention on the FreeBSD IRC after I asked and had considerable discussion, that these permissions are granted by just having read access for the group for /dev/geom.ctl. I found no documentation in general searches explaining this and no mention of it in the man pages such as for gpart or geom.

It seems like a bizarre design choice to me. It is very counterintuitive to see devices that have no write access and even no read access, yet be able to do something as critical as delete the entire partition table by just belonging to the group. I have been a Unix systems administrator for well over 35 years and it's not uncommon for administrators to belong to the operator group for restricted admin tasks. It is completely unexpected to discover the user can wipe out the whole system.

https://unix.stackexchange.com/questions/11638/what-is-the-point-of-the-operator-user

    The concept of operators origins from the second generation of computers. The operator was responsible for putting the cards on the machine for execution. When the execution was done, the operator would collect the output and the cards and deliver them back to the programmer. During the third generation, when the first UNIXes appeared, ... the user operator on UNIX systems was meant for doing low privileged administrative tasks (replacing tapes, backups, maintenance, etc.).

This is the purpose I have always understood and used the operator group for in a variety of different Unix systems during all the years I have been a systems administrator.

I have always thought that FreeBSD put high priority and great pride in the security of the system, but this is a substantial security hole. I only discovered it by complete accident during the development of our in-house tools when I ran the scripts from my normal user account, which also belongs to the operator group, during testing, expecting to get permission denied errors, only to discover it successfully wiped out and re-wrote the partition table. Luckily I had specified my test device that was not being used on the live running system.

I don't know the rationale behind this design decision, and perhaps there are good reasons for it from certain perspectives, but whatever it is, it does not change the fact that it creates a massive security hole in FreeBSD that even the most seasoned systems administrator can easily and unexpectedly fall into.

Here are the default permissions for geom.ctl.

    crw-r-----  1 root operator 0xa Nov 16 11:50 /dev/geom.ctl

Here are the default permissions for the devices.

    crw-r-----  1 root operator 0x53 Nov 16 11:50 /dev/ada0
    crw-r-----  1 root operator 0x55 Nov 16 11:50 /dev/ada0p1
    ...

This is not limited, of course, to the operator group. I can change the group on the drive devices to any other group that I am a member of and even remove read permission for the group on the drives and can still delete the partition table.

I have never seen such behaviour in any other Unix environment.
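Added example (not part of the original message and not FreeBSD project code): a shell audit that flags group or world read access on /dev/geom.ctl, the condition the message reports as sufficient to rewrite partition tables, and lists the group members that would inherit it. The function name, the locked-down sample listing, and the members alice and bob are constructed for illustration.

```shell
#!/bin/sh
# Audit who, besides the owner, can open /dev/geom.ctl.
# Premise (from the message above): read access on /dev/geom.ctl is what
# lets a user modify partition tables, regardless of the modes on the
# /dev/adaX nodes themselves.

# audit_geom_ctl LISTING GROUPDB
#   LISTING: text in `ls -l /dev/geom.ctl` format
#   GROUPDB: text in /etc/group format
# Prints one finding per line, nothing if only the owner can read the node.
# Limitation: users whose *primary* group matches are recorded in
# /etc/passwd, not /etc/group, and are not listed here.
audit_geom_ctl() {
    printf '%s\n' "$1" | GEOM_GROUP_DB="$2" awk '
    $NF == "/dev/geom.ctl" {
        mode = $1; grp = $4
        # Mode string layout: type, owner rwx (2-4), group (5-7), other (8-10)
        if (substr(mode, 5, 1) == "r") {
            members = "(none listed)"
            n = split(ENVIRON["GEOM_GROUP_DB"], line, "\n")
            for (i = 1; i <= n; i++) {
                split(line[i], f, ":")
                if (f[1] == grp && f[4] != "") members = f[4]
            }
            print "group-read: " grp " members=" members
        }
        if (substr(mode, 8, 1) == "r") print "world-read: any local user"
    }'
}

# Constructed sample data: the default mode quoted in the message, a
# hypothetical locked-down mode, and a hypothetical /etc/group excerpt.
SAMPLE_DEFAULT='crw-r-----  1 root operator 0xa Nov 16 11:50 /dev/geom.ctl'
SAMPLE_LOCKED='crw-------  1 root wheel 0xa Nov 16 11:50 /dev/geom.ctl'
SAMPLE_GROUP='wheel:*:0:root
operator:*:5:root,alice,bob'

echo "default:"; audit_geom_ctl "$SAMPLE_DEFAULT" "$SAMPLE_GROUP"
echo "locked:";  audit_geom_ctl "$SAMPLE_LOCKED" "$SAMPLE_GROUP"

# On a live system:
#   audit_geom_ctl "$(ls -l /dev/geom.ctl)" "$(cat /etc/group)"
```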