/usr/local/sbin/eject is installed setuid to root by default and the -f (force) option can be used by ANY user to unmount virtually any partition in /dev that he/she didn't mount. NOTES: + 1.- The most sensible way to do this would be to call /sbin/umount directly after dropping privileges or import its functionality and/or check both the MNT_USER flag in struct statfs's f_flags and f_owner and the real user ID. All of this is too much overkill for a program that essentially performs the same function that commands such as cdcontrol(8) and camcontrol(8) already do for ATAPI & ATAPI-CAM/SCSI CD-ROMS respectively, without root privileges and better... with /etc/devfs.conf providing enough flexibility and being well documented in the handbook. + 2.- This program seems to me to be to have been coded with absolutely no security in mind at all as if the "BINMODE= 4555" line in the Makefile was added later. It doesn't check the return value of some functions (the call to strdup() for example), no use of "const char *", uninitialized integers (e.g, "sts"), etc. Check also and line 145 of eject.c . The output of "gcc -Wall" (after the system's patches have been applied) is: $ gcc -Wall eject.c eject.c:63: warning: return type defaults to `int' eject.c: In function `check_device': eject.c:145: warning: char format, pointer arg (arg 3) eject.c: In function `unmount_fs': eject.c:192: warning: left-hand operand of comma expression has no effect + 3.- It happens independently of the value of vfs.usermount. (This is expected behavior anyway). + 4.- A shell script of mine is available to anyone upon request that extends the functionality of eject(1) that adds a -t option to close the CD tray that was never implemented by judging at CVS logs. It could be extended to use camcontrol so "camcontrol eject -n cd -u 0 -v" is analogous to "cdcontrol -f /dev/acd0 eject" to manage /dev/cdX devices. + 5.- A few months back, when the ext2fs wasn't as stable as it is today, I could have panicked my system with the Poc above. + 6. I just hope no problem arises from this advisory so no karma will ever reach me. =) Fix: Attached patch available (copy it to /usr/ports/sysutils/eject/files/ as patch-Makefile and reinstall) or simply run: chmod -s /usr/local/sbin/eject Patch attached with submission follows: How-To-Repeat: $ /bin/ls -lo /usr/local/sbin/eject -r-sr-xr-x 1 root wheel - 5872 Jun 26 2006 /usr/local/sbin/eject $ id uid=501(ighighi) gid=501(ighighi) groups=501(ighighi),69(network) $ /sbin/mount | grep ad3s7 /dev/ad3s7 on /mnt/linux/var (ext2fs, local, noatime, nosuid, read-only) $ /usr/local/sbin/eject -vf /dev/ad3s7 eject: using device eject: /dev/ad3s7 mounted on /mnt/linux/var eject: force unmounting /mnt/linux/var eject: ejecting media from /dev/ad3s7 eject: Inappropriate ioctl for device $ /sbin/mount -v | grep ad3s7
simon 2007-05-31 12:17:06 UTC FreeBSD ports repository Modified files: sysutils/eject Makefile Log: For now mark FORBIDDEN since it's setuid root and has security issues. This should probably be handled as mentioned in the PR, but I don't have time to look more into this right now. PR: ports/112754 Prodded by: Ighighi<ighighi@gmail.com> Revision Changes Path 1.12 +2 -0 ports/sysutils/eject/Makefile _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Besides the change suggested by the reporter, I would also recommend the following pkg-message: NOTE: This port is no longer installed with SETUID, because it allows non-privileged users to unmount a filesystem. To enable your users to eject the CD-ROM, install security/sudo and enter the following line in /usr/local/etc/sudoers: %users ALL=/usr/local/sbin/eject /dev/acd0
The setuid bit isn't necessary... It's documented in the handbook how to setup /etc/devfs.conf. Most people use the "operator" group for this but you may as well create "media" $ grep acd0 /etc/devfs.conf link acd0 cdrom own acd0 root:media perm acd0 0660 So, if "cdcontrol -f /dev/acd0 eject" works, there's no need at all for setuid eject(8). IMO, it's bad practice to abuse such bits when permissions suffice. On 7/18/07, Cristian KLEIN <cristi@net.utcluj.ro> wrote: > Besides the change suggested by the reporter, I would also recommend the > following pkg-message: > > NOTE: This port is no longer installed with SETUID, because it allows > non-privileged users to unmount a filesystem. To enable your users to > eject the CD-ROM, install security/sudo and enter the following line in > /usr/local/etc/sudoers: > > %users ALL=/usr/local/sbin/eject /dev/acd0 > >
sem 2007-08-04 09:33:17 UTC FreeBSD ports repository Modified files: sysutils/eject Makefile Added files: sysutils/eject pkg-message sysutils/eject/files patch-Makefile Log: - Remove FORBIDDEN - Add a patch to prevent install suid executable and message about it. PR: ports/112754 Submitted by: Ighighi <ighighi@gmail.com>, Cristian KLEIN <cristi@net.utcluj.ro> Revision Changes Path 1.13 +2 -3 ports/sysutils/eject/Makefile 1.1 +11 -0 ports/sysutils/eject/files/patch-Makefile (new) 1.1 +8 -0 ports/sysutils/eject/pkg-message (new) _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: open->closed Committed. Thanks!