| 1 |
Matthias Schwarzott <zzam@g.o> posted |
| 2 |
200709051138.53143.zzam@g.o, excerpted below, on Wed, 05 Sep 2007 |
| 3 |
11:38:52 +0200: |
| 4 |
|
| 5 |
> On Mittwoch, 5. September 2007, Rémi Cardona wrote: |
| 6 |
>> Maybe some of those groups could be merged (cdrom, cdrw) or dropped |
| 7 |
>> (tape maybe?) |
| 8 |
>> |
| 9 |
> I guess this is ok, as for normal burning cdrom for now does grant all |
| 10 |
> permissions. |
| 11 |
> Only questionable thing is: Isn't a user with write permission to cdroms |
| 12 |
> able to modify firmware ... ? |
| 13 |
|
| 14 |
There is... or used to be anyway... additional security implications |
| 15 |
here. udev is close enough to the kernel that perhaps you know all about |
| 16 |
the below and are already considering whatever implications remain in |
| 17 |
current kernels, but if not, getting kernel and/or security involved in |
| 18 |
this may be useful. I don't know what current status is on this, thus |
| 19 |
the suggestion to involve security/kernel, but: |
| 20 |
|
| 21 |
2.6.8 and CD recording (LWN.net, 2004, Aug 18) |
| 22 |
http://lwn.net/Articles/98379/ |
| 23 |
|
| 24 |
SCSI command filtering (LWN.net, 2006, July 31) |
| 25 |
http://lwn.net/Articles/193516/ |
| 26 |
|
| 27 |
The gist of which is that under certain circumstances, users with CD/DVD |
| 28 |
write permissions may be able to scramble other SCSI devices as well. |
| 29 |
With libata SCSI emulated SATA and PATA, that's potentially any hard |
| 30 |
drive on a modern system. Shades of malware that holds your data for |
| 31 |
ransom ("Wire me $1000 and I'll email you the unlock password."), anyone? |
| 32 |
|
| 33 |
-- |
| 34 |
Duncan - List replies preferred. No HTML msgs. |
| 35 |
"Every nonfree program has a lord, a master -- |
| 36 |
and if you use the program, he is your master." Richard Stallman |
| 37 |
|
| 38 |
-- |
| 39 |
gentoo-dev@g.o mailing list |
Archives