Gentoo Forums
udev [059-070] bug discussions
apache
n00b

Joined: 20 Jul 2004
Posts: 60
Location: Austria

Posted: Mon Jul 11, 2005 10:51 am

gimpel wrote:
apache wrote:
JLP wrote:
Yeah I guess this is the bug. Permissions are set to root root here.

Hmm, permissions are set root:disk here for hdc and hdd (I have 2 dvd devices) and that's what it should be from the view of ide but it would be better, if udev separates the removable media from the hard disks and sets the right permissions for the different device types.


same here! currently using 0.60. seems 10-local.rules gets ignored or something


If you want, you can fix this by altering the subgroup line (change group to cdrom) above the cdsymlink rules and adding another above the disk devices (with group disk).

Btw. it seems that the .permissions files are ignored too, I tried to fix the dsp issue with some permission rules in 50-udev.permissions but it didn't do that.

gimpel
Advocate

Joined: 15 Oct 2004
Posts: 2720
Location: Munich, Bavaria

Posted: Mon Jul 11, 2005 10:57 am

apache wrote:
gimpel wrote:
apache wrote:
JLP wrote:
Yeah I guess this is the bug. Permissions are set to root root here.

Hmm, permissions are set root:disk here for hdc and hdd (I have 2 dvd devices) and that's what it should be from the view of ide but it would be better, if udev separates the removable media from the hard disks and sets the right permissions for the different device types.


same here! currently using 0.60. seems 10-local.rules gets ignored or something


If you want, you can fix this by altering the subgroup line (change group to cdrom) above the cdsymlink rules and adding another above the disk devices (with group disk).

Btw. it seems that the .permissions files are ignored too, I tried to fix the dsp issue with some permission rules in 50-udev.permissions but it didn't do that.


permissions.d/* is useless since 0.52

i have that in my /etc/udev/rules.d/10-local.rules:
Quote:
BUS="ide", KERNEL="hdc", GROUP="cdrw", MODE="0660", NAME="%k", SYMLINK="dvd cdroms/cdrom%n"
BUS="ide", KERNEL="hdd", GROUP="cdrw", MODE="0660", NAME="%k", SYMLINK="cdrecorder cdroms/cdrom%n"

and that worked fine 'till 0.58 :?

currently my "fix" (lol) is adding a chown root:cdrw on hdc and hdd in local.start :P i somehow don't want to set all my disks to cdrw/cdrom group...

i'm sure that it's just some sort of configuration issue... but what, how and where?
_________________
http://proaudio.tuxfamily.org/wiki - pro-audio software overlay

apache
n00b

Joined: 20 Jul 2004
Posts: 60
Location: Austria

Posted: Mon Jul 11, 2005 11:03 am

gimpel wrote:
permissions.d/* is useless since 0.52


Good to know that by now :-(

gimpel wrote:
currently my "fix" (lol) is adding a chown root:cdrw on hdc and hdd in local.start :P
i'm sure that it's just some sort of configuration issue... but what, how and where?


*lol* That's the standard fix for every permissions problem in gentoo :-)

gimpel
Advocate

Joined: 15 Oct 2004
Posts: 2720
Location: Munich, Bavaria

Posted: Mon Jul 11, 2005 11:17 am

humm, now i edited my /etc/udev/rules.d/10-local.rules to look like that:

Quote:
BUS="ide", KERNEL="hdc", GROUP="cdrw", MODE="0660", PROGRAM="/etc/udev/scripts/cdsymlinks.sh %k", SYMLINK="%c{1} %c{2} %c{3} %c{4} %c{5} %c{6}"
BUS="ide", KERNEL="hdd", GROUP="cdrw", MODE="0660", PROGRAM="/etc/udev/scripts/cdsymlinks.sh %k", SYMLINK="%c{1} %c{2} %c{3} %c{4} %c{5} %c{6}"


then for fun chown'ed hdc and hdd to root:disk, and after a udevstart:

Quote:
$ ls -l /dev/hdc
brw-rw---- 1 root cdrom 22, 0 7. Jul 00:42 /dev/hdc

lol, well, at least! god knows why... looks like cdsymlinks.sh has to be called explicitly for the cdrom devices _before_ 50-udev.rules is called and sets them to root:disk or something...

btw: i don't use pam-login, -pam globally, so it shouldn't be pam causing wrong perms. don't want to reboot now, next kernel update will show :P
_________________
http://proaudio.tuxfamily.org/wiki - pro-audio software overlay

manny15
Guru

Joined: 01 Dec 2002
Posts: 473
Location: USA

Posted: Wed Jul 13, 2005 10:20 pm

Adjusting /etc/udev/rules.d/10-local.rules didn't work for me. Instead...
Code:

emerge =sys-fs/udev-060
udevstart
echo "=sys-fs/udev-062" >>/etc/portage/package.mask

That'll keep that bastard at bay! Why were the permissions adjusted anyway? I went around in circles trying to figure out why grip had quit working. Developers, please, don't do that.

apache
n00b

Joined: 20 Jul 2004
Posts: 60
Location: Austria

Posted: Thu Jul 14, 2005 8:47 pm

manny15 wrote:

Code:

emerge =sys-fs/udev-060
udevstart
echo "=sys-fs/udev-062" >>/etc/portage/package.mask



I don't recommend that because of the cdsymlink bug in udev-060, the last really stable version was udev-058.

manny15
Guru

Joined: 01 Dec 2002
Posts: 473
Location: USA

Posted: Thu Jul 14, 2005 9:35 pm

oh, ok. I used 0.60 because that was the prior version I had, and it worked fine (it seems like it anyway). For some reason, I had a bad feeling when I noticed an update for udev (0.60 -> 0.62). Maybe it's from experience. But that's the sacrifice for living on the edge :)

apache
n00b

Joined: 20 Jul 2004
Posts: 60
Location: Austria

Posted: Fri Jul 15, 2005 7:19 am

manny15 wrote:
For some reason, I had a bad feeling when I noticed an update for udev (0.60 -> 0.62).


Well, 061 was totally broken, they removed it from portage.

drphibes
Guru

Joined: 30 Nov 2004
Posts: 432

Posted: Fri Jul 15, 2005 4:08 pm

udev-063 is out. claims to fix cdrom permission issue (bug #98290) and raw1394 issue (bug #98824), possibly others.

drphibes
Guru

Joined: 30 Nov 2004
Posts: 432

Posted: Fri Jul 15, 2005 4:19 pm

https://forums.gentoo.org/viewtopic-t-359880-start-0-postdays-0-postorder-asc-highlight-.html

another permissions concern for the hd devices.

DumbMan
n00b

Joined: 27 Feb 2004
Posts: 31

Posted: Fri Jul 15, 2005 4:25 pm

Thanks drphibes,
Here is the post:
Quote:

Hi all,

The latest udev-0.63 solved the issue with the "cdrom" group (hdc and hdd are now root:cdrom)

But I wonder, is it normal to have my hard drives (hda and hdb) as root:disk when all partitions on these drives appear as root:root?
Is there any specific need/reason to have partitions and drives in different groups?

Code:

ls -l hd*
brw-rw----  1 root disk   3,  0 Jul 15 12:36 hda
brw-rw----  1 root root   3,  1 Jul 15 12:36 hda1
brw-rw----  1 root root   3, 10 Jul 15 12:36 hda10
brw-rw----  1 root root   3, 11 Jul 15 12:36 hda11
brw-rw----  1 root root   3, 12 Jul 15 12:36 hda12
brw-rw----  1 root root   3,  2 Jul 15 12:36 hda2
brw-rw----  1 root root   3,  3 Jul 15 12:36 hda3
brw-rw----  1 root root   3,  5 Jul 15 12:36 hda5
brw-rw----  1 root root   3,  6 Jul 15 12:36 hda6
brw-rw----  1 root root   3,  7 Jul 15 12:36 hda7
brw-rw----  1 root root   3,  8 Jul 15 12:36 hda8
brw-rw----  1 root root   3,  9 Jul 15 12:36 hda9
brw-rw----  1 root disk   3, 64 Jul 15 12:36 hdb
brw-rw----  1 root root   3, 65 Jul 15 12:36 hdb1
brw-rw----  1 root root   3, 66 Jul 15 12:36 hdb2
brw-rw----  1 root root   3, 69 Jul 15 12:36 hdb5
brw-rw----  1 root root   3, 70 Jul 15 12:36 hdb6
brw-rw----  1 root cdrom 22,  0 Jul 15 12:36 hdc
brw-rw----  1 root cdrom 22, 64 Jul 15 12:36 hdd


Any ideas?



Dumbman

drphibes
Guru

Joined: 30 Nov 2004
Posts: 432

Posted: Fri Jul 15, 2005 5:02 pm

it is an interesting observation, that the partition block device gid != main partition gid. my suggestion is to post a bug to https://bugs.gentoo.org/, subject "udev 063 inconsistent gid on hd partition devices," copy your ls -l output and let fly. greg will respond very quickly with comments. he's probably watching bugzilla very carefully these days, and he's a principal udev maintainer and a gentoo dev.

apache
n00b

Joined: 20 Jul 2004
Posts: 60
Location: Austria

Posted: Fri Jul 15, 2005 5:12 pm

DumbMan wrote:
Thanks drphibes,
Here is the post:
Quote:

Hi all,

The latest udev-0.63 solved the issue with the "cdrom" group (hdc and hdd are now root:cdrom)

But I wonder, is it normal to have my hard drives (hda and hdb) as root:disk when all partitions on these drives appear as root:root?
Is there any specific need/reason to have partitions and drives in different groups?

Code:

ls -l hd*
brw-rw----  1 root disk   3,  0 Jul 15 12:36 hda
brw-rw----  1 root root   3,  1 Jul 15 12:36 hda1
brw-rw----  1 root root   3, 10 Jul 15 12:36 hda10
brw-rw----  1 root root   3, 11 Jul 15 12:36 hda11
brw-rw----  1 root root   3, 12 Jul 15 12:36 hda12
brw-rw----  1 root root   3,  2 Jul 15 12:36 hda2
brw-rw----  1 root root   3,  3 Jul 15 12:36 hda3
brw-rw----  1 root root   3,  5 Jul 15 12:36 hda5
brw-rw----  1 root root   3,  6 Jul 15 12:36 hda6
brw-rw----  1 root root   3,  7 Jul 15 12:36 hda7
brw-rw----  1 root root   3,  8 Jul 15 12:36 hda8
brw-rw----  1 root root   3,  9 Jul 15 12:36 hda9
brw-rw----  1 root disk   3, 64 Jul 15 12:36 hdb
brw-rw----  1 root root   3, 65 Jul 15 12:36 hdb1
brw-rw----  1 root root   3, 66 Jul 15 12:36 hdb2
brw-rw----  1 root root   3, 69 Jul 15 12:36 hdb5
brw-rw----  1 root root   3, 70 Jul 15 12:36 hdb6
brw-rw----  1 root cdrom 22,  0 Jul 15 12:36 hdc
brw-rw----  1 root cdrom 22, 64 Jul 15 12:36 hdd


Any ideas?



Dumbman


Oh, I think that's a clever permissions management, better than setting all to root:root. The reason why every partition is root:root is that only root should be able to mount them (just forget etc/fstab at this point). Giving root:disk to the disks themselves separates them logically from the partitions and gives you the possibility to allow certain users disk operations without granting them root access.

DumbMan
n00b

Joined: 27 Feb 2004
Posts: 31

Posted: Fri Jul 15, 2005 6:08 pm

Well, after taking a closer look at
Quote:
/etc/udev/scripts/ide-devfs.sh
and
Quote:
/etc/udev/rules.d/50-udev.rules
it turns out that the group distinction drive-partition is made on purpose.
A special check is made to distinguish between drives and partitions, so I don't think it's a bug.

But I still can't see the advantage of having separate groups for drives and partitions. I mean, if I'm part of the "disk" group, and hence I can access hda, what would be the operations that I could not do to hda partitions?

apache, can you please give some examples? (sorry, I'm still a noob :D )

apache
n00b

Joined: 20 Jul 2004
Posts: 60
Location: Austria

Posted: Fri Jul 15, 2005 6:54 pm

DumbMan wrote:
But I still can't see the advantage of having separate groups for drives and partitions. I mean, if I'm part of the "disk" group, and hence I can access hda, what would be the operations that I could not do to hda partitions?

apache, can you please give some examples? (sorry, I'm still a noob :D )


In your case there is no advantage but also no disadvantage but there are some cases where it could help. For example, I administrate some servers with shared drives (and some other applications) for currently 350 users and over night there is a cron job doing backup and maintenance operations and there I'm using that kind of permissions.

DumbMan
n00b

Joined: 27 Feb 2004
Posts: 31

Posted: Fri Jul 15, 2005 8:43 pm

Thanks apache, I get the idea now.

That's why I installed Gentoo anyway, I'm learning every day :D

Dumbman

Matteo Azzali
Retired Dev

Joined: 23 Sep 2004
Posts: 1133

Posted: Sat Jul 16, 2005 11:07 pm

Headrush wrote:
Lawless wrote:
From the changelog

Code:

01 Jul 2005; Greg Kroah-Hartman <gregkh@gentoo.org> +udev-059.ebuild:
  059 release
 
  Note this is _very_ experimental still.  Not quite sure if /etc/dev.d/
  rules still run properly, but booting should still work just fine (as
  long as your boot partitions aren't under some crazy-whack rule...)


:x

Another case of people being ~x86 emerge happy without reading the changelog.


Lol, I'm the last and only one to have old ~x86 system-wide Keyword (in make.conf)?
However, wish that all packages got bugfixed and released as fast as udev,
got 063 and is working fine.
_________________
Every day a new distro comes to birth. Every day a distro "eats" another.
If you're born distro, no matter what, start to run.
---- http://www.linuxprinting.org/ ---- http://tuxmobil.org/

Gergan Penkov
Veteran

Joined: 17 Jul 2004
Posts: 1464
Location: das kleinste Kuhdorf Deutschlands :)

Posted: Sun Jul 17, 2005 10:07 pm

I have a simple question, is it possible for someone in group disk, if the whole discs are with root:disk permission, to get a raw access for it and overwrite for example the partition table?
_________________
"I knew when an angel whispered into my ear,
You gotta get him away, yeah
Hey little bitch!
Be glad you finally walked away or you may have not lived another day."
Godsmack

apache
n00b

Joined: 20 Jul 2004
Posts: 60
Location: Austria

Posted: Mon Jul 18, 2005 5:30 am

Gergan Penkov wrote:
I have a simple question, is it possible for someone in group disk, if the whole discs are with root:disk permission, to get a raw access for it and overwrite for example the partition table?

I never tried this but I think it must be possible. I will make a test with an old disk this evening.

apache
n00b

Joined: 20 Jul 2004
Posts: 60
Location: Austria

Posted: Tue Jul 19, 2005 5:13 pm

Ok, here is the answer to your question:

I didn't try to alter the disks but there is something more worrying. While it's not possible to run cat /dev/hda1 > /home/foobar/out.txt as normal user, a member of the disk group can just run cat /dev/hda > /home/foobar/out.txt .

I don't think that it's very difficult to extract whatever you want out of the outcoming file: passwords, whole files, ... The only thing you will need is some knowledge of file systems and a good program doing the rest *g*

Or in other words, members of group disk have access to the whole disk.

Gergan Penkov
Veteran

Joined: 17 Jul 2004
Posts: 1464
Location: das kleinste Kuhdorf Deutschlands :)

Posted: Sun Jul 24, 2005 1:28 am

I would say we must file a security-bug for this, because normally a user would receive disc group only if for example he should be able to write to cdroms or sth like this, but writing to the base hard-disc is to stay root-prerogative for the time being (at least as a default rule).
_________________
"I knew when an angel whispered into my ear,
You gotta get him away, yeah
Hey little bitch!
Be glad you finally walked away or you may have not lived another day."
Godsmack

drphibes
Guru

Joined: 30 Nov 2004
Posts: 432

Posted: Sun Jul 24, 2005 1:47 am

yeah i have to agree. ordinary users with group disk should not be able to do things like this:
Code:
 dd if=/dev/zero of=/dev/hda
and zero out the whole disk.
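
The exposure described in apache's and drphibes's posts above (a member of group disk reading or overwriting /dev/hda) can be audited by matching the group ownership of block device nodes against group membership. This is an added example, not part of any post in this thread; the sample listing and /etc/group content are constructed, and the user names are hypothetical.

```python
"""Audit which non-root users reach block devices through group ownership."""
import re

# Constructed listing in the format of the `ls -l hd*` output quoted in the thread.
SAMPLE_LS = """\
brw-rw----  1 root disk   3,  0 Jul 15 12:36 hda
brw-rw----  1 root root   3,  1 Jul 15 12:36 hda1
brw-rw----  1 root disk   3, 64 Jul 15 12:36 hdb
brw-rw----  1 root cdrom 22,  0 Jul 15 12:36 hdc
"""
# Constructed /etc/group content; the user names are hypothetical.
SAMPLE_GROUP = """\
root:x:0:root
disk:x:6:root,backup,alice
cdrom:x:19:alice,bob
"""

# b<owner rwx><group rwx><other rwx>  links  owner  group  major, minor  date  name
LS_RE = re.compile(r"^b[r-][w-][x-]([r-])([w-])[x-]\S*\s+\d+\s+(\S+)\s+(\S+)\s+"
                   r"\d+,\s*\d+\s+.*\s(\S+)$")

def parse_ls(text):
    """Yield (name, group, group_can_read, group_can_write) per block device."""
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            g_read, g_write, _owner, group, name = m.groups()
            yield name, group, g_read == "r", g_write == "w"

def parse_group(text):
    """Map group name -> supplementary members listed in /etc/group."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4:
            groups[fields[0]] = {u for u in fields[3].split(",") if u}
    return groups

def audit(ls_text, group_text):
    """Return {device: {"read": [...], "write": [...]}} for non-root members."""
    # Users whose primary group (set in /etc/passwd) owns the device are not covered.
    groups = parse_group(group_text)
    findings = {}
    for name, group, can_read, can_write in parse_ls(ls_text):
        users = sorted(groups.get(group, set()) - {"root"})
        if users and (can_read or can_write):
            findings[name] = {"read": users if can_read else [],
                              "write": users if can_write else []}
    return findings

if __name__ == "__main__":
    for dev, access in audit(SAMPLE_LS, SAMPLE_GROUP).items():
        print(f"/dev/{dev}: read={access['read']} write={access['write']}")
```

On a live system, pass the output of `ls -l /dev` and the contents of `/etc/group` to `audit()`; any whole-disk node that appears in the result is readable or writable by the listed accounts without root.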

apache
n00b

Joined: 20 Jul 2004
Posts: 60
Location: Austria

Posted: Sun Jul 24, 2005 12:51 pm

Is there already a report about that or should I open a new one (just want to prevent duplicates)?

Gergan Penkov
Veteran

Joined: 17 Jul 2004
Posts: 1464
Location: das kleinste Kuhdorf Deutschlands :)

Posted: Sun Jul 24, 2005 1:05 pm

apache I think, you could open it, because you have tested it. Probably, you must wait for drphibes to affirm, that he has not filed a bug-report for this issue or simply search the bugzilla.
_________________
"I knew when an angel whispered into my ear,
You gotta get him away, yeah
Hey little bitch!
Be glad you finally walked away or you may have not lived another day."
Godsmack

apache
n00b

Joined: 20 Jul 2004
Posts: 60
Location: Austria

Posted: Sun Jul 24, 2005 1:42 pm

Ok, I will open one under Gentoo Security.

EDIT: Here is the link: https://bugs.gentoo.org/show_bug.cgi?id=100115

All times are GMT
Page 3 of 7