apache n00b
Joined: 20 Jul 2004 Posts: 60 Location: Austria
Posted: Mon Jul 11, 2005 10:51 am

> gimpel wrote:
> > apache wrote:
> > > JLP wrote: Yeah I guess this is the bug. Permissions are set to root root here.
> > Hmm, permissions are set root:disk here for hdc and hdd (I have 2 dvd devices) and that's what it should be from the view of ide, but it would be better if udev separates the removable media from the hard disks and sets the right permissions for the different device types.
> same here! currently using 0.60. seems 10-local.rules gets ignored or something

If you want, you can fix this by altering the subgroup line (change group to cdrom) above the cdsymlink rules and adding another above the disk devices (with group disk).
Btw. it seems that the .permissions files are ignored too; I tried to fix the dsp issue with some permission rules in 50-udev.permissions but it didn't do that.

gimpel Advocate
Joined: 15 Oct 2004 Posts: 2720 Location: Munich, Bavaria
Posted: Mon Jul 11, 2005 10:57 am

> apache wrote:
> > gimpel wrote:
> > > apache wrote:
> > > > JLP wrote: Yeah I guess this is the bug. Permissions are set to root root here.
> > > Hmm, permissions are set root:disk here for hdc and hdd (I have 2 dvd devices) and that's what it should be from the view of ide, but it would be better if udev separates the removable media from the hard disks and sets the right permissions for the different device types.
> > same here! currently using 0.60. seems 10-local.rules gets ignored or something
> If you want, you can fix this by altering the subgroup line (change group to cdrom) above the cdsymlink rules and adding another above the disk devices (with group disk).
> Btw. it seems that the .permissions files are ignored too; I tried to fix the dsp issue with some permission rules in 50-udev.permissions but it didn't do that.

permissions.d/* is useless since 0.52
i have that in my /etc/udev/rules.d/10-local.rules:

```
BUS="ide", KERNEL="hdc", GROUP="cdrw", MODE="0660", NAME="%k", SYMLINK="dvd cdroms/cdrom%n"
BUS="ide", KERNEL="hdd", GROUP="cdrw", MODE="0660", NAME="%k", SYMLINK="cdrecorder cdroms/cdrom%n"
```

and that worked fine 'till 0.58
currently my "fix" (lol) is adding a chown root:cdrw on hdc and hdd in local.start; i somehow don't want to set all my disks to cdrw/cdrom group...
i'm sure that it's just some sort of configuration issue... but what, how and where?
_________________
http://proaudio.tuxfamily.org/wiki - pro-audio software overlay

apache n00b
Joined: 20 Jul 2004 Posts: 60 Location: Austria
Posted: Mon Jul 11, 2005 11:03 am

> gimpel wrote: permissions.d/* is useless since 0.52

Good to know that by now.

> gimpel wrote: currently my "fix" (lol) is adding a chown root:cdrw on hdc and hdd in local.start
> i'm sure that it's just some sort of configuration issue... but what, how and where?

*lol* That's the standard fix for every permissions problem in gentoo :-)

gimpel Advocate
Joined: 15 Oct 2004 Posts: 2720 Location: Munich, Bavaria
Posted: Mon Jul 11, 2005 11:17 am

humm, now i edited my /etc/udev/rules.d/10-local.rules to look like that:

```
BUS="ide", KERNEL="hdc", GROUP="cdrw", MODE="0660", PROGRAM="/etc/udev/scripts/cdsymlinks.sh %k", SYMLINK="%c{1} %c{2} %c{3} %c{4} %c{5} %c{6}"
BUS="ide", KERNEL="hdd", GROUP="cdrw", MODE="0660", PROGRAM="/etc/udev/scripts/cdsymlinks.sh %k", SYMLINK="%c{1} %c{2} %c{3} %c{4} %c{5} %c{6}"
```

then for fun chown'ed hdc and hdd to root:disk, and after a udevstart:

```
$ ls -l /dev/hdc
brw-rw---- 1 root cdrom 22, 0 7. Jul 00:42 /dev/hdc
```

lol, well, at least! god knows why... looks like cdsymlinks.sh has to be called explicitly for the cdrom devices _before_ 50-udev.rules is called and sets them to root:disk or something...
btw: i don't use pam-login, -pam globally, so it shouldn't be pam causing wrong perms. don't want to reboot now, next kernel update will show :P

manny15 Guru
Joined: 01 Dec 2002 Posts: 473 Location: USA
Posted: Wed Jul 13, 2005 10:20 pm

Adjusting /etc/udev/rules.d/10-local.rules didn't work for me. Instead...

```
emerge =sys-fs/udev-060
udevstart
echo "=sys-fs/udev-062" >>/etc/portage/package.mask
```

That'll keep that bastard at bay! Why were the permissions adjusted anyway? I went around in circles trying to figure out why grip had quit working. Developers, please, don't do that.

apache n00b
Joined: 20 Jul 2004 Posts: 60 Location: Austria
Posted: Thu Jul 14, 2005 8:47 pm

> manny15 wrote:
> ```
> emerge =sys-fs/udev-060
> udevstart
> echo "=sys-fs/udev-062" >>/etc/portage/package.mask
> ```

I don't recommend that because of the cdsymlink bug in udev-060; the last really stable version was udev-058.

manny15 Guru
Joined: 01 Dec 2002 Posts: 473 Location: USA
Posted: Thu Jul 14, 2005 9:35 pm

oh, ok. I used 0.60 because that was the prior version I had, and it worked fine (it seems like it anyway). For some reason, I had a bad feeling when I noticed an update for udev (0.60 -> 0.62). Maybe it's from experience. But that's the sacrifice for living on the edge :)

apache n00b
Joined: 20 Jul 2004 Posts: 60 Location: Austria
Posted: Fri Jul 15, 2005 7:19 am

> manny15 wrote: For some reason, I had a bad feeling when I noticed an update for udev (0.60 -> 0.62).

Well, 061 was totally broken, they removed it from portage.

drphibes Guru
Joined: 30 Nov 2004 Posts: 432
Posted: Fri Jul 15, 2005 4:08 pm

udev-063 is out. claims to fix cdrom permission issue (bug #98290) and raw1394 issue (bug #98824), possibly others.

DumbMan n00b
Joined: 27 Feb 2004 Posts: 31
Posted: Fri Jul 15, 2005 4:25 pm

Thanks drphibes,
Here is the post:

> Hi all,
> The latest udev-0.63 solved the issue with the "cdrom" group (hdc and hdd are now root:cdrom)
> But I wonder, is it normal to have my hard drives (hda and hdb) as root:disk when all partitions on these drives appear as root:root?
> Is there any specific need/reason to have partitions and drives in different groups?
> ```
> ls -l hd*
> brw-rw---- 1 root disk 3, 0 Jul 15 12:36 hda
> brw-rw---- 1 root root 3, 1 Jul 15 12:36 hda1
> brw-rw---- 1 root root 3, 10 Jul 15 12:36 hda10
> brw-rw---- 1 root root 3, 11 Jul 15 12:36 hda11
> brw-rw---- 1 root root 3, 12 Jul 15 12:36 hda12
> brw-rw---- 1 root root 3, 2 Jul 15 12:36 hda2
> brw-rw---- 1 root root 3, 3 Jul 15 12:36 hda3
> brw-rw---- 1 root root 3, 5 Jul 15 12:36 hda5
> brw-rw---- 1 root root 3, 6 Jul 15 12:36 hda6
> brw-rw---- 1 root root 3, 7 Jul 15 12:36 hda7
> brw-rw---- 1 root root 3, 8 Jul 15 12:36 hda8
> brw-rw---- 1 root root 3, 9 Jul 15 12:36 hda9
> brw-rw---- 1 root disk 3, 64 Jul 15 12:36 hdb
> brw-rw---- 1 root root 3, 65 Jul 15 12:36 hdb1
> brw-rw---- 1 root root 3, 66 Jul 15 12:36 hdb2
> brw-rw---- 1 root root 3, 69 Jul 15 12:36 hdb5
> brw-rw---- 1 root root 3, 70 Jul 15 12:36 hdb6
> brw-rw---- 1 root cdrom 22, 0 Jul 15 12:36 hdc
> brw-rw---- 1 root cdrom 22, 64 Jul 15 12:36 hdd
> ```
> Any ideas?

Dumbman

drphibes Guru
Joined: 30 Nov 2004 Posts: 432
Posted: Fri Jul 15, 2005 5:02 pm

it is an interesting observation, that the partition block device gid != main partition gid. my suggestion is to post a bug to https://bugs.gentoo.org/, subject "udev 063 inconsistent gid on hd partition devices," copy your ls -l output and let fly. greg will respond very quickly with comments. he's probably watching bugzilla very carefully these days, and he's a principal udev maintainer and a gentoo dev.

apache n00b
Joined: 20 Jul 2004 Posts: 60 Location: Austria
Posted: Fri Jul 15, 2005 5:12 pm

> DumbMan wrote: Thanks drphibes,
> Here is the post:
> > Hi all,
> > The latest udev-0.63 solved the issue with the "cdrom" group (hdc and hdd are now root:cdrom)
> > But I wonder, is it normal to have my hard drives (hda and hdb) as root:disk when all partitions on these drives appear as root:root?
> > Is there any specific need/reason to have partitions and drives in different groups?
> > (ls -l hd* listing as in the post above)
> > Any ideas?
> Dumbman

Oh, I think that's a clever permissions management, better than setting all to root:root. The reason why every partition is root:root is that only root should be able to mount them (just forget etc/fstab at this point). Giving root:disk to the disks themselves separates them logically from the partitions and gives you the possibility to allow certain users disk operations without granting them root access.

DumbMan n00b
Joined: 27 Feb 2004 Posts: 31
Posted: Fri Jul 15, 2005 6:08 pm

Well, after taking a closer look at `/etc/udev/scripts/ide-devfs.sh` and `/etc/udev/rules.d/50-udev.rules` it turns out that the group distinction drive-partition is made on purpose.
A special check is made to distinguish between drives and partitions, so I don't think it's a bug.
But I still can't see the advantage of having separate groups for drives and partitions. I mean, if I'm part of the "disk" group, and hence I can access hda, what would be the operations that I could not do to hda partitions?
apache, can you please give some examples? (sorry, I'm still a noob)

apache n00b
Joined: 20 Jul 2004 Posts: 60 Location: Austria
Posted: Fri Jul 15, 2005 6:54 pm

> DumbMan wrote: But I still can't see the advantage of having separate groups for drives and partitions. I mean, if I'm part of the "disk" group, and hence I can access hda, what would be the operations that I could not do to hda partitions?
> apache, can you please give some examples? (sorry, I'm still a noob)

In your case there is no advantage but also no disadvantage, but there are some cases where it could help. For example, I administrate some servers with shared drives (and some other applications) for currently 350 users, and over night there is a cron job doing backup and maintenance operations, and there I'm using that kind of permissions.

DumbMan n00b
Joined: 27 Feb 2004 Posts: 31
Posted: Fri Jul 15, 2005 8:43 pm

Thanks apache, I get the idea now.
That's why I installed Gentoo anyway, I'm learning every day
Dumbman

Matteo Azzali Retired Dev
Joined: 23 Sep 2004 Posts: 1133
Posted: Sat Jul 16, 2005 11:07 pm

> Headrush wrote:
> > Lawless wrote: From the changelog
> > ```
> > 01 Jul 2005; Greg Kroah-Hartman <gregkh@gentoo.org> +udev-059.ebuild:
> > 059 release
> > Note this is _very_ experimental still. Not quite sure if /etc/dev.d/
> > rules still run properly, but booting should still work just fine (as
> > long as your boot partitions aren't under some crazy-whack rule...)
> > ```
> > :x
> Another case of people being ~x86 emerge happy without reading the changelog.

Lol, I'm the last and only one to have old ~x86 system-wide Keyword (in make.conf)?
However, wish that all packages got bugfixed and released as fast as udev,
got 063 and is working fine.
_________________
Every day a new distro comes to birth. Every day a distro "eats" another.
If you're born distro, no matter what, start to run.
---- http://www.linuxprinting.org/ ---- http://tuxmobil.org/

Gergan Penkov Veteran
Joined: 17 Jul 2004 Posts: 1464 Location: das kleinste Kuhdorf Deutschlands :)
Posted: Sun Jul 17, 2005 10:07 pm

I have a simple question: is it possible for someone in group disk, if the whole discs are with root:disk permission, to get raw access to it and overwrite for example the partition table?
_________________
"I knew when an angel whispered into my ear,
You gotta get him away, yeah
Hey little bitch!
Be glad you finally walked away or you may have not lived another day."
Godsmack

apache n00b
Joined: 20 Jul 2004 Posts: 60 Location: Austria
Posted: Mon Jul 18, 2005 5:30 am

> Gergan Penkov wrote: I have a simple question: is it possible for someone in group disk, if the whole discs are with root:disk permission, to get raw access to it and overwrite for example the partition table?

I never tried this but I think it must be possible. I will make a test with an old disk this evening.

apache n00b
Joined: 20 Jul 2004 Posts: 60 Location: Austria
Posted: Tue Jul 19, 2005 5:13 pm

Ok, here is the answer to your question:
I didn't try to alter the disks but there is something more worrying. While it's not possible to run `cat /dev/hda1 > /home/foobar/out.txt` as normal user, a member of the disk group can just run `cat /dev/hda > /home/foobar/out.txt`.
I don't think that it's very difficult to extract whatever you want out of the resulting file: passwords, whole files, ... The only thing you will need is some knowledge of file systems and a good program doing the rest *g*
Or in other words, members of group disk have access to the whole disk.
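As an added example, not code from any post in this thread: a small POSIX sh audit that applies the name-based drive-vs-partition distinction DumbMan found in ide-devfs.sh to an `ls -l` listing and flags whole-disk nodes that a non-root group can read or write, the situation apache describes above (the partition nodes are root:root, but the whole-disk node underneath them is readable by group disk). The listing, the removable-media group policy and all function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit "ls -l /dev/..." style listings
# and flag whole-disk block devices that a non-root group can read or write.
# A member of such a group can read the raw drive even when every partition
# node on it is root:root, so per-partition permissions are bypassed.
# Everything below (listing, groups, names) is constructed sample data.

# Constructed sample listing, modelled on the output posted in the thread.
SAMPLE_LISTING='brw-rw---- 1 root disk 3, 0 Jul 15 12:36 hda
brw-rw---- 1 root root 3, 1 Jul 15 12:36 hda1
brw-rw---- 1 root root 3, 10 Jul 15 12:36 hda10
brw-rw---- 1 root disk 3, 64 Jul 15 12:36 hdb
brw-rw---- 1 root root 3, 65 Jul 15 12:36 hdb1
brw-rw---- 1 root cdrom 22, 0 Jul 15 12:36 hdc
brw-r----- 1 root disk 8, 0 Jul 15 12:36 sda
brw------- 1 root root 8, 1 Jul 15 12:36 sda1
crw-rw---- 1 root audio 14, 3 Jul 15 12:36 dsp'

# Groups expected to own whole removable-media devices (the thread's
# cdrom/cdrw case); nodes owned by these groups are not reported.
REMOVABLE_GROUPS="cdrom cdrw"

# classify_device NAME: "disk" for a whole-drive node (hda, sdb), "partition"
# for a partition node (hda1, sdb10), "other" for anything else. This is the
# same name-based split ide-devfs.sh makes between drives and partitions.
classify_device() {
    case "$1" in
        hd[a-z]|sd[a-z]) echo disk ;;
        hd[a-z][0-9]*|sd[a-z][0-9]*) echo partition ;;
        *) echo other ;;
    esac
}

# group_access MODE: what the owning group may do, read from the group
# triplet (characters 5-7 of the mode string): rw, r, w or none.
group_access() {
    case "$(printf '%s' "$1" | cut -c5-6)" in
        rw) echo rw ;;
        r-) echo r ;;
        -w) echo w ;;
        *) echo none ;;
    esac
}

# is_removable_group GROUP: succeeds if GROUP is listed in REMOVABLE_GROUPS.
is_removable_group() {
    for g in $REMOVABLE_GROUPS; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# audit_listing LISTING: print one WARN line per whole-disk block device
# whose group is neither root nor a removable-media group and has any access.
# Fields of an "ls -l" line: mode links owner group major, minor month day time name.
audit_listing() {
    printf '%s\n' "$1" | while read -r mode _ _ group _ _ _ _ _ name; do
        case "$mode" in b*) ;; *) continue ;; esac      # block devices only
        [ "$(classify_device "$name")" = disk ] || continue
        [ "$group" != root ] || continue
        is_removable_group "$group" && continue
        acc=$(group_access "$mode")
        [ "$acc" != none ] || continue
        printf 'WARN %s: group %s has %s access to the whole disk (bypasses partition permissions)\n' \
            "$name" "$group" "$acc"
    done
}

# Stand-alone run over the constructed sample.
audit_listing "$SAMPLE_LISTING"
```

On the sample, hda and hdb are reported with rw access and sda with read access for group disk; hdc is skipped because cdrom is an expected removable-media group, and the partition nodes are ignored because the whole-disk node is where the exposure lies. On a real system the listing would come from `ls -l /dev/hd* /dev/sd*`, and the policy of which groups are acceptable on whole-disk nodes is a local decision.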

Gergan Penkov Veteran
Joined: 17 Jul 2004 Posts: 1464 Location: das kleinste Kuhdorf Deutschlands :)
Posted: Sun Jul 24, 2005 1:28 am

I would say we must file a security bug for this, because normally a user would receive the disk group only if for example he should be able to write to cdroms or sth like this, but writing to the base hard disc is to stay a root prerogative for the time being (at least as a default rule).

drphibes Guru
Joined: 30 Nov 2004 Posts: 432
Posted: Sun Jul 24, 2005 1:47 am

yeah i have to agree. ordinary users with group disk should not be able to do things like this: `dd if=/dev/zero of=/dev/hda` and zero out the whole disk.

apache n00b
Joined: 20 Jul 2004 Posts: 60 Location: Austria
Posted: Sun Jul 24, 2005 12:51 pm

Is there already a report about that or should I open a new one (just want to prevent duplicates)?

Gergan Penkov Veteran
Joined: 17 Jul 2004 Posts: 1464 Location: das kleinste Kuhdorf Deutschlands :)
Posted: Sun Jul 24, 2005 1:05 pm

apache, I think you could open it, because you have tested it. Probably you must wait for drphibes to affirm that he has not filed a bug report for this issue, or simply search the bugzilla.