possible security problem with weak perms on /dev/fd[01] in suse 6.3 distro
Hi. I thought I would notify you of my findings on a possible security problem within suse 6.3. Below is an excerpt about /dev/fd[01] permissions that I wrote a few days ago. I'm not sure if this has been noticed before. If not, I hope the information does you some good. I'd appreciate any responses on the matter that you can give, thanks :).

[cut]

Out of the box, SuSE 6.3 allows global rw access on the primary and secondary floppy drive (/dev/fd0 and /dev/fd1). Because devices can be written to directly, just like anything else, the floppy drives do not need to be mounted for any user to write data to a disk that has been left in the drive. Depending on the system's setup, this can be a very malicious tool. If the system boots SuSE directly from a floppy disk, chances are the disk is left in the drive while the system is up. If a user were to log on, and decide to use 'dd' (amongst a variety of other tools, or even just a 'cat FILE > /dev/fd0') the boot floppy would be ruined. A lazy sysadmin who didn't check the logs would not see that the bootdisk had been ruined, and upon reboot, may find himself with a dead box until the disk can be replaced. This is just one scenario where the weak perms on the devices can be dangerous.

I just recently noticed this after installing SuSE 6.3 on one of my systems over a month ago. The permissions on /dev/fd[01] have been checked on several SuSE 6.3 systems and all check out as o+rw. If you are running SuSE 6.3 and have users other than yourself logging in, your best bet is to 'chmod o-rw /dev/fd0'. I cannot think of one good reason why SuSE would have set permissions on /dev/fd[01] so weak. If you can give any suggestions or feedback, an e-mail would be appreciated.

-- Bryan Hughes init@crashdot.org
techno@crosslink.net wrote:
Hi. I thought I would notify you of my findings on a possible security problem within suse 6.3. Below is an excerpt about /dev/fd[01] permissions that I wrote a few days ago. I'm not sure if this has been noticed before. If not, I hope the information does you some good. I'd appreciate any responses on the matter that you can give, thanks :).
[cut]
Out of the box, SuSE 6.3 allows global rw access on the primary and secondary floppy drive (/dev/fd0 and /dev/fd1). Because devices can be written to directly, just like anything else, the floppy drives do not need to be mounted for any user to write data to a disk that has been left in the drive. Depending on the system's setup, this can be a very malicious tool. If the system boots SuSE directly from a floppy disk, chances are the disk is left in the drive while the system is up. If a user were to log on, and decide to use 'dd' (amongst a variety of other tools, or even just a 'cat FILE > /dev/fd0') the boot floppy would be ruined. A lazy sysadmin who didn't check the logs would not see that the bootdisk had been ruined, and upon reboot, may find himself with a dead box until the disk can be replaced. This is just one scenario where the weak perms on the devices can be dangerous.
I just recently noticed this after installing SuSE 6.3 on one of my systems over a month ago. The permissions on /dev/fd[01] have been checked on several SuSE 6.3 systems and all check out as o+rw. If you are running SuSE 6.3 and have users other than yourself logging in, your best bet is to 'chmod o-rw /dev/fd0'. I cannot think of one good reason why SuSE would have set permissions on /dev/fd[01] so weak. If you can give any suggestions or feedback, an e-mail would be appreciated.
-- Bryan Hughes init@crashdot.org
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
There's always the "write-protect" tab on the diskette though.

Les Catterall
techno@crosslink.net wrote:
Out of the box, SuSE 6.3 allows global rw access on the primary and secondary floppy drive (/dev/fd0 and /dev/fd1). Because devices can be written to directly, just like anything else, the floppy drives do not need to be mounted for any user to write data to a disk that has been left in the drive. Depending on the system's setup, this can be a very malicious tool. If the system boots SuSE directly from a floppy disk, chances are the disk is left in the drive while the system is up. If a user were to log on, and decide to use 'dd' (amongst a variety of other tools, or even just a 'cat FILE > /dev/fd0') the boot floppy would be ruined. A lazy sysadmin who didn't check the logs would not see that the bootdisk had been ruined, and upon reboot, may find himself with a dead box until the disk can be replaced. This is just one scenario where the weak perms on the devices can be dangerous.
The permissions on SuSE 6.1 are:

    brw-rw-rw- 1 root disk 2, 0 Apr 15 1999 /dev/fd0
    brw-rw-rw- 1 root disk 2, 1 Apr 15 1999 /dev/fd1

And on SuSE 6.3:

    brw-rw---- 1 root disk 2, 0 Nov 15 1999 /dev/fd0
    brw-rw---- 1 root disk 2, 1 Nov 15 1999 /dev/fd1

If a system administrator wants to boot a system from floppy disk he would make the floppy disk read-only, isn't it? However, you are indeed correct that a lazy sysadmin would ruin his system, anyway ;-).

Regards,
Fred Mobach
fred at mobach.nl
Hi,
Hi. I thought I would notify you of my findings on a possible security problem within suse 6.3. Below is an excerpt about /dev/fd[01] permissions that I wrote a few days ago. I'm not sure if this has been noticed before. If not, I hope the information does you some good. I'd appreciate any responses on the matter that you can give, thanks :).
Old news. :)

Approx. 1 year ago, I checked the whole /dev tree to make the permissions as secure as possible. The result of my work results in some entries in /etc/permissions.* .

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
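
The check discussed in this thread, as an added example that is not part of any poster's message: a POSIX shell audit that reads `ls -l` style lines, flags device nodes whose "other" bits grant read or write, and prints the matching `chmod o-...` commands for review. The function names are made up for this example, and the two sample listings are the ones quoted in Fred Mobach's reply.

```sh
#!/bin/sh
# Added example. Function names are hypothetical; sample listings are the
# `ls -l` lines quoted in the thread, embedded so the script runs offline.
LISTING_61='brw-rw-rw- 1 root disk 2, 0 Apr 15 1999 /dev/fd0
brw-rw-rw- 1 root disk 2, 1 Apr 15 1999 /dev/fd1'
LISTING_63='brw-rw---- 1 root disk 2, 0 Nov 15 1999 /dev/fd0
brw-rw---- 1 root disk 2, 1 Nov 15 1999 /dev/fd1'

# audit_listing: read `ls -l` lines on stdin. For every block (b) or
# character (c) device whose "other" triplet grants r or w, print
# "<path> o+<bits>". Assumes device paths contain no whitespace.
audit_listing() {
    awk '
        /^[bc]/ {
            other = substr($1, 8, 3)   # mode chars 8-10 = "other" triplet
            bits = ""
            if (substr(other, 1, 1) == "r") bits = bits "r"
            if (substr(other, 2, 1) == "w") bits = bits "w"
            if (bits != "") print $NF, "o+" bits
        }'
}

# audit_live: apply the same check to real nodes, e.g.
#   audit_live /dev/fd0 /dev/fd1
audit_live() {
    for node in "$@"; do
        if [ -e "$node" ]; then
            ls -ld "$node"
        fi
    done | audit_listing
}

# suggest_fix: turn findings into chmod commands. It only prints them,
# so an administrator can review before running anything as root.
suggest_fix() {
    while read -r path bits; do
        printf 'chmod o-%s %s\n' "${bits#o+}" "$path"
    done
}

# Demo on the world-writable listing from the thread.
printf '%s\n' "$LISTING_61" | audit_listing | suggest_fix
```

Run against the `brw-rw----` listing, `audit_listing` prints nothing, since group-only access is not flagged.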