[prev in list] [next in list] [prev in thread] [next in thread]
List: busybox
Subject: [PATCH] umask(077) as a workaround for security vuln [mdev]
From: Piotr Karbowski <piotr.karbowski () gmail ! com>
Date: 2012-12-21 15:09:32
Message-ID: 50D47BAC.1030805 () gmail ! com
[Download RAW message or body]
On 12/18/2012 10:41 AM, Piotr Karbowski wrote:
> On 12/18/2012 10:11 AM, Piotr Karbowski wrote:
>> Hi,
>>
>> For some reason when i do move /dev/msr[0-9]+ nodes to /dev/cpu the
>> /dev/cpu is getting 777 permissions. The very rule that affect it:
>>
>> msr([0-9]+) root:root 600 =cpu/%1/msr
>>
>> Testcase:
>>
>> ### mdev.conf without msr:
>> microcode root:root 600 =cpu/
>> cpu([0-9]+) root:root 600 =cpu/%1/cpuid
>>
>> # rm /dev/cpu -rf; mdev -s; ls -ld /dev/cpu
>> drwxr-xr-x 6 root root 140 Dec 18 10:07 /dev/cpu/
>>
>> Good so far.
>>
>> ### mdev.conf with msr:
>> microcode root:root 600 =cpu/
>> cpu([0-9]+) root:root 600 =cpu/%1/cpuid
>> msr([0-9]+) root:root 600 =cpu/%1/msr
>>
>> # rm /dev/cpu -rf; mdev -s; ls -ld /dev/cpu
>> drwxrwxrwx 6 root root 140 Dec 18 10:08 /dev/cpu/
>>
>> And the /dev/cpu is 777, whatever is the order of msr, or even with
>> there is only rule for msr, the /dev/cpu become 777, the /dev/cpu/0/ is
>> 755 as it should be.
>>
>> Busybox mdev 1.20.2
>
> A bit more debuging, the rule:
>
> msr0 root:root 600 =cpu/msr0
>
> Does work, but if I add / at the end, like:
>
> msr0 root:root 600 =cpu/msr0/msr
>
> it does alter /dev/cpu permissions.
Poor and wrong by design but gets the job done.
From a5f05ba5c03cd8b6d1e384b25a28013619329b48 Mon Sep 17 00:00:00 2001
From: Piotr Karbowski <piotr.karbowski@gmail.com>
Date: Fri, 21 Dec 2012 15:54:07 +0100
Subject: [PATCH] umask(077) as a workaround for security vuln.
Mdev seems to alter permissions of created dirs. Example:
microcode root:root 600 =cpu/
cpu([0-9]+) root:root 600 =cpu/%1/cpuid
msr([0-9]+) root:root 600 =cpu/%1/msr
will make /dev/cpu a world-writtable dir.
---
util-linux/mdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util-linux/mdev.c b/util-linux/mdev.c
index 79871d3..b85e2d7 100644
--- a/util-linux/mdev.c
+++ b/util-linux/mdev.c
@@ -823,7 +823,7 @@ int mdev_main(int argc UNUSED_PARAM, char **argv)
bb_sanitize_stdio();
/* Force the configuration file settings exactly */
- umask(0);
+ umask(077);
xchdir("/dev");
--
1.8.0.2
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic