Bug 152805 - CAN-2004-0813 Incorrect /etc/security/console.perms
Summary: CAN-2004-0813 Incorrect /etc/security/console.perms
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
Whiteboard: 1, LEGACY, rh73, rh90
Depends On:
Reported: 2004-10-10 08:33 UTC by alan
Modified: 2008-05-01 15:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed:


Description David Lawrence 2005-03-30 23:28:05 UTC
Red Hat 9 and Fedora Core 1 shipped with console.perms granting r/w to /dev/sg
devices for the console user. This allows any console user to physically destroy
hardware as well as to flash compromised firmware and obtain unlimited access to
the system.  In certain situations file systems can be accessed bypassing
security permissions as any user.

Fix: The /dev/sg devices should never be assigned to the user, only to a safe
group. Cdrecord is designed to run setuid or setgid and has been audited for
this kind of use. The fixed security module should remember to depend on the
updated and fixed for setuid cdrecord (see FC2 updates)

Fedora Core 2 and later do not contain this mistake.

------- Additional Comments From 2004-10-10 04:34:10 ----

As a PS: the firmware update is not a hypothetical issue - DVD firmware is
disassembled regularly and hacked for region code removal already.

------- Additional Comments From 2004-10-10 17:55:22 ----

Could you be a bit more specific about what changes exactly you are referring to?
AFAICT console.perms is relatively identical between rh9 and fc2 and cdrecord in
FC2 updates is not setuid...

------- Additional Comments From 2004-10-10 20:38:38 ----

AFAIK FC2 has a kernel 2.6.8 which does not allow sending SCSI commands to
devices by non-root users if they have write permissions to /dev/sg and, I
think, even when cdrecord is setuid root.
Fedora Core 2 kernel upgrade breaking CD recording

That's why they can have console.perms the same and they're safe.

------- Additional Comments From 2004-10-11 03:49:31 ----

Fedora Core 2 and later don't use /dev/sg for CD burning, but the SG_IO
interface. SG_IO was itself insecure but this was fixed in 2.6.8 and a nice
solution added during 2.6.9 development. Thus FC2 does not hand over access to

The 2.4 kernels have no filtering access functionality, instead they expect CD
burners to be root or setuid root. cdrecord supports this mode of operation.

------- Additional Comments From 2004-10-11 05:26:30 ----

is there anything other than cdwriter and scanner that can be linked to /dev/sg?

if not, does the following patch look sufficient?

diff -uNr ./modules/pam_console/console.perms.orig
--- ./modules/pam_console/console.perms.orig    2004-10-11 11:11:26.000000000 -0400
+++ ./modules/pam_console/console.perms 2004-10-11 11:23:03.000000000 -0400
@@ -24,12 +24,12 @@
 <sound>=/dev/dsp* /dev/audio* /dev/midi* \
        /dev/mixer* /dev/sequencer \
        /dev/sound/* /dev/beep
-<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
+<cdrom>=/dev/cdrom* /dev/cdroms/* /mnt/cdrom*
 <zip>=/mnt/pocketzip* /mnt/zip*
 <ls120>=/dev/ls120 /mnt/ls120*
-<scanner>=/dev/scanner /dev/usb/scanner*
 <camera>=/mnt/camera* /dev/usb/dc2xx* /dev/usb/mdc800*
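Review bot: the second removal drops the whole `<scanner>=` class definition, so any permission entry elsewhere in console.perms that still refers to `<scanner>` would be left pointing at an undefined class; remove or adjust those entries in the same patch. The hunk header declares 12 lines and fewer are shown here, so confirm the rest of the hunk was not cut off. The removed line also takes `/dev/usb/scanner*` with it, which by its path is a USB node rather than an alias for /dev/sg; keeping `<scanner>=/dev/usb/scanner*` would preserve USB scanner access while still withdrawing `/dev/scanner`. The `<cdrom>` change should ship with a note that CD writing then needs cdrecord run as root or setuid.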

------- Additional Comments From 2004-10-11 10:44:06 ----

Those are the only ones I can think of. There are weird sg users outside of
disks, scanners, cd etc but we don't do permission magic for them.

------- Additional Comments From 2004-10-11 11:59:33 ----

Packages to QA for FC1:
applied above patch
* Mon Oct 11 2004 Rob Myers <> 0.77-16.legacy
- fix #2146 Incorrect /etc/security/console.perms

------- Additional Comments From 2004-10-11 12:33:59 ----

In response to comment 7:

Won't we need new cdrdao, cdrtools, dvd+rw-tools and dvdrtools packages all with
the binaries set setuid to go with your new pam packages, or am I missing something?

And won't we break people using scsi scanners?

------- Additional Comments From 2004-10-11 12:52:27 ----

cdrecord supports being run setuid (you need to pick up the security fixes that
went out for FC2/3) but it was always intended to run that way. The others may be
trickier. It is the kind of thing that needs notes with the patch (painful
learning from 2.6.8 when we fixed SG_IO).

------- Additional Comments From 2004-10-12 08:54:49 ----

I agree that we should just remove the console.perms from /dev/sg* and publish
security fixed cdrecord etc. so it is safe to run it suid-root.  I don't think
we should go out of our way to make legacy distros user-friendly if the tradeoff
is less security.  If people want the "proper" fix for this, they should upgrade
to FC2/FC3.  Most of these users would be desktop users anyway, which should be
less of a problem for upgrading, than e.g. servers.

------- Additional Comments From 2004-10-21 06:38:27 ----

here is the redhat bug:

------- Additional Comments From 2004-10-21 10:54:42 ----

Fedora Legacy is committed to patching security vulnerabilities _and_
maintaining compatibility.  This is one of those bugs that following
one principle violates the other.
My view is that patching security vulnerabilities is more important
than maintaining compatibility.  This is my view, and I realize that
others may have different views.
While cdrecord and cdrdao have in the past had exploits[1,2] when they
were run with the suid bit set, such a configuration may be
desirable to maintain compatibility.  To that end, I have rebuilt
the latest cdrtools from FC2.  The admin may enable the suid
bit after installation if desired.
packages to QA for FC1:
* Thu Oct 21 2004 Rob Myers <> - 8:2.01.1-0.FC1.1
- change version from FC2 to FC1 to test for FL bug #2146
- rebuild
* Wed Sep 29 2004 Harald Hoyer <> - 8:2.01.1-0.FC2.1
- erratum for 2.6.8 kernel
2bed792e1c81bc918d1646f830701dccfdb122ea  cdda2wav-2.01.1-0.FC1.1.i386.rpm
577d6efaa35382f407fb67f0727722ee02116c14  cdrecord-2.01.1-0.FC1.1.i386.rpm
520044d14e993f9136177d2ce75e3d412bb362ad  cdrecord-devel-2.01.1-0.FC1.1.i386.rpm
eadfe884996f700199906cb82e5b94e810e4ac36  cdrtools-2.01.1-0.FC1.1.src.rpm
b06409aea57ff5235ed92e52b4070f9fc7b31112  cdrtools-debuginfo-2.01.1-0.FC1.1.i386.rpm
da45c8ac7b09ae0b4c3f6fca05dbe40ec846dd91  mkisofs-2.01.1-0.FC1.1.i386.rpm

------- Additional Comments From 2004-11-22 09:42:23 ----

I did QA on the FC1 Packages:

eadfe884996f700199906cb82e5b94e810e4ac36  cdrtools-2.01.1-0.FC1.1.src.rpm
9bd7120a3b9f8d2fc21e22f6e70a2b92a35e51ac  pam-0.77-16.legacy.src.rpm

- cdrtools builds cleanly
- pam needs pam-devel to build
- spec files look good
- patches look good
- cdrtools identical to FC2 package
- pam source files the same
- installs cleanly
- runs cleanly

------- Additional Comments From 2005-02-26 01:08:49 ----

This probably applies to RHL73 as well -- at least the patch does?

Cdrtools has been updated, obviating the need to rebuild them EXCEPT if we want
to ship cdrecord etc. setuid or setgid root by default (i.e., not requiring the
user to set them himself).

Two questions:
 - Is it OK to require the users to add setuid root themselves?
 - If we want to fix this, this should be folded back to the other PAM update,
#2010 (I'll add a dependency)

------- Additional Comments From 2005-02-26 06:57:33 ----

Marc in #2010: "I don't think we should fix 2146. It will break too many things
and no other distro seems to have fixed it. I think we should just stick with

FWIW, I'm OK with this approach.  I can live with it either way.  But in any
case, we should make a decision ASAP and either agree to fix this one, or just
close it and move on.

------- Additional Comments From 2005-02-26 08:07:30 ----

We won't be fixing this. If this security issue is important to someone, they
can modify the console.perms themselves or upgrade to a more recent distro.

------- Bug moved to this database by 2005-03-30 18:28 -------

This bug previously known as bug 2146 at
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity critical. Setting to default severity "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
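
A check an administrator could run before and after editing console.perms by hand, as the closing comment suggests (added example, not part of the bug thread or of pam_console): it expands the class definitions and reports every `<console>` grant whose paths resolve to a /dev/sg node. The sample file is constructed, and the permission-line layout and all function names are assumptions.

```python
import glob, os, re

# Constructed sample. The class lines are the pre-patch ones quoted in the
# diff above; the "<console> mode <class> revert-mode owner" permission
# lines are assumed examples of pam_console's layout.
SAMPLE = r"""
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
       /dev/mixer* /dev/sequencer
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
<scanner>=/dev/scanner /dev/usb/scanner*
<console> 0600 <sound>   0600 root
<console> 0600 <cdrom>   0660 root.disk
<console> 0600 <scanner> 0600 root
"""
SG_NODE = re.compile(r"^/dev/sg\w*$")   # SCSI generic device nodes

def real_targets(pattern):
    """Expand a glob on the live system and follow symlinks to the real node."""
    return [os.path.realpath(p) for p in glob.glob(pattern)]

def parse(text):
    """Return ({class: [globs]}, [(mode, class_or_path)]) from console.perms text."""
    text = re.sub(r"\\[ \t]*\n", " ", text)      # join backslash continuations
    classes, grants = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        m = re.match(r"(<[^>]+>)=(.*)$", line)
        if m:
            classes[m.group(1)] = m.group(2).split()
        elif line.startswith("<console>") and len(line.split()) >= 3:
            grants.append(tuple(line.split()[1:3]))
    return classes, grants

def sg_grants(text, resolve=real_targets):
    """List (class, glob, target) where a console grant reaches an sg node."""
    classes, grants = parse(text)
    hits = []
    for _mode, cls in grants:
        for pattern in classes.get(cls, [cls]):  # a grant may name a bare path
            hits += [(cls, pattern, t) for t in resolve(pattern) if SG_NODE.match(t)]
    return hits

if __name__ == "__main__":
    for cls, pattern, target in sg_grants(open("/etc/security/console.perms").read()):
        print(f"{cls}: {pattern} -> {target} is handed to the console user")
```

The `resolve` parameter exists so the check can be exercised against a recorded symlink map instead of the live /dev tree.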
