Bug 155354 - 20050313 SCSI tape security
Summary: 20050313 SCSI tape security
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Tom Coughlan
QA Contact: Brian Brock
URL: http://www.mail-archive.com/linux-scs...
Whiteboard:
Depends On:
Blocks: 156322
 
Reported: 2005-04-19 14:26 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC

Fixed In Version: RHSA-2005-514
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-10-05 13:01:55 UTC




Links
System ID: Red Hat Product Errata RHSA-2005:514
Priority: qe-ready
Status: SHIPPED_LIVE
Summary: Important: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 2
Last Updated: 2005-10-05 04:00:00 UTC

Description Mark J. Cox 2005-04-19 14:26:29 UTC
See URL for full details.  "Any user who has been granted permissions to access
a SCSI tape device can send some commands, which may cause it to become unusable
for other users."

Fix:
http://linux.bkbits.net:8080/linux-2.6/cset@42373cf23YEvgue3d3UyXV1OR0aIWA

Comment 1 Dave Jones 2005-04-21 23:09:45 UTC
Alan Cox on rhkernel-list ..

--------------------------------------
NAK.

Because

1. arbitrary SCSI command is CAP_SYS_RAWIO (firmware reprogram ...)
2. The midlayer has a proper command filter (which will need tuning for tape)
3. The tape devices are usually root only owned.

I'd like to see #1/#2 fixed then its worth it.
-------------------------------------


#3 should make this not-so-urgent to fix?

Comment 2 Mark J. Cox 2005-04-22 07:30:29 UTC
I'll move this from moderate to low severity as exploitation requires that an
administrator has explicitly allowed tape devices to be controlled by other users.

Comment 3 Tom Coughlan 2005-05-17 21:47:03 UTC
For reference, this is the patch that has been tentatively agreed upon upstream.
It is not formally checked in yet, though, so I'll wait a bit before posting it
on rhkernel-list.

Adding to the proposed list for U2. 


From linux-scsi-owner@vger.kernel.org Sun May  1 14:10:18 2005

Date: 	Sun, 1 May 2005 21:11:55 +0300 (EEST)
From: Kai Makisara <Kai.Makisara@kolumbus.fi>

To: linux-scsi@vger.kernel.org
Subject: [PATCH 2.6] SCSI tape: fix permissions for SG_IO, etc.

This patch is against 2.6.12-rc3 + linus-patch from April 30. The patch
contains the following fixes:

- CAP_SYS_RAWIO is used instead of CAP_SYS_ADMIN; fix from Alan Cox
- only direct sending of SCSI commands requires this permission
- the st status is modified if a successful unload is performed using
  SCSI_IOCTL_STOP_UNIT

Signed-off-by: Kai Makisara <kai.makisara@kolumbus.fi>

--- linux-2.6.12-rc3-300405/drivers/scsi/st.c	2005-04-05 22:36:16.000000000 +0300
+++ linux-2.6.12-rc3-300405-k1/drivers/scsi/st.c	2005-05-01 20:45:27.000000000 +0300
@@ -17,7 +17,7 @@
    Last modified: 18-JAN-1998 Richard Gooch <rgooch@atnf.csiro.au> Devfs support
  */
 
-static char *verstr = "20050312";
+static char *verstr = "20050501";
 
 #include <linux/module.h>
 
@@ -29,6 +29,7 @@ static char *verstr = "20050312";
 #include <linux/string.h>
 #include <linux/errno.h>
 #include <linux/mtio.h>
+#include <linux/cdrom.h>
 #include <linux/ioctl.h>
 #include <linux/fcntl.h>
 #include <linux/spinlock.h>
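Review bot: <linux/cdrom.h> is pulled into a tape driver for a single constant, CDROM_SEND_PACKET, which only shows up in the st_ioctl() hunk further down; a one-line comment on the include (or a note in the changelog) saying that scsi_cmd_ioctl() accepts that ioctl as a pass-through path on any SCSI device, tape included, would stop the next reader from assuming the include is a leftover.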
@@ -50,6 +51,7 @@ static char *verstr = "20050312";
 #include <scsi/scsi_host.h>
 #include <scsi/scsi_ioctl.h>
 #include <scsi/scsi_request.h>
+#include <scsi/sg.h>
 
 
 /* The driver prints some debugging information on the console if DEBUG
@@ -3463,7 +3465,10 @@ static int st_ioctl(struct inode *inode,
 		case SCSI_IOCTL_GET_BUS_NUMBER:
 			break;
 		default:
-			if (!capable(CAP_SYS_ADMIN))
+			if ((cmd_in == SG_IO ||
+			     cmd_in == SCSI_IOCTL_SEND_COMMAND ||
+			     cmd_in == CDROM_SEND_PACKET) &&
+			    !capable(CAP_SYS_RAWIO))
 				i = -EPERM;
 			else
 				i = scsi_cmd_ioctl(file, STp->disk, cmd_in, p);
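Review bot: the gate in the default branch is now a hard-coded list of three ioctl numbers (SG_IO, SCSI_IOCTL_SEND_COMMAND, CDROM_SEND_PACKET); every other request that falls through to the default case reaches scsi_cmd_ioctl() with no capability check at all, where previously all of them required CAP_SYS_ADMIN. That is the relaxation the changelog describes ("only direct sending of SCSI commands requires this permission"), but it means the protection for anything else scsi_cmd_ioctl() handles rests entirely on the midlayer filter, which the rhkernel-list NAK quoted above says still needs tuning for tape. Suggest a comment above the `if` stating that these three are the only ioctls that carry a caller-supplied CDB and that the rest are deliberately left to scsi_cmd_ioctl(), so the list gets revisited if scsi_cmd_ioctl() ever grows another pass-through ioctl.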
@@ -3471,10 +3476,12 @@ static int st_ioctl(struct inode *inode,
 				return i;
 			break;
 	}
-	if (!capable(CAP_SYS_ADMIN) &&
-	    (cmd_in == SCSI_IOCTL_START_UNIT || cmd_in == SCSI_IOCTL_STOP_UNIT))
-		return -EPERM;
-	return scsi_ioctl(STp->device, cmd_in, p);
+	retval = scsi_ioctl(STp->device, cmd_in, p);
+	if (!retval && cmd_in == SCSI_IOCTL_STOP_UNIT) { /* unload */
+		STp->rew_at_close = 0;
+		STp->ready = ST_NO_TAPE;
+	}
+	return retval;
 
  out:
 	up(&STp->lock);
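Review bot: dropping the CAP_SYS_ADMIN check on SCSI_IOCTL_START_UNIT and SCSI_IOCTL_STOP_UNIT means any user who can open the device node can now unload the tape, which is exactly the "unusable for other users" effect the report describes; the hunk only compensates for driver-state consistency (rew_at_close = 0 and ready = ST_NO_TAPE after a successful STOP_UNIT), not for the access itself, so the changelog should state that this is deliberate and relies on the device-node permissions (point 3 of the NAK) rather than a capability. Separately, `retval` is used here without a declaration visible in the hunk; confirm it is declared earlier in st_ioctl() so the build does not depend on a variable that only existed in the old code path.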

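The following is an added example, not part of the bug report, the kernel patch or Red Hat's own tooling. It is a small user-space probe an administrator can run as the (non-root) user who has been granted access to a tape device, to confirm that the driver still refuses raw pass-through (SG_IO TEST UNIT READY) for that user while the ordinary tape status ioctl (MTIOCGET) works. The default device path /dev/nst0, the 5-second timeout and the error-text mapping are assumptions; the non-rewinding node and O_NONBLOCK are used so the probe does not reposition the tape or wait for media. errno alone cannot tell whether the refusal came from the old CAP_SYS_ADMIN check or the patched CAP_SYS_RAWIO check; both surface as EPERM.

```c
/* Added example: probe which st ioctls the running kernel allows the
 * calling user. Not from the bug report or the st.c patch. */
#include <errno.h>
#include <fcntl.h>
#include <scsi/sg.h>      /* SG_IO, sg_io_hdr_t, SG_DXFER_NONE */
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mtio.h>     /* MTIOCGET, struct mtget */
#include <unistd.h>

/* Fill an SG_IO header for TEST UNIT READY: opcode 0x00, 6-byte CDB, no data
 * transfer. cdb and sense are caller-owned buffers the header points into. */
void build_test_unit_ready(sg_io_hdr_t *hdr, unsigned char *cdb, size_t cdb_len,
                           unsigned char *sense, size_t sense_len)
{
    memset(hdr, 0, sizeof(*hdr));
    memset(cdb, 0, cdb_len);            /* all-zero CDB: opcode 0x00 = TEST UNIT READY */
    hdr->interface_id = 'S';            /* required magic for the sg v3 interface */
    hdr->cmd_len = 6;
    hdr->cmdp = cdb;
    hdr->mx_sb_len = (unsigned char)sense_len;
    hdr->sbp = sense;
    hdr->dxfer_direction = SG_DXFER_NONE;
    hdr->timeout = 5000;                /* milliseconds; assumed value */
}

/* Issue one ioctl. Returns 0 on success, otherwise the positive errno. */
int probe_ioctl(int fd, unsigned long req, void *arg)
{
    if (ioctl(fd, req, arg) == 0)
        return 0;
    return errno;
}

/* Human-readable reading of a probe result in the context of this bug.
 * The texts are this example's own wording, not kernel messages. */
const char *describe(int err)
{
    switch (err) {
    case 0:      return "allowed";
    case EPERM:  return "refused by capability check (expected for pass-through without CAP_SYS_RAWIO)";
    case EACCES: return "refused by device node permissions";
    case ENOENT: return "no such device node";
    case ENXIO:  return "device not present or no tape loaded";
    default:     return strerror(err);
    }
}

/* Open the tape device and probe two ioctls:
 *   MTIOCGET  - tape status; not gated on a capability once open() succeeds
 *   SG_IO     - raw CDB pass-through; gated on CAP_SYS_RAWIO after the fix
 * Returns 0 and fills *mt_err / *sgio_err, or the positive errno from open(). */
int probe_device(const char *path, int *mt_err, int *sgio_err)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);  /* O_NONBLOCK: do not wait for media */
    if (fd < 0)
        return errno;

    struct mtget status;
    *mt_err = probe_ioctl(fd, MTIOCGET, &status);

    sg_io_hdr_t hdr;
    unsigned char cdb[6], sense[32];
    build_test_unit_ready(&hdr, cdb, sizeof cdb, sense, sizeof sense);
    *sgio_err = probe_ioctl(fd, SG_IO, &hdr);

    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/nst0";  /* assumed default node */
    int mt = -1, sg = -1;
    int rc = probe_device(path, &mt, &sg);
    if (rc) {
        printf("%s: open: %s\n", path, describe(rc));
        return 1;
    }
    printf("%s: MTIOCGET: %s\n", path, describe(mt));
    printf("%s: SG_IO TEST UNIT READY: %s\n", path, describe(sg));
    return 0;
}
```

Run it as the user the administrator has granted access to the tape node (for example `./st_probe /dev/nst0`). With the RHSA-2005:514 kernel, MTIOCGET should report "allowed" and SG_IO should report the EPERM line unless the process holds CAP_SYS_RAWIO; if SG_IO is "allowed" for an unprivileged user, that user can send arbitrary CDBs to the drive, which is the condition the report is about.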


Comment 5 Mark J. Cox 2005-06-07 22:20:52 UTC
This bug should be public, the acks have broken that; please fix asap.

Comment 11 Red Hat Bugzilla 2005-10-05 13:01:55 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-514.html


