Bug 118051

Summary: kdm should not read /dev/mem
Product: [Fedora] Fedora
Reporter: Aleksey Nogin <aleksey>
Component: kdebase
Assignee: Than Ngo <than>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: russell, wtogami
Keywords: Security, SELinux
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-05-01 13:23:40 UTC
Bug Blocks: 114961

Description Aleksey Nogin 2004-03-11 14:59:51 UTC
I am seeing the following message:

Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc:  denied  { read } for  pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
 
According to Russell Coker
 
> That's a bug in kdm.  It should use /dev/random instead.  Reading
> arbitrary kernel memory as a source of random numbers is bogus anyway.

Comment 1 Aleksey Nogin 2004-03-12 06:21:17 UTC
*** Bug 118123 has been marked as a duplicate of this bug. ***

Comment 2 Aleksey Nogin 2004-04-15 07:26:04 UTC
I have looked at the code a bit. In order for this to work correctly,
the kdm/backend/genauth.c file has to be compiled with DEV_RANDOM
define set to "/dev/urandom". Configure creates kdm/backend/Imakefile
that contains the following:
#ifdef RandomDefines
RANDOM_DEFINES = RandomDefines
#elif defined(OpenBSDArchitecture)
RANDOM_DEFINES = -DARC4_RANDOM
#elif defined(LinuxArchitecture)
RANDOM_DEFINES = -DDEV_RANDOM=\"/dev/urandom\"
#elif defined(NetBSDArchitecture) && \
  ((OSMajorVersion > 1) || \
   (OSMajorVersion == 1 && OSMinorVersion > 3))
RANDOM_DEFINES = -DDEV_RANDOM=\"/dev/urandom\"
#endif

However, the  -DDEV_RANDOM=\"/dev/urandom\"  never makes it into the
actual Makefile.

P.S. A possible workaround is to add the "RandomDevice=/dev/urandom"
line to the "General" section of the kdmrc.

P.P.S. The same bug exists in xdm (not surprisingly - it appears that
the code was borrowed from xdm originally) - see bug 120914.

P.P.P.S. kdm complains "Cannot read randomFile "/dev/mem"; X cookies
may be easily guessable" because of this, so I guess this makes it a
security problem.

Comment 3 Than Ngo 2004-05-01 13:23:40 UTC
I have added a fix for using urandom instead of mem. It's fixed in
kdebase-3.2.2-3. Thanks for your report.