
Bug 155354

Summary: 20050313 SCSI tape security
Product: Red Hat Enterprise Linux 4
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: Security
Reporter: Mark J. Cox <mjc>
Assignee: Tom Coughlan <coughlan>
QA Contact: Brian Brock <bbrock>
CC: davej
URL: http://www.mail-archive.com/linux-scsi@vger.kernel.org/msg01818.html
Fixed In Version: RHSA-2005-514
Doc Type: Bug Fix
Last Closed: 2005-10-05 13:01:55 UTC
Bug Blocks: 156322

Description Mark J. Cox 2005-04-19 14:26:29 UTC
See URL for full details.  "Any user who has been granted permissions to access
a SCSI tape device can send some commands, which may cause it to become unusable
for other users."

Fix:
http://linux.bkbits.net:8080/linux-2.6/cset@42373cf23YEvgue3d3UyXV1OR0aIWA

Comment 1 Dave Jones 2005-04-21 23:09:45 UTC
Alan Cox on rhkernel-list ..

--------------------------------------
NAK.

Because

1. arbitrary SCSI command is CAP_SYS_RAWIO (firmware reprogram ...)
2. The midlayer has a proper command filter (which will need tuning for tape)
3. The tape devices are usually root only owned.

I'd like to see #1/#2 fixed then it's worth it.
-------------------------------------


#3 should make this not-so-urgent to fix?

Comment 2 Mark J. Cox 2005-04-22 07:30:29 UTC
I'll move this from moderate to low severity as exploitation requires that an
administrator has explicitly allowed tape devices to be controlled by other users.

Comment 3 Tom Coughlan 2005-05-17 21:47:03 UTC
For reference, this is the patch that has been tentatively agreed upon upstream.
It is not formally checked in yet, though, so I'll wait a bit before posting it
on rhkernel-list.

Adding to the proposed list for U2. 


From linux-scsi-owner.org Sun May  1 14:10:18 2005

Date: 	Sun, 1 May 2005 21:11:55 +0300 (EEST)
From: Kai Makisara <Kai.Makisara>

To: linux-scsi.org
Subject: [PATCH 2.6] SCSI tape: fix permissions for SG_IO, etc.

This patch is against 2.6.12-rc3 + linus-patch from April 30. The patch
contains the following fixes:

- CAP_SYS_RAWIO is used instead of CAP_SYS_ADMIN; fix from Alan Cox
- only direct sending of SCSI commands requires this permission
- the st status is modified if successful unload is performed using
  SCSI_IOCTL_STOP_UNIT

Signed-off-by: Kai Makisara <kai.makisara>

--- linux-2.6.12-rc3-300405/drivers/scsi/st.c	2005-04-05 22:36:16.000000000 +0300
+++ linux-2.6.12-rc3-300405-k1/drivers/scsi/st.c	2005-05-01 20:45:27.000000000 +0300
@@ -17,7 +17,7 @@
    Last modified: 18-JAN-1998 Richard Gooch <rgooch.au> Devfs support
  */
 
-static char *verstr = "20050312";
+static char *verstr = "20050501";
 
 #include <linux/module.h>
 
@@ -29,6 +29,7 @@ static char *verstr = "20050312";
 #include <linux/string.h>
 #include <linux/errno.h>
 #include <linux/mtio.h>
+#include <linux/cdrom.h>
 #include <linux/ioctl.h>
 #include <linux/fcntl.h>
 #include <linux/spinlock.h>
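Review bot: The new #include <linux/cdrom.h> in a tape driver has no explanation; from the later st_ioctl hunk it appears to be needed only for the CDROM_SEND_PACKET constant. A short comment on the include line saying so would keep it from being dropped as unused in a later cleanup, which would silently remove one of the three gated commands from the build or break it.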
@@ -50,6 +51,7 @@ static char *verstr = "20050312";
 #include <scsi/scsi_host.h>
 #include <scsi/scsi_ioctl.h>
 #include <scsi/scsi_request.h>
+#include <scsi/sg.h>
 
 
 /* The driver prints some debugging information on the console if DEBUG
@@ -3463,7 +3465,10 @@ static int st_ioctl(struct inode *inode,
 		case SCSI_IOCTL_GET_BUS_NUMBER:
 			break;
 		default:
-			if (!capable(CAP_SYS_ADMIN))
+			if ((cmd_in == SG_IO ||
+			     cmd_in == SCSI_IOCTL_SEND_COMMAND ||
+			     cmd_in == CDROM_SEND_PACKET) &&
+			    !capable(CAP_SYS_RAWIO))
 				i = -EPERM;
 			else
 				i = scsi_cmd_ioctl(file, STp->disk, cmd_in, p);
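Review bot: In the default: branch of st_ioctl the capability check now covers only SG_IO, SCSI_IOCTL_SEND_COMMAND and CDROM_SEND_PACKET, so every other cmd_in reaches scsi_cmd_ioctl(file, STp->disk, cmd_in, p) with no check in this driver. That is a deny-list: any pass-through ioctl that scsi_cmd_ioctl handles and that is not named here is open to every user who can open the tape device. Add a comment above the condition stating that these three are the direct command-submission paths and that everything else relies on scsi_cmd_ioctl's own checks, and confirm that filtering is adequate for tape, which is the concern raised earlier in this thread about the midlayer command filter needing tuning for tape.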
@@ -3471,10 +3476,12 @@ static int st_ioctl(struct inode *inode,
 				return i;
 			break;
 	}
-	if (!capable(CAP_SYS_ADMIN) &&
-	    (cmd_in == SCSI_IOCTL_START_UNIT || cmd_in == SCSI_IOCTL_STOP_UNIT))
-		return -EPERM;
-	return scsi_ioctl(STp->device, cmd_in, p);
+	retval = scsi_ioctl(STp->device, cmd_in, p);
+	if (!retval && cmd_in == SCSI_IOCTL_STOP_UNIT) { /* unload */
+		STp->rew_at_close = 0;
+		STp->ready = ST_NO_TAPE;
+	}
+	return retval;
 
  out:
 	up(&STp->lock);
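Review bot: The removed lines at the end of st_ioctl drop the capable() check on SCSI_IOCTL_START_UNIT and SCSI_IOCTL_STOP_UNIT with no replacement, so any user with access to the device can now stop or unload the unit. The commit message says only direct sending of SCSI commands requires the capability, so this looks intended, but it should be stated in a comment at this spot, because an unload issued by one user affects everyone sharing the drive. The new state update also handles only a successful SCSI_IOCTL_STOP_UNIT; the comment should say whether SCSI_IOCTL_START_UNIT needs a matching update to STp->ready or why none is needed.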



Comment 5 Mark J. Cox 2005-06-07 22:20:52 UTC
This bug should be public, the acks have broken that; please fix asap.

Comment 11 Red Hat Bugzilla 2005-10-05 13:01:55 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-514.html