Bug 214504

Summary: Unprivileged eject /dev/hda unmounts /boot
Product: [Fedora] Fedora Reporter: James <james>
Component: ejectAssignee: Zdenek Prikryl <zprikryl>
Status: CLOSED DEFERRED QA Contact:
Severity: high Docs Contact:
Priority: medium    
Version: 7CC: mitr, mmahut, tmraz, vapier, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-02-10 21:01:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description James 2006-11-07 21:31:22 UTC 
Description of problem:
Running eject /dev/hda (my hard disc) as an unprivileged user causes /boot (and
other filesystems) to be unmounted. The program returns an invalid argument
error, but the following is left in dmesg:

ide_do_rw_disk - bad command: dev hda: flags = REQ_RW REQ_SOFTBARRIER
REQ_NOMERGE REQ_STARTED REQ_ELVPRIV REQ_BLOCK_PC 
sector 41895, nr/cnr 8/1
bio 00000000, biotail 00000000, buffer 00000000, data 00000000, len 0
cdb: 1b 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 


Version-Release number of selected component (if applicable):
kernel-2.6.18-1.2798.fc6
eject-2.1.5-4.1.fc6

How reproducible:
Always.

Steps to Reproduce:
1. eject /dev/hda
  
Actual results:

$ mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/dev/hda2 on /boot type ext3 (rw)
/dev/hda1 on /mnt/winxp type ntfs (ro,noexec,umask=0222)

$ eject /dev/hda
eject: unable to eject, last error: Invalid argument

$ mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)


Expected results:
/boot and others stay mounted!
Comment 1 Miloslav Trmač 2007-03-10 05:38:41 UTC 
eject configures userhelper to allow unrestricted running by users at the console.
Comment 2 James 2007-06-08 16:47:41 UTC 
Still present in Fedora 7, eject-2.1.5-5 and usermode-1.91.1-1.
Comment 3 James 2007-06-19 18:27:17 UTC 
This also works when the drive is accessed through libata:

$ eject /dev/sda

unmounts /boot, but this time there are no error messages. Doesn't this count as
a local DoS vulnerability?
Comment 4 Marek Mahut 2007-08-16 21:03:08 UTC 
In real world, if you're physically local user, you can do mostly everything so
I don't think it counts as a real vulnerability.