Bug 118051 - kdm should not read /dev/mem
kdm should not read /dev/mem
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: kdebase (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ngo Than
Ben Levenson
: Security, SELinux
: 118123 (view as bug list)
Depends On:
Blocks: FC2Blocker
  Show dependency treegraph
 
Reported: 2004-03-11 09:59 EST by Aleksey Nogin
Modified: 2007-11-30 17:10 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-05-01 09:23:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Aleksey Nogin 2004-03-11 09:59:51 EST
I am seeing the following message:

Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc:  denied  {
read } for  pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359
scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
 
According to Russell Coker
 
> That's a bug in kdm.  It should use /dev/random instead.  Reading
arbitary 
> kernel memory as a source of random numbers is bogus anyway.
Comment 1 Aleksey Nogin 2004-03-12 01:21:17 EST
*** Bug 118123 has been marked as a duplicate of this bug. ***
Comment 2 Aleksey Nogin 2004-04-15 03:26:04 EDT
I have looked at the code a bit. In order for this to work correctly,
the kdm/backend/genauth.c file has to be compiled with DEV_RANDOM
define set to "/dev/urandom". Configure creates kdm/backend/Imakefile
that contains the following:
#ifdef RandomDefines
RANDOM_DEFINES = RandomDefines
#elif defined(OpenBSDArchitecture)
RANDOM_DEFINES = -DARC4_RANDOM
#elif defined(LinuxArchitecture)
RANDOM_DEFINES = -DDEV_RANDOM=\"/dev/urandom\"
#elif defined(NetBSDArchitecture) && \
  ((OSMajorVersion > 1) || \
   (OSMajorVersion == 1 && OSMinorVersion > 3))
RANDOM_DEFINES = -DDEV_RANDOM=\"/dev/urandom\"
#endif

However, the  -DDEV_RANDOM=\"/dev/urandom\"  never makes it into the
actual Makefile.

P.S. A possible workaround is to add the "RandomDevice=/dev/urandom"
line to the "General" section of the kdmrc.

P.P.S. The same bug exists in xdm (not surprizingly - it appears that
the code was borrowed from xdm originally) - see bug 120914.

P.P.P.S. kdm complains "Cannot read randomFile "/dev/mem"; X cookies
may be easily guessable" because of this, so I guess this makes it a
security problem.
Comment 3 Ngo Than 2004-05-01 09:23:40 EDT
i have added a fix for using urandom instead mem. It's fixed in
kdebase-3.2.2-3. Thanks for your report.

Note You need to log in before you can comment on or make changes to this bug.