Bug 118051 - kdm should not read /dev/mem
Product: Fedora
Classification: Fedora
Component: kdebase   
Version: rawhide
Hardware: All
OS: Linux
Assignee: Ngo Than
QA Contact: Ben Levenson
Keywords: Security, SELinux
Duplicates: 118123
Blocks: FC2Blocker
Reported: 2004-03-11 14:59 UTC by Aleksey Nogin
Modified: 2007-11-30 22:10 UTC (History)
Doc Type: Bug Fix
Last Closed: 2004-05-01 13:23:40 UTC

Description Aleksey Nogin 2004-03-11 14:59:51 UTC
I am seeing the following message:

Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc:  denied  { read } for  pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359 tcontext=system_u:object_r:memory_device_t tclass=chr_file

According to Russell Coker:
> That's a bug in kdm.  It should use /dev/random instead.  Reading
> kernel memory as a source of random numbers is bogus anyway.

Comment 1 Aleksey Nogin 2004-03-12 06:21:17 UTC
*** Bug 118123 has been marked as a duplicate of this bug. ***

Comment 2 Aleksey Nogin 2004-04-15 07:26:04 UTC
I have looked at the code a bit. In order for this to work correctly,
the kdm/backend/genauth.c file has to be compiled with DEV_RANDOM
define set to "/dev/urandom". Configure creates kdm/backend/Imakefile
that contains the following:
#ifdef RandomDefines
RANDOM_DEFINES = RandomDefines
#elif defined(OpenBSDArchitecture)
#elif defined(LinuxArchitecture)
RANDOM_DEFINES = -DDEV_RANDOM=\"/dev/urandom\"
#elif defined(NetBSDArchitecture) && \
  ((OSMajorVersion > 1) || \
   (OSMajorVersion == 1 && OSMinorVersion > 3))
RANDOM_DEFINES = -DDEV_RANDOM=\"/dev/urandom\"

However, the  -DDEV_RANDOM=\"/dev/urandom\"  never makes it into the
actual Makefile.

P.S. A possible workaround is to add the "RandomDevice=/dev/urandom"
line to the "General" section of the kdmrc.

P.P.S. The same bug exists in xdm (not surprisingly - it appears that
the code was borrowed from xdm originally) - see bug 120914.

P.P.P.S. kdm complains "Cannot read randomFile "/dev/mem"; X cookies
may be easily guessable" because of this, so I guess this makes it a
security problem.

Comment 3 Ngo Than 2004-05-01 13:23:40 UTC
I have added a fix for using urandom instead of mem. It's fixed in
kdebase-3.2.2-3. Thanks for your report.
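
An added example, not part of the bug report and not kdm's or xdm's code: a C routine that builds an X authorization cookie from the DEV_RANDOM device discussed in comment 2 and fails closed rather than falling back to another source. The function names and the 16-byte cookie length (the size of a MIT-MAGIC-COOKIE-1 key) are assumptions of this example.

```c
/* Added example, not kdm's genauth.c. Function names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef DEV_RANDOM                 /* same macro name the Imakefile sets */
#define DEV_RANDOM "/dev/urandom"
#endif
#define COOKIE_LEN 16              /* assumption: MIT-MAGIC-COOKIE-1, 128 bits */

/* Fill buf with len bytes from a character device; 0 on success, -1 on error. */
int read_random_bytes(const char *path, unsigned char *buf, size_t len)
{
    struct stat st;
    size_t got = 0;
    int fd = open(path, O_RDONLY);

    if (fd < 0)
        return -1;
    /* Accept only a character device node, not a regular file or directory. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;              /* interrupted by a signal: retry */
        if (n <= 0) {              /* error or EOF: never return a partial buffer */
            close(fd);
            return -1;
        }
        got += (size_t)n;          /* short reads are allowed, keep going */
    }
    close(fd);
    return 0;
}

/* Write a hex cookie into out (2*COOKIE_LEN+1 bytes); -1 means no cookie. */
int make_cookie_hex(char *out)
{
    unsigned char raw[COOKIE_LEN];

    if (read_random_bytes(DEV_RANDOM, raw, sizeof raw) != 0)
        return -1;                 /* fail closed: no fallback to /dev/mem */
    for (size_t i = 0; i < COOKIE_LEN; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}
```

Building with -DDEV_RANDOM=\"/dev/urandom\" overrides the default in the same way the Imakefile line quoted in comment 2 is meant to.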