Bug 155354 - 20050313 SCSI tape security
20050313 SCSI tape security
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tom Coughlan
Brian Brock
http://www.mail-archive.com/linux-scs...
: Security
Depends On:
Blocks: 156322
  Show dependency treegraph
 
Reported: 2005-04-19 10:26 EDT by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version: RHSA-2005-514
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-10-05 09:01:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2005-04-19 10:26:29 EDT
See URL for full details.  "Any user who has been granted permissions to access
a SCSI tape device can send some commands, which may cause it to become unusable
for other users."

Fix:
http://linux.bkbits.net:8080/linux-2.6/cset@42373cf23YEvgue3d3UyXV1OR0aIWA
Comment 1 Dave Jones 2005-04-21 19:09:45 EDT
Alan Cox on rhkernel-list ..

--------------------------------------
NAK.

Because

1. arbitary SCSI command is CAP_SYS_RAWIO (firmware reprogram ...)
2. The midlayer has a proper command filter (which will need tuning for tape)
3. The tape device are usually root only owned.

I'd like to see #1/#2 fixed then its worth it.
-------------------------------------


#3 should make this not-so-urgent to fix ?
Comment 2 Mark J. Cox (Product Security) 2005-04-22 03:30:29 EDT
I'll move this from moderate to low severity as exploitation requires that an
administrator has explicity allowed tape devices to be controlled by other users.
Comment 3 Tom Coughlan 2005-05-17 17:47:03 EDT
For reference, this is the patch that has been tentatively agreed upon upstream.
It is not formally checked in yet, though, so I'll wait a bit before posting it
 on rhkernel-list. 

Adding to the proposed list for U2. 


From linux-scsi-owner@vger.kernel.org Sun May  1 14:10:18 2005

Date: 	Sun, 1 May 2005 21:11:55 +0300 (EEST)
From: Kai Makisara <Kai.Makisara@kolumbus.fi>

To: linux-scsi@vger.kernel.org
Subject: [PATCH 2.6] SCSI tape: fix permissions for SG_IO, etc.

This patch is against 2.6.12-rc3 + linus-patch from April 30. The patch
contains the following fixes:

- CAP_SYS_RAWIO is used instead of CAP_SYS_ADMIN; fix from Alan Cox
- only direct sending of SCSI commands requires this permission
- the st status is modified is successful unload is performed using
  SCSI_IOCTL_STOP_UNIT

Signed-off-by: Kai Makisara <kai.makisara@kolumbus.fi>

--- linux-2.6.12-rc3-300405/drivers/scsi/st.c	2005-04-05 22:36:16.000000000 +0300
+++ linux-2.6.12-rc3-300405-k1/drivers/scsi/st.c	2005-05-01 20:45:27.000000000 +0300
@@ -17,7 +17,7 @@
    Last modified: 18-JAN-1998 Richard Gooch <rgooch@atnf.csiro.au> Devfs support
  */
 
-static char *verstr = "20050312";
+static char *verstr = "20050501";
 
 #include <linux/module.h>
 
@@ -29,6 +29,7 @@ static char *verstr = "20050312";
 #include <linux/string.h>
 #include <linux/errno.h>
 #include <linux/mtio.h>
+#include <linux/cdrom.h>
 #include <linux/ioctl.h>
 #include <linux/fcntl.h>
 #include <linux/spinlock.h>
@@ -50,6 +51,7 @@ static char *verstr = "20050312";
 #include <scsi/scsi_host.h>
 #include <scsi/scsi_ioctl.h>
 #include <scsi/scsi_request.h>
+#include <scsi/sg.h>
 
 
 /* The driver prints some debugging information on the console if DEBUG
@@ -3463,7 +3465,10 @@ static int st_ioctl(struct inode *inode,
 		case SCSI_IOCTL_GET_BUS_NUMBER:
 			break;
 		default:
-			if (!capable(CAP_SYS_ADMIN))
+			if ((cmd_in == SG_IO ||
+			     cmd_in == SCSI_IOCTL_SEND_COMMAND ||
+			     cmd_in == CDROM_SEND_PACKET) &&
+			    !capable(CAP_SYS_RAWIO))
 				i = -EPERM;
 			else
 				i = scsi_cmd_ioctl(file, STp->disk, cmd_in, p);
@@ -3471,10 +3476,12 @@ static int st_ioctl(struct inode *inode,
 				return i;
 			break;
 	}
-	if (!capable(CAP_SYS_ADMIN) &&
-	    (cmd_in == SCSI_IOCTL_START_UNIT || cmd_in == SCSI_IOCTL_STOP_UNIT))
-		return -EPERM;
-	return scsi_ioctl(STp->device, cmd_in, p);
+	retval = scsi_ioctl(STp->device, cmd_in, p);
+	if (!retval && cmd_in == SCSI_IOCTL_STOP_UNIT) { /* unload */
+		STp->rew_at_close = 0;
+		STp->ready = ST_NO_TAPE;
+	}
+	return retval;
 
  out:
 	up(&STp->lock);

Comment 5 Mark J. Cox (Product Security) 2005-06-07 18:20:52 EDT
This bug should be public, the acks have broken that; please fix asap.
Comment 11 Red Hat Bugzilla 2005-10-05 09:01:55 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-514.html

Note You need to log in before you can comment on or make changes to this bug.