Bug 214504 - Unprivileged eject /dev/hda unmounts /boot
Status: CLOSED DEFERRED
Product: Fedora
Classification: Fedora
Component: eject
Version: 7
Hardware: All Linux
Priority: medium, Severity: high
Assigned To: Zdenek Prikryl
Reported: 2006-11-07 16:31 EST by James
Modified: 2008-02-10 16:01 EST
Doc Type: Bug Fix
Last Closed: 2008-02-10 16:01:03 EST


Description James 2006-11-07 16:31:22 EST
Description of problem:
Running eject /dev/hda (my hard disc) as an unprivileged user causes /boot (and
other filesystems) to be unmounted. The program returns an invalid argument
error, but the following is left in dmesg:

ide_do_rw_disk - bad command: dev hda: flags = REQ_RW REQ_SOFTBARRIER
REQ_NOMERGE REQ_STARTED REQ_ELVPRIV REQ_BLOCK_PC 
sector 41895, nr/cnr 8/1
bio 00000000, biotail 00000000, buffer 00000000, data 00000000, len 0
cdb: 1b 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 


Version-Release number of selected component (if applicable):
kernel-2.6.18-1.2798.fc6
eject-2.1.5-4.1.fc6

How reproducible:
Always.

Steps to Reproduce:
1. eject /dev/hda
  
Actual results:

$ mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/dev/hda2 on /boot type ext3 (rw)
/dev/hda1 on /mnt/winxp type ntfs (ro,noexec,umask=0222)

$ eject /dev/hda
eject: unable to eject, last error: Invalid argument

$ mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)


Expected results:
/boot and others stay mounted!

Comment 1 Miloslav Trmač 2007-03-10 00:38:41 EST
eject configures userhelper to allow unrestricted running by users at the console.

Comment 2 James 2007-06-08 12:47:41 EDT
Still present in Fedora 7, eject-2.1.5-5 and usermode-1.91.1-1.

Comment 3 James 2007-06-19 14:27:17 EDT
This also works when the drive is accessed through libata:

$ eject /dev/sda

unmounts /boot, but this time there are no error messages. Doesn't this count as
a local DoS vulnerability?

Comment 4 Marek Mahut 2007-08-16 17:03:08 EDT
In the real world, if you're a physically local user, you can do mostly everything, so
I don't think it counts as a real vulnerability.
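
A pre-flight check for the behaviour reported in this bug, as an added example that is not part of the thread or of eject itself: it lists the mount points backed by a disk's partitions and refuses when the kernel does not flag the disk as removable. The function names, the SYSFS override and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and the SYSFS override are hypothetical.

# Constructed sample: `mount` output modelled on the report, before eject.
SAMPLE_MOUNTS='/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
/dev/hda2 on /boot type ext3 (rw)
/dev/hda1 on /mnt/winxp type ntfs (ro,noexec,umask=0222)'

# Print mount points whose source is DISK or one of its partitions.
# Reads `mount`-style lines ("<dev> on <dir> type <fs> (<opts>)") on stdin.
# Limitations: device-mapper/LVM volumes stacked on DISK are not resolved,
# and mount points containing spaces are truncated.
affected_mounts() {
    awk -v disk="$1" '
        $2 == "on" && index($1, disk) == 1 {
            part = substr($1, length(disk) + 1)   # "", "2", "p1", ...
            if (part ~ /^(p?[0-9]+)?$/) print $3
        }'
}

# Succeed only if the kernel flags the disk as removable media.
# SYSFS defaults to /sys and can be pointed elsewhere for testing.
is_removable() {
    [ "$(cat "${SYSFS:-/sys}/block/${1##*/}/removable" 2>/dev/null)" = "1" ]
}

# Return 0 if DISK is removable, 1 otherwise. For a fixed disk, report
# on stderr which mounted filesystems an eject attempt would put at risk.
eject_preflight() {
    disk=$1
    hits=$(affected_mounts "$disk")      # consumes stdin
    if is_removable "$disk"; then
        return 0
    fi
    echo "refusing: $disk is not removable; mounted from it: $(echo $hits)" >&2
    return 1
}

# Usage: mount | eject_preflight /dev/hda && eject /dev/hda
```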
