Description of problem: Running eject /dev/hda (my hard disc) as an unprivileged user causes /boot (and other filesystems) to be unmounted. The program returns an invalid argument error, but the following is left in dmesg: ide_do_rw_disk - bad command: dev hda: flags = REQ_RW REQ_SOFTBARRIER REQ_NOMERGE REQ_STARTED REQ_ELVPRIV REQ_BLOCK_PC sector 41895, nr/cnr 8/1 bio 00000000, biotail 00000000, buffer 00000000, data 00000000, len 0 cdb: 1b 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 Version-Release number of selected component (if applicable): kernel-2.6.18-1.2798.fc6 eject-2.1.5-4.1.fc6 How reproducible: Always. Steps to Reproduce: 1. eject /dev/hda Actual results: $ mount /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) tmpfs on /dev/shm type tmpfs (rw) none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) /dev/hda2 on /boot type ext3 (rw) /dev/hda1 on /mnt/winxp type ntfs (ro,noexec,umask=0222) $ eject /dev/hda eject: unable to eject, last error: Invalid argument $ mount /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) tmpfs on /dev/shm type tmpfs (rw) none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) Expected results: /boot and others stay mounted!
eject configures userhelper to allow unrestricted running by users at the console.
Still present in Fedora 7, eject-2.1.5-5 and usermode-1.91.1-1.
This also works when the drive is accessed through libata: $ eject /dev/sda unmounts /boot, but this time there are no error messages. Doesn't this count as a local DoS vulnerability?
In real world, if you're physically local user, you can do mostly everything so I don't think it counts as a real vulnerability.