Bug 4390 - bad default permissions on various things in /dev
Product: Red Hat Linux
Classification: Retired
Component: dev
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Michael K. Johnson
Keywords: Security
Reported: 1999-08-06 01:26 EDT by wingc
Modified: 2008-05-01 11:37 EDT
Last Closed: 1999-09-20 11:58:59 EDT
Description wingc 1999-08-06 01:26:08 EDT
This was discussed on Bugtraq last year, but it's worth
reporting as a 'bug' in my opinion:

- various "legacy" cd-rom device files are world-readable by
default. These include:

The problem is that in a default RedHat 6.0 installation, if
any user attempts to 'cat' these files, it will trigger a
module load request by the kernel which results in a kernel
module actually being loaded.

The driver modules for these old ISA cd-roms seem to perform
somewhat dangerous probes to determine if a device is
actually present, causing the system to freeze up for several
seconds or more.

In fact, depending upon the hardware present in a given
machine, loading one of these modules may even cause a

I was able to completely lock up many machines running Red
Hat 5.2 by 'cat'ing some of these cd-rom device files as a
non-root user. The same is probably true on Red Hat 6.0
depending on the machine. (basically, if there is a conflict
between the probing done by the old cd-rom driver and the
hardware in your computer, it may cause a freeze)

Also, the mouse device files in /dev are world-readable by
default. This may cause problems because I don't think that
the kernel supports multiple readers on these files-- if a
process opens them and tries to read, it may be able to lock
out the X server from reading, or cause the mouse to behave
erratically, etc.


There may be other problematic device files as well.

Some sound device files in /dev are world-readable too, for
instance (/dev/sndstat for one); any user can cause the
'soundcore', 'soundlow', and 'sound' modules to be loaded by
cat-ing them, although this is probably not a security

I would recommend making at least the 'legacy' cd-rom and
mouse device files non world-readable/writable by default in
Red Hat.


Chris Wing
Comment 1 Preston Brown 1999-08-18 14:08:59 EDT
Michael, o maintainer of the dev package, do you want to fix this?  :)
Comment 2 Michael K. Johnson 1999-09-20 11:58:59 EDT
Fixed in dev-2.7.9 -- thanks for the suggestions.
While I was at it, I noticed that some of the legacy cdrom
devices weren't group disk, so I fixed that as well.
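
An added example, not part of the original bug thread or the dev package: a Python audit that reports device nodes on a watch list when they are world-readable, world-writable, or not in the expected group. It uses lstat() only, since the report notes that opening these nodes can trigger a module load; apart from sndstat, the watch-list names and gid 6 are constructed placeholders.

```python
import fnmatch
import os
import stat

# Constructed policy: name pattern -> gid the node should carry (None = no check).
# "sndstat" is named in the report; the other names and gid 6 are placeholders.
SAMPLE_POLICY = {"sndstat": None, "examplecd*": 6, "examplemouse": None}


def audit_entries(entries, policy):
    """entries: iterable of (name, st_mode, st_gid). Returns [(name, problem)]."""
    findings = []
    for name, mode, gid in entries:
        # Only character and block device nodes are of interest.
        if not (stat.S_ISCHR(mode) or stat.S_ISBLK(mode)):
            continue
        for pattern, want_gid in policy.items():
            if not fnmatch.fnmatch(name, pattern):
                continue
            if mode & stat.S_IROTH:
                findings.append((name, "world-readable"))
            if mode & stat.S_IWOTH:
                findings.append((name, "world-writable"))
            if want_gid is not None and gid != want_gid:
                findings.append((name, "group is %d, expected %d" % (gid, want_gid)))
            break  # first matching pattern wins
    return findings


def scan_dev(root="/dev"):
    """Collect (name, mode, gid) for direct children of root without opening them."""
    entries = []
    for name in sorted(os.listdir(root)):
        try:
            # lstat reads the inode only; it never open()s the device node.
            st = os.lstat(os.path.join(root, name))
        except OSError:
            continue
        entries.append((name, st.st_mode, st.st_gid))
    return entries


if __name__ == "__main__":
    for name, problem in audit_entries(scan_dev(), SAMPLE_POLICY):
        print("%s: %s" % (name, problem))
```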