[LBo] Curious about a security issue
Stefan Waidele
Stefan at Waidele.info
Sun Feb 11 21:56:21 CET 2007
Dave Lerner wrote:
> I'm curious about a security issue.
>
> I have the package lde (Linux Disk Editor) installed. It allows one to
> read/write raw data on the disk, evidently bypassing directory and file
> permissions.
>
> On my computer, that doesn't really matter, since I'm the only user.
>
> But what would stop someone from copying lde into his home directory on
> a multi-user server, and using it to read or modify other users' or
> root's files?

The access permissions on the device-file should take care of that.

stw at notebook:~$ ls -l /dev/hda
brw-rw---- 1 root disk 3, 0 1999-11-30 01:00 /dev/hda

Only root and those users in the disk-group should be able to use that
program (to access hda).

As it turned out in chat, it seems that in the Mepis default
configuration, regular users are in the "disk" group, which is a
security issue.
But I cannot verify that, since I don't run Mepis.

On Ubuntu (inheriting much of Debian's security), it is not possible for
regular users to read the raw device file:

stw at notebook:~$ cat /dev/hda
cat: /dev/hda: Permission denied

But it is always good to watch out :)

Stefan
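
An added example, not part of the original message or of any project's code: a small Python audit for the two conditions discussed above, regular users in the "disk" group and block-device modes that grant access to "other". The passwd/group contents are constructed sample data, and treating UID >= 1000 as a regular user is an assumption based on the Debian/Ubuntu convention.

```python
import stat

# Constructed sample data (not from the original post): a system where the
# regular user "alice" has been added to the "disk" group.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
disk:x:6:alice
alice:x:1000:
bob:x:1001:
"""

def users_in_group(passwd_text, group_text, group="disk", min_uid=1000):
    """Return regular users (UID >= min_uid, an assumed cutoff) who belong
    to `group`, as supplementary members or via their primary GID."""
    gid, members = None, set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group:
            gid = fields[2]
            members = {m for m in fields[3].split(",") if m}
    if gid is None:
        return []
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue
        name, uid, primary_gid = fields[0], int(fields[2]), fields[3]
        if uid >= min_uid and (name in members or primary_gid == gid):
            hits.append(name)
    return sorted(hits)

def device_mode_findings(mode):
    """Flag a block device whose mode lets 'other' read or write it."""
    findings = []
    if stat.S_ISBLK(mode) and mode & stat.S_IROTH:
        findings.append("world-readable")
    if stat.S_ISBLK(mode) and mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

if __name__ == "__main__":
    print("regular users in disk:", users_in_group(SAMPLE_PASSWD, SAMPLE_GROUP))
    # brw-rw---- as in the ls -l output quoted in the message
    print("mode 0660:", device_mode_findings(stat.S_IFBLK | 0o660))
```

On a live system, pass the contents of /etc/passwd and /etc/group and the st_mode from os.stat() on the device node.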