Package: udev
Version: 164-3
Severity: important
Tags: security

Udev sets device permissions too loose when the system runs from removable
media. It should see that the root filesystem is there and allow access by the
disk group only.

Here is an example (sda is the internal disk, sdb is the SD memory card where
Debian is installed and running now):

-------------------------------------------------------
root@lisko:~# ls -l /dev/sd*
brw-rw---- 1 root disk   8,  0 Oct 16 01:17 /dev/sda
brw-rw---- 1 root disk   8,  1 Oct 16 01:17 /dev/sda1
brw-rw---- 1 root disk   8,  2 Oct 16 01:17 /dev/sda2
brw-rw---- 1 root disk   8,  3 Oct 16 01:17 /dev/sda3
brw-rw---- 1 root disk   8,  4 Oct 16 01:17 /dev/sda4
brw-rw---- 1 root disk   8,  5 Oct 16 01:17 /dev/sda5
brw-rw---- 1 root floppy 8, 16 Oct 16 01:26 /dev/sdb
brw-rw---- 1 root floppy 8, 17 Oct 16 01:17 /dev/sdb1
root@lisko:~# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sdb1              7592316   6055756   1459428  81% /
-------------------------------------------------------

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
Architecture: i386 (x86_64)

Kernel: Linux 3.0.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages udev depends on:
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  libc6                  2.11.2-10         Embedded GNU C Library: Shared lib
ii  libselinux1            2.0.96-1          SELinux runtime shared libraries
ii  libudev0               164-3             libudev shared library
ii  libusb-0.1-4           2:0.1.12-16       userspace USB programming library
ii  lsb-base               3.2-23.2squeeze1  Linux Standard Base 3.2 init scrip
ii  util-linux             2.17.2-9          Miscellaneous system utilities

Versions of packages udev recommends:
ii  pciutils               1:3.1.7-6         Linux PCI Utilities
ii  usbutils               0.87-5squeeze1    Linux USB utilities

udev suggests no packages.
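
Added example (not part of the original report and not udev code): a Python check that flags the condition described above, where the device backing the root filesystem is owned by a group other than disk. The function names are hypothetical, the sample input is an excerpt of the output quoted in the report, and sdX-style device naming is assumed.

```python
import re

# Sample input: excerpt of the `ls -l /dev/sd*` and `df` output quoted in the report.
LS_OUTPUT = """\
brw-rw---- 1 root disk   8,  0 Oct 16 01:17 /dev/sda
brw-rw---- 1 root disk   8,  1 Oct 16 01:17 /dev/sda1
brw-rw---- 1 root floppy 8, 16 Oct 16 01:26 /dev/sdb
brw-rw---- 1 root floppy 8, 17 Oct 16 01:17 /dev/sdb1
"""
DF_OUTPUT = """\
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sdb1              7592316   6055756   1459428  81% /
"""

def parse_ls(text):
    """Map each block-device path to its (mode, group) from `ls -l` output."""
    devices = {}
    for line in text.splitlines():
        fields = line.split()
        # Block-device entries have a mode string starting with 'b'.
        if len(fields) >= 9 and fields[0].startswith("b"):
            devices[fields[-1]] = (fields[0], fields[3])
    return devices

def root_source(df_text):
    """Return the device that `df` reports as mounted on /, or None."""
    for line in df_text.splitlines()[1:]:
        fields = line.split()
        if fields and fields[-1] == "/":
            return fields[0]
    return None

def backing_devices(partition):
    # Assumption: sdX naming, so the parent disk is the name minus trailing digits.
    return sorted({partition, re.sub(r"\d+$", "", partition)})

def audit_root_device(ls_text, df_text, expected_group="disk"):
    """List (path, group) for root-backing devices not owned by expected_group."""
    devices = parse_ls(ls_text)
    root = root_source(df_text)
    if root is None:
        return []
    return [(p, devices[p][1]) for p in backing_devices(root)
            if p in devices and devices[p][1] != expected_group]

if __name__ == "__main__":
    for path, group in audit_root_device(LS_OUTPUT, DF_OUTPUT):
        print(f"{path}: group {group!r} backs the root filesystem, expected 'disk'")
```

With mode brw-rw----, every member of the reported group can read and write the raw device, so a finding here means members of floppy have direct access to the root filesystem.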

