On Thu, Jan 04, 2007 at 05:13:44PM +0100, Marco d'Itri wrote:
> On Jan 04, dann frazier <[EMAIL PROTECTED]> wrote:
>
> > Mark Salyzyn's reply on LKML suggests that this problem maybe more
> > widespread and possibly difficult audit on the kernel side. Could
> > we do something like change the default block/removable device to
> > GROUP=disk, and override fd type devices w/ GROUP=floppy? This seems
> > like a more secure default for etch, given the circumstances.
> There is much more than "fd type devices" which need to be removable so
> if this needs to be worked around in udev
Right - but what I'm suggesting is that we change the default group
for removable block devices from "floppy" to "disk".
e.g., something like this untested patch:
--- permissions.rules.orig 2007-01-04 09:21:29.000000000 -0700
+++ permissions.rules 2007-01-04 09:22:30.000000000 -0700
@@ -11,7 +11,10 @@
# default permissions for block devices
SUBSYSTEM=="block", GROUP="disk"
-SUBSYSTEM=="block", ATTRS{removable}=="1", GROUP="floppy"
+SUBSYSTEM=="block", ATTRS{removable}=="1", GROUP="disk"
+
+# floppy devices
+KERNEL=="fd[0-9]*", GROUP="floppy"
# IDE devices
KERNEL=="hd[a-z]|pcd[0-9]*", DRIVERS=="ide-cdrom|pcd", \
That seems like a far more secure default for Debian, given that no
users are in the "disk" group by default.
> I'd rather use an explicit list of broken drivers.
In the lifetime of etch, people will be using drivers we haven't yet
seen. Its less of a risk that this will be a floppy device, and it
would have less of an impact.
> BTW, I understand that HAL and maybe pmount will show the same issue.
ok - how so?
> I also wonder why no other distribution noticed this.
Its probably worth asking on the udev list - you want me to do this?
--
dann frazier
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
