[dm-crypt] An observation

Bhushan Jain bpjain at cs.stonybrook.edu
Tue Nov 27 18:25:59 CET 2012


Hello Developers,

I am a student at Stony Brook University researching system security.
I noticed that the only reason dmcrypt-get-device (from the eject package) needs setuid privilege is to read the major:minor numbers (unless I have missed something).
A lot of distributions (Ubuntu, Fedora, etc.) are trying to avoid use of the setuid bit because it can potentially introduce a privilege escalation attack vector.
I think the same thing could be accomplished by exporting the major:minor device numbers through a proc file, and then eliminating the need for dmcrypt-get-device.
I would be happy to send you a patch that does this, if there is interest. Any comments/thoughts?

Thanks,
Bhushan Jain
PhD student,
Computer Science,
Stony Brook University
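
Added example, not part of the original message and not code from eject or dm-crypt: an unprivileged lookup of the major:minor numbers of the devices below a device-mapper node, read from the `slaves/<device>/dev` attributes that Linux sysfs exposes for block devices. The function names, the `sysfs_root` parameter and the sample tree (dm-0 at 253:0 on top of sda2 at 8:2) are constructed for illustration.

```python
import os
import re
import tempfile

DEVNO = re.compile(r"(\d+):(\d+)")

def read_devno(dev_file):
    """Parse a sysfs 'dev' attribute ("MAJOR:MINOR") into (major, minor)."""
    with open(dev_file) as fh:
        match = DEVNO.fullmatch(fh.read().strip())
    if match is None:
        raise ValueError(f"malformed dev attribute: {dev_file}")
    return int(match.group(1)), int(match.group(2))

def underlying_devices(dm_name, sysfs_root="/sys"):
    """Map each device below a device-mapper node to its (major, minor)."""
    # Accept only a plain dm-N name so the argument cannot steer the
    # lookup outside <sysfs_root>/block.
    if not re.fullmatch(r"dm-\d+", dm_name):
        raise ValueError(f"not a device-mapper node name: {dm_name!r}")
    slaves_dir = os.path.join(sysfs_root, "block", dm_name, "slaves")
    # Each entry in slaves/ links to the underlying device's sysfs directory.
    return {
        slave: read_devno(os.path.join(slaves_dir, slave, "dev"))
        for slave in sorted(os.listdir(slaves_dir))
    }

def build_sample_tree(root):
    """Constructed sample tree: dm-0 (253:0) mapped on top of sda2 (8:2)."""
    part = os.path.join(root, "block", "sda", "sda2")
    slaves = os.path.join(root, "block", "dm-0", "slaves")
    os.makedirs(part)
    os.makedirs(slaves)
    with open(os.path.join(part, "dev"), "w") as fh:
        fh.write("8:2\n")
    with open(os.path.join(root, "block", "dm-0", "dev"), "w") as fh:
        fh.write("253:0\n")
    os.symlink(part, os.path.join(slaves, "sda2"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(underlying_devices("dm-0", sysfs_root=tmp))
```

Because the lookup only reads world-readable attributes, it runs without setuid or any added capability.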

