[dm-crypt] An observation

Karl O. Pinc kop at meme.com
Wed Jul 10 04:10:02 CEST 2013


On 11/27/2012 11:25:59 AM, Bhushan Jain wrote:
> Hello Developers,
> 
> I am a student at Stony Brook University researching system security.
> I noticed that the only reason dmcrypt-get-device (from eject package)
> needs setuid privilege is to read the major:minor numbers (unless I
> have missed something).
> A lot of distributions (Ubuntu, Fedora, etc.) are trying to avoid use
> of the setuid bit because it can potentially introduce a privilege
> escalation attack vector.
> I think the same thing could be accomplished by exporting the
> major:minor device numbers through a proc file, and then eliminate the
> need for dmcrypt-get-device.
> I would be happy to send you a patch that does this, if there is
> interest.  Any comments/thoughts?

Speaking from ignorance, isn't there something in /sys with this
information?  If so a patch to read from that might be better.
I'm ignorant, but I've this feeling that /proc is frowned upon.

Regards,

Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
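
The /sys suggestion above, sketched as an added example (not from the original thread or from the eject package): an unprivileged shell function that looks up a dm-crypt mapping by name under sysfs and prints each backing device with its major:minor. It assumes the kernel exposes `dm/name`, `dm/uuid` and `slaves/` under `/sys/block/dm-N` and that the mapping was created by cryptsetup (UUID prefixed `CRYPT-`); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the device(s) under a dm-crypt mapping from sysfs,
# without a setuid helper. On a live system: crypt_backing_devs /sys <name>

# crypt_backing_devs SYSFS_ROOT MAPPING_NAME (hypothetical helper name)
# Prints "<backing-dev> <major:minor>" per line; returns 1 if the mapping
# is missing or is not a cryptsetup mapping.
crypt_backing_devs() {
    sysfs=$1
    name=$2
    for dm in "$sysfs"/block/dm-*; do
        [ -r "$dm/dm/name" ] || continue
        [ "$(cat "$dm/dm/name")" = "$name" ] || continue
        # Assumption: cryptsetup sets a device-mapper UUID starting "CRYPT-".
        case "$(cat "$dm/dm/uuid" 2>/dev/null)" in
            CRYPT-*) ;;
            *) return 1 ;;
        esac
        for slave in "$dm"/slaves/*; do
            [ -r "$slave/dev" ] || continue
            printf '%s %s\n' "${slave##*/}" "$(cat "$slave/dev")"
        done
        return 0
    done
    return 1
}

# Constructed sample tree (not real system data): dm-0 is a LUKS mapping on
# sda2, dm-1 is an LVM volume stacked on top of dm-0.
make_sample_sysfs() {
    root=$1
    mkdir -p "$root/block/dm-0/dm" "$root/block/dm-0/slaves/sda2" \
             "$root/block/dm-1/dm" "$root/block/dm-1/slaves/dm-0"
    echo "253:0"     > "$root/block/dm-0/dev"
    echo "cryptroot" > "$root/block/dm-0/dm/name"
    echo "CRYPT-LUKS1-00000000000000000000000000000000-cryptroot" \
                     > "$root/block/dm-0/dm/uuid"
    echo "8:2"       > "$root/block/dm-0/slaves/sda2/dev"
    echo "253:1"     > "$root/block/dm-1/dev"
    echo "vg-home"   > "$root/block/dm-1/dm/name"
    echo "LVM-constructed" > "$root/block/dm-1/dm/uuid"
    echo "253:0"     > "$root/block/dm-1/slaves/dm-0/dev"
}

demo=$(mktemp -d)
make_sample_sysfs "$demo"
crypt_backing_devs "$demo" cryptroot   # prints: sda2 8:2
rm -rf "$demo"
```

The UUID check makes the function refuse non-crypt device-mapper targets such as the stacked LVM volume in the sample tree.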

