[dm-crypt] An observation

Bhushan Jain bpjain at cs.stonybrook.edu
Wed Jul 10 05:15:00 CEST 2013


Hi Karl,
You are absolutely correct. I have submitted a patch to the Debian eject package to use /sys instead, as you suggested. However, somehow, it is not integrated yet. You can take a look at the thread here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695504


Thanks,
Bhushan

On Jul 9, 2013, at 10:10 PM, "Karl O. Pinc" <kop at meme.com> wrote:

On 11/27/2012 11:25:59 AM, Bhushan Jain wrote:
Hello Developers,

I am a student at Stony Brook University researching system security.
I noticed that the only reason dmcrypt-get-device (from eject package)
needs setuid privilege is to read the major:minor numbers (unless I
have missed something).
A lot of distributions (Ubuntu, Fedora, etc.) are trying to avoid use
of the setuid bit because it can potentially introduce a privilege
escalation attack vector.
I think the same thing could be accomplished by exporting the
major:minor device numbers through a proc file, and then eliminate the
need for dmcrypt-get-device.
I would be happy to send you a patch that does this, if there is
interest.  Any comments/thoughts?

Speaking from ignorance, isn't there something in /sys with this
information?  If so a patch to read from that might be better.
I'm ignorant, but I've this feeling that /proc is frowned upon.

Regards,

Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                -- Robert A. Heinlein
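
The /sys approach discussed in this thread, as an added example (it is not the patch from the Debian bug and not code from the eject package): the function reads the world-readable `dev` attribute of each entry under `/sys/block/<dm-node>/slaves/`, so no setuid bit is required. The function name `dm_backing_devnos` and the overridable sysfs root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print the major:minor numbers of the devices backing a
# device-mapper node using only unprivileged sysfs reads.

# dm_backing_devnos <dm-node> [sysfs-root]
#   Prints one "name major:minor" line per backing device.
#   Returns 0 if at least one was found, 1 if none, 2 on a bad node name.
#   sysfs-root defaults to /sys; it is a parameter so the function can be
#   exercised against a constructed directory tree.
dm_backing_devnos() {
    node=$1
    root=${2:-/sys}
    # Accept only a plain kernel name such as dm-0, so a caller-supplied
    # value cannot step outside the block directory.
    case $node in
        ''|*/*|.*) return 2 ;;
    esac
    dir=$root/block/$node/slaves
    [ -d "$dir" ] || return 1
    found=1
    for slave in "$dir"/*; do
        [ -r "$slave/dev" ] || continue
        # The dev attribute is a single line of the form "major:minor".
        IFS= read -r devno < "$slave/dev" || [ -n "$devno" ] || continue
        case $devno in
            *[!0-9:]*|*:*:*|:*|*:) continue ;;  # malformed, skip it
            *:*) ;;                             # looks like N:M
            *) continue ;;                      # no colon at all
        esac
        printf '%s %s\n' "${slave##*/}" "$devno"
        found=0
    done
    return $found
}

# Stand-alone use: sh thisfile.sh dm-0
if [ "$#" -gt 0 ]; then
    dm_backing_devnos "$@"
fi
```
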