[Bug 277228] Device permissions security hole with partitioning (/dev/geom.ctl)

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 22 Feb 2024 21:56:01 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277228

            Bug ID: 277228
           Summary: Device permissions security hole with partitioning
                    (/dev/geom.ctl)
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: misc
          Assignee: bugs@FreeBSD.org
          Reporter: vince.bsd@hightek.org

Any user belonging to the 'operator' group has the power to completely delete
and re-create partition tables on all unmounted drive devices on the entire
system, just because the devices belong to that group, even if there is no read
or write access to the devices by the group.

It is very counterintuitive and unexpected to see devices that have no write
access and even no read access, yet to be able to do something as critical as
deleting the entire partition table just by belonging to the group, which creates
a significant security hole in FreeBSD that even the most seasoned systems
administrator can easily and unexpectedly fall into.

If I want, for example, to give certain users the ability to partition and
write thumb drives, there is no way to do this by setting up a group and write
permission on the flash drive devices (/dev/da*).  It requires me to make them
belong to the same group as /dev/geom.ctl, which allows partitioning of every
device on the system.

Here are the default permissions for geom.ctl.
crw-r-----  1 root  operator  0xa Nov 16 11:50 /dev/geom.ctl

Here are the default permissions for the devices.
crw-r-----  1 root  operator  0x53 Nov 16 11:50 /dev/ada0
crw-r-----  1 root  operator  0x55 Nov 16 11:50 /dev/ada0p1
...

This is not limited, of course, to the operator group.  I can change the group
on the drive devices to any other group that I am a member of and even remove
read permission for the group on the drives and can still delete the partition
table.
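The following audit helper is an added example and is not part of the bug report or of FreeBSD itself. It takes the kind of data the report quotes (an `ls -l` line for /dev/geom.ctl, an `ls -l` line for a drive device, and an /etc/group excerpt) and lists the accounts that can reach /dev/geom.ctl through its owning group but are not in the device's own group. The sample lines, the device /dev/da0 with group `usb`, and the users alice, bob and carol are all constructed for the example; on a FreeBSD host you would substitute real `ls -l` and /etc/group output.

```sh
#!/bin/sh
# Added audit helper (not from the bug report): which accounts can issue GEOM
# control requests via group membership on /dev/geom.ctl, and which of those
# have no group access to a given device at all.

# Constructed: the geom.ctl line with the default mode quoted in the report.
SAMPLE_GEOM_CTL='crw-r-----  1 root  operator  0xa Nov 16 11:50 /dev/geom.ctl'
# Constructed: a drive device whose group was changed away from operator.
SAMPLE_DEVICE='crw-rw----  1 root  usb  0x53 Nov 16 11:50 /dev/da0'
# Constructed /etc/group excerpt with hypothetical users.
SAMPLE_GROUP='wheel:*:0:root,alice
operator:*:5:root,alice,bob
usb:*:1001:carol'

# Field 4 of an `ls -l` line is the owning group.
owning_group() { printf '%s\n' "$1" | awk '{ print $4 }'; }

# Members (field 4 of /etc/group) of the named group, one user per line.
members_of() {
    printf '%s\n' "$2" | awk -F: -v g="$1" \
        '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}

# Non-root users who can open /dev/geom.ctl through its group; root is
# excluded because root has that power regardless of the mode bits.
geom_ctl_users() {
    members_of "$(owning_group "$1")" "$2" | grep -v '^root$' | sort -u | paste -sd, -
}

# Users who hold geom.ctl group access but are not in the device's group:
# per the report they cannot open the device, yet can still rewrite its
# partition table. Arguments: geom.ctl ls line, device ls line, group data.
partition_without_device_access() {
    ctl=$(members_of "$(owning_group "$1")" "$3" | grep -v '^root$' | sort -u)
    dev=$(members_of "$(owning_group "$2")" "$3" | sort -u)
    printf '%s\n' "$ctl" | while read -r u; do
        [ -n "$u" ] || continue
        printf '%s\n' "$dev" | grep -qx "$u" || printf '%s\n' "$u"
    done | paste -sd, -
}

# Stand-alone usage against the constructed samples.
printf 'geom.ctl group members: %s\n' \
    "$(geom_ctl_users "$SAMPLE_GEOM_CTL" "$SAMPLE_GROUP")"
printf 'can repartition %s without group access to it: %s\n' \
    "$(printf '%s\n' "$SAMPLE_DEVICE" | awk '{ print $NF }')" \
    "$(partition_without_device_access "$SAMPLE_GEOM_CTL" "$SAMPLE_DEVICE" "$SAMPLE_GROUP")"
```

The second list is the one worth watching: any non-empty result means an account can rewrite a device's partition table even though the device's own mode bits give it nothing, which is exactly the mismatch the report describes.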

There is a more detailed discussion on the issue in the forum at
https://forums.freebsd.org/threads/gpart-device-permissions-security-hole-dev-geom-ctl.92397
Title: gpart device permissions security hole (/dev/geom.ctl)

PS:
    Hopefully this will post in a readable format.  Preview is broken in both
firefox and chrome (just shows a blank window) and I discovered it apparently
has been for several years.

    https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250699
