gpart device permissions security hole (/dev/geom.ctl)

From: Vincent Stemen <vince.bsd_at_hightek.org>
Date: Sat, 17 Feb 2024 22:41:34 UTC
Hi.

In the process of writing some systems administration tools on FreeBSD
13.1-RELEASE to custom partition drives and set up computers for our network
and our customers, I have discovered that any user belonging to the
'operator' group has the power to completely delete the partition table and
wipe out the whole system, just because the drive devices belong to that
group, even if there is no read or write access to the devices by the group.
I had to do a lot of research to find out, via mention on the freebsd irc
after I asked and had considerable discussion, that these permissions are
granted by just having read access for the group for /dev/geom.ctl.  I found
no documentation in general searches explaining this and no mention of it in
the man pages such as for gpart or geom.

It seems like a bizarre design choice to me.  It is very counterintuitive
to see devices that have no write access and even no read access, yet be
able to do something as critical as delete the entire partition table by
just belonging to the group.

I have been a Unix systems administrator for well over 35 years and it's not
uncommon for administrators to belong to the operator group for restricted
admin tasks.  It is completely unexpected to discover the user can wipe out
the whole system.

https://unix.stackexchange.com/questions/11638/what-is-the-point-of-the-operator-user
    The concept of operators origins from the second generation of
    computers.  The operator was responsible for putting the cards on the
    machine for execution. When the execution was done, the operator would
    collect the output and the cards and deliver them back to the
    programmer.

    During the third generation, when the first UNIXes appeared, ...
    the user operator on UNIX systems was meant for doing low privileged
    administrative tasks (replacing tapes, backups, maintenance, etc.).

This is the purpose I have always understood and used the operator group for
in a variety of different Unix systems during all the years I have been
a systems administrator.

I have always thought that FreeBSD put high priority and great pride in the
security of the system, but this is a substantial security hole.  I only
discovered it by complete accident during the development of our in-house
tools when I ran the scripts from my normal user account, which also belongs
to the operator group, during testing, expecting to get permission denied
errors, only to discover it successfully wiped out and re-wrote the
partition table.  Luckily I had specified my test device that was not being
used on the live running system.

I don't know the rationale behind this design decision, and perhaps there
are good reasons for it from certain perspectives, but whatever it is, it
does not change the fact that it creates a massive security hole in FreeBSD
that even the most seasoned systems administrator can easily and
unexpectedly fall into.

Here are the default permissions for geom.ctl.
crw-r-----  1 root  operator  0xa Nov 16 11:50 /dev/geom.ctl

Here are the default permissions for the devices.
crw-r-----  1 root  operator  0x53 Nov 16 11:50 /dev/ada0
crw-r-----  1 root  operator  0x55 Nov 16 11:50 /dev/ada0p1
...

This is not limited, of course, to the operator group.  I can change the
group on the drive devices to any other group that I am a member of and even
remove read permission for the group on the drives and can still delete the
partition table.

I have never seen such behaviour in any other Unix environment.
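The following is an added audit script, not part of the original message and not FreeBSD project code. Taking the poster's observation at face value (read access to /dev/geom.ctl is what lets gpart(8) rewrite partition tables), it answers the question an administrator would ask next: which non-root accounts on this host can open /dev/geom.ctl for reading? It parses an `ls -l` line for the node and group(5)-format text, so it can be run offline against output copied from a host; the listing and group entries below are constructed samples modelled on the permissions shown in the post. The user names in them are invented.

```shell
#!/bin/sh
# Added example (not from the original post): list non-root accounts that
# can open /dev/geom.ctl for reading, given an `ls -l` line for the node
# and /etc/group contents.  Per the post above, that read access is what
# allows gpart(8) to delete or rewrite partition tables.

# Constructed sample input, modelled on the listing in the post.
# The user names are invented for the example.
SAMPLE_LS='crw-r-----  1 root  operator  0xa Nov 16 11:50 /dev/geom.ctl'
SAMPLE_GROUP='wheel:*:0:root,alice
operator:*:5:root,vince,backup
staff:*:20:bob'

# Print the owning group if the mode string grants group read (5th
# character of "crw-r-----"), otherwise print "-".
geomctl_read_group() {
    ls_line=$1
    mode=$(printf '%s\n' "$ls_line" | awk '{print $1}')
    grp=$(printf '%s\n' "$ls_line" | awk '{print $4}')
    case "$mode" in
        ????r*) printf '%s\n' "$grp" ;;
        *)      printf -- '-\n' ;;
    esac
}

# Print the comma-separated non-root members of group $1 found in the
# group(5)-format text $2; prints nothing if the group is absent or empty.
group_members() {
    grp=$1
    groups=$2
    printf '%s\n' "$groups" | awk -F: -v g="$grp" '
        $1 == g {
            n = split($4, m, ",")
            out = ""
            for (i = 1; i <= n; i++)
                if (m[i] != "" && m[i] != "root")
                    out = out (out == "" ? "" : ",") m[i]
            print out
        }'
}

# Combine the two checks.  Prints "ALL" if the node is world-readable
# (8th character of the mode string), the non-root members of the owning
# group if it is group-readable, and nothing if only root can read it.
# Caveat: accounts whose *primary* gid is the group do not appear in the
# members field of group(5); check passwd(5) separately for those.
geomctl_exposed_users() {
    ls_line=$1
    groups=$2
    mode=$(printf '%s\n' "$ls_line" | awk '{print $1}')
    case "$mode" in
        ???????r*) printf 'ALL\n'; return 0 ;;
    esac
    grp=$(geomctl_read_group "$ls_line")
    if [ "$grp" = "-" ]; then
        return 0
    fi
    group_members "$grp" "$groups"
}

# On a live FreeBSD host the same function would be fed real data
# (assumption: run as root so /etc/group is readable in full):
#   geomctl_exposed_users "$(ls -l /dev/geom.ctl)" "$(cat /etc/group)"
# Demonstration against the constructed sample; prints "vince,backup":
geomctl_exposed_users "$SAMPLE_LS" "$SAMPLE_GROUP"
```

If the list is not empty, the hole the post describes is open for every account printed. One way to close it, stated here as an assumption rather than anything the post or the FreeBSD documentation prescribes, is a devfs(8) ruleset in /etc/devfs.rules (e.g. `add path 'geom.ctl' mode 0600` under a `[localrules=10]` heading, enabled with `devfs_system_ruleset="localrules"` in rc.conf); re-run the audit afterwards and confirm it prints nothing, and check that whatever the operator group legitimately runs still works with the node restricted to root.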