Re: gpart device permissions security hole (/dev/geom.ctl)

From: Vincent Stemen <vince.bsd_at_hightek.org>
Date: Thu, 22 Feb 2024 21:23:24 UTC
On Thu, Feb 22, 2024 at 01:12:23PM -0000, Peter 'PMc' Much wrote:
> On 2024-02-17, Vincent Stemen <vince.bsd@hightek.org> wrote:
> >
> > I have been a Unix systems administrator for well over 35 years and it's not
> > uncommon for administrators to belong to the operator group for restricted
> > admin tasks.  It is completely unexpected to discover the user can wipe out
> > the whole system.
> 
> Removing the number plate from your house doesn't destroy the house.
> It only might stop it from being accessed by people.

BTW, correction to my original statement.  The operator can only modify
unmounted partitions.  So any unmounted partitions or partitioned drives
on standby for failover, backups, etc., can have their partitions deleted
or changed, which will certainly stop access to the data on those
devices.

So stopping access to your data isn't much different than destroying it
if you can never find it again.  If you have a house somewhere in the
country, with no address, other than perhaps what state it is in (which
drive), have fun finding it.  So your analogy is a distinction without
a difference.  Not only that, if the partition table gets modified
without the sys-admin realizing it, and it gets written to, it most
certainly can destroy the data.

The way it is currently, there is apparently no way to grant individual
permissions to a user, through the operator or any other group, to
partition a thumb drive, for example, because permission to modify
partitions is controlled for all geom devices via the one /dev/geom.ctl
file.

We also discussed this issue more extensively in the forum.
https://forums.freebsd.org/threads/gpart-device-permissions-security-hole-dev-geom-ctl.92397/
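As an added audit check, not part of the thread above: since write access to the single /dev/geom.ctl node is what grants partition-editing rights, an administrator's first question is who can write that node. The script below parses an `ls -l` line for the node and the owning group's /etc/group entry and lists the users who get write access through the group bit. The sample `ls -l` line and group entry are constructed, the field positions assume standard `ls -l` output, and the `audit_geom_ctl` wrapper that reads the live system is an assumption about a FreeBSD-style /etc/group layout.

```shell
#!/bin/sh
# Added example (not from the thread): audit who can write a device node such
# as /dev/geom.ctl through its group permission bit, given the node's `ls -l`
# line and the owning group's /etc/group entry.

# Constructed sample inputs, not captured from a real system.
SAMPLE_LS='crw-rw----  1 root  operator  0x2a Feb 22 21:23 /dev/geom.ctl'
SAMPLE_LS_RO='crw-r-----  1 root  operator  0x2a Feb 22 21:23 /dev/geom.ctl'
SAMPLE_GROUP='operator:*:5:root,vince,backupadm'

# mode_group_writable MODE
#   Exit 0 when the group write bit (6th character of an ls-style mode string,
#   e.g. "crw-rw----") is set.
mode_group_writable() {
    case "$1" in
        ?????w*) return 0 ;;
        *)       return 1 ;;
    esac
}

# mode_world_writable MODE
#   Exit 0 when the other/world write bit (9th character) is set.
mode_world_writable() {
    case "$1" in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# writers_via_group LS_LINE GROUP_LINE
#   Print the comma-separated members of the node's owning group when that
#   group can write the node; exit 1 (printing nothing) otherwise.
#   Note: /etc/group only lists supplementary members; users whose primary
#   group is the owning group do not appear here.
writers_via_group() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    owning_group=$(printf '%s\n' "$1" | awk '{print $4}')
    group_name=$(printf '%s\n' "$2" | cut -d: -f1)
    members=$(printf '%s\n' "$2" | cut -d: -f4)
    [ "$owning_group" = "$group_name" ] || return 1
    mode_group_writable "$mode" || return 1
    printf '%s\n' "$members"
}

# audit_geom_ctl
#   Run the check against the live system (assumed FreeBSD-style /etc/group;
#   assumed `ls -l` prints mode in field 1 and group in field 4).
audit_geom_ctl() {
    node=/dev/geom.ctl
    [ -e "$node" ] || { echo "$node not present"; return 1; }
    ls_line=$(ls -l "$node")
    grp=$(printf '%s\n' "$ls_line" | awk '{print $4}')
    grp_line=$(grep "^$grp:" /etc/group)
    if mode_world_writable "$(printf '%s\n' "$ls_line" | awk '{print $1}')"; then
        echo "WARNING: $node is world-writable"
    fi
    if writers=$(writers_via_group "$ls_line" "$grp_line"); then
        echo "group '$grp' can write $node; members: $writers"
    else
        echo "group '$grp' cannot write $node"
    fi
}

# Demonstration on the constructed samples: prints the operator members who
# would be able to modify partition tables via /dev/geom.ctl.
writers_via_group "$SAMPLE_LS" "$SAMPLE_GROUP"
```

On a real host, call `audit_geom_ctl` instead of the demonstration line; the list it prints is the set of accounts whose membership in the owning group should be reviewed, which is the only lever the thread identifies for limiting who can edit partition tables.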