Re: ide-cd problems

From: Zinx Verituse
Date: Sat Jul 31 2004 - 16:05:46 EST

Next message: Benjamin Herrenschmidt: "Re: Solving suspend-level confusion"
Previous message: Erik Rigtorp: "problem with new swsusp"
In reply to: Jens Axboe: "Re: ide-cd problems"
Next in thread: Alexander E. Patrakov: "Re: ide-cd problems"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Jul 31, 2004 at 10:00:36PM +0200, Jens Axboe wrote:
> On Sat, Jul 31 2004, Zinx Verituse wrote:
> > On Sat, Jul 31, 2004 at 05:36:10PM +0200, Jens Axboe wrote:
> > > On Fri, Jul 30 2004, Zinx Verituse wrote:
> > > > I'm going to bump this topic a bit, since it's been a while..
> > > > There are still some issues with ide-cd's SG_IO, listed from
> > > > most important as percieved by me to least:
> > > >
> > > > * Read-only access grants you the ability to write/blank media in the drive
> > > > * (with above) You can open the device only in read-only mode.
> > >
> > > That's by design. Search linux-scsi or this list for why that is so.
> >
> > The only thing I can find on the linux-scsi list is refering to sg
> > devices, which are on a different device node from the non-generic
> > device. This means you can still allow users read access to the disk
> > without allowing them to send random commands to the disk -- this isn't
> > currently possible with the IDE interface, since the device with
> > generic access is the same as the one with the original read/cdrom
> > commands access.
> >
> > As it is, it's impossible grant users read-only access to an IDE cd-rom
> > without allowing them to do things like replacing the firmware with a
> > malicious/non-working one.
> >
> > Generic access allowing such things is fine; but only if we can grant
> > non-generic access without granting generic access.
>
> If you want it to work that way, you have the have a pass-through filter
> in the kernel knowing what commands are out there (including vendor
> specific ones). That's just too ugly and not really doable or
> maintainable, sorry.
>
> If you have access to issue ioctls to the device, you have access to
> send it arbitrary commands - period.

I don't believe command filtering is neccessary, since all of the
ide-cd ioctls are still there (ioctls that allow playing, reading, etc)
Only the SG_IO ioctl itself would have to be checked (i.e., not each
individual command available with SG_IO, just the overall ioctl itself,
categorizing all of SG_IO more or less as raw IO. If this isn't doable
with the current design, then the ide-cd interface should at least be
very conspicuously documented as being extremely insecure as far as
"read" access is concerned, as I know I wouldn't expect users to be able
to overwrite my drive's firmware simply by granting the read access.

--
Zinx Verituse http://zinx.xmms.org/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Benjamin Herrenschmidt: "Re: Solving suspend-level confusion"
Previous message: Erik Rigtorp: "problem with new swsusp"
In reply to: Jens Axboe: "Re: ide-cd problems"
Next in thread: Alexander E. Patrakov: "Re: ide-cd problems"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]