Debian Bug report logs -
#294968
udev: security implications of /.dev
Reported by: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Sat, 12 Feb 2005 19:03:04 UTC
Severity: normal
Found in version 0.051-1
Fixed in version udev/0.054-3
Done: Marco d'Itri <md@linux.it>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#294968; Package udev.
Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
New Bug report received and forwarded. Copy sent to Marco d'Itri <md@linux.it>.
Message #5 received at submit@bugs.debian.org:
Package: udev
Version: 0.051-1
Severity: normal
Udev mounts the legacy /dev on /.udev optionally. So far so good. It is a
very handy thing when you need to make sure something will be there before
udev starts.
OTOH, if one does not remember to keep it updated re. permissions, it is a
security liability.
Please move the mount point to inside a root-owned, 700 directory. For
example, creating /.udev mode 700, then creating boottime-dev inside it as
the mountpoint for the bind mount.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (990, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-debian5+libata9dev1+bluesmoke
Locale: LANG=pt_BR.ISO-8859-1, LC_CTYPE=pt_BR.ISO-8859-1 (charmap=ISO-8859-1)
Versions of packages udev depends on:
ii hotplug 0.0.20040329-16 Linux Hotplug Scripts
ii initscripts 2.86.ds1-1 Standard scripts needed for bootin
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii makedev 2.3.1-76 creates device files in /dev
ii sed 4.1.4-2 The GNU sed stream editor
-- debconf information excluded
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
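The effect of the 700 parent directory proposed in the report above, as an added example that is not part of the original message or of the udev package. It assumes GNU `stat`; the function names are hypothetical, regular files stand in for device nodes, and only the "other" permission bits are checked.

```shell
#!/bin/sh
# Added example. Regular files stand in for device nodes (mknod needs root).
# Only the "other" permission bits are examined; group bits and ACLs are not.

# other_bits PATH: print the last octal digit of PATH's mode (GNU stat).
other_bits() {
    mode=$(stat -c %a "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"
}

# reachable_by_other ROOT NODE: 0 if NODE grants o+r or o+w and every
# directory from NODE's parent up to ROOT grants o+x, 1 if shielded.
reachable_by_other() {
    root=$1
    node=$2
    bits=$(other_bits "$node") || return 2
    [ $((bits & 6)) -ne 0 ] || return 1
    dir=$(dirname "$node")
    while :; do
        bits=$(other_bits "$dir") || return 2
        [ $((bits & 1)) -ne 0 ] || return 1   # no o+x: traversal stops here
        if [ "$dir" = "$root" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    return 0
}

# audit_tree ROOT: list non-directory entries under ROOT exposed to "other".
audit_tree() {
    find "$1" ! -type d ! -type l | while IFS= read -r n; do
        if reachable_by_other "$1" "$n"; then printf '%s\n' "$n"; fi
    done
}

# make_sample DIR: build both layouts with a constructed, stale 666 node.
make_sample() {
    mkdir -p "$1/flat/.dev" "$1/nested/.udev/boottime-dev"
    : > "$1/flat/.dev/hda"
    : > "$1/nested/.udev/boottime-dev/hda"
    chmod 666 "$1/flat/.dev/hda" "$1/nested/.udev/boottime-dev/hda"
    chmod 755 "$1/flat" "$1/flat/.dev" "$1/nested" "$1/nested/.udev/boottime-dev"
    chmod 700 "$1/nested/.udev"
}
```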
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#294968; Package udev.
Acknowledgement sent to md@Linux.IT (Marco d'Itri):
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
Message #10 received at 294968@bugs.debian.org:
On Feb 12, Henrique de Moraes Holschuh <hmh@debian.org> wrote:
> OTOH, if one does not remember to keep it updated re. permissions, it is a
> security liability.
Good point. But moving /.dev/ needs to be coordinated with other
packages, so it cannot happen right now.
--
ciao,
Marco
Tags added: pending
Request was from Marco d'Itri <md@linux.it>
to control@bugs.debian.org.
Reply sent to Marco d'Itri <md@linux.it>:
You have taken responsibility.
Notification sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Bug acknowledged by developer.
Message #17 received at 294968-close@bugs.debian.org:
Source: udev
Source-Version: 0.054-3
We believe that the bug you reported is fixed in the latest version of
udev, which is due to be installed in the Debian FTP archive:
udev_0.054-3.diff.gz
to pool/main/u/udev/udev_0.054-3.diff.gz
udev_0.054-3.dsc
to pool/main/u/udev/udev_0.054-3.dsc
udev_0.054-3_i386.deb
to pool/main/u/udev/udev_0.054-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 294968@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marco d'Itri <md@linux.it> (supplier of updated udev package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 15 Mar 2005 11:55:38 +0100
Source: udev
Binary: udev udev-udeb
Architecture: source i386
Version: 0.054-3
Distribution: unstable
Urgency: high
Maintainer: Marco d'Itri <md@linux.it>
Changed-By: Marco d'Itri <md@linux.it>
Description:
udev - /dev/ management daemon
Closes: 294968 298192
Changes:
udev (0.054-3) unstable; urgency=high
.
* Do not use udevsend as the hotplug multiplexer on kernels < 2.6.10
because they generate out of order hotplug events.
* Use /dev/.static/dev/ instead of /.dev/ to keep the root clean and
to not leave around devices with possibly insecure permissions.
This requires raising the versioned dependency on makedev to 2.3.1-77.
(Closes: #294968)
* Added upstream patch udev-segfault-DRIVER.patch to fix a segfault when
matching a non-initialized DRIVER. (Closes: #298192)
* devfs.rules, udev.rules: added the AOE character devices.
Files:
702746f06a0f30609e0c1d1eb3e8c9ef 561 admin extra udev_0.054-3.dsc
c93d4a5f9a5c200663203ec60521188f 27889 admin extra udev_0.054-3.diff.gz
ec707811a1cb1cff7a3488cc1c9cfdfd 221342 admin extra udev_0.054-3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCNsEzFGfw2OHuP7ERAlsTAJ9DHutt+5wc11N1Ka1NStXHGU1KTgCfQ0fi
3tqvmcigQOgvN9BpBGu/xSU=
=nYO5
-----END PGP SIGNATURE-----
Last modified: Tue Aug 14 22:49:35 2018