Bug#788662: Logged-in user no longer granted permission to removable disks

Mon May 27 00:28:27 BST 2024

Control: tags -1 wontfix
Control: close -1

On Mon, 18 Jan 2021 14:45:17 -0800 Josh Triplett
<josh at joshtriplett.org> wrote:
> On Thu, Jan 14, 2021 at 03:13:31PM +0100, Michael Biebl wrote:
> > Hi Josh
> > 
> > Am 15.06.15 um 17:56 schrieb Josh Triplett:
> > > On Mon, Jun 15, 2015 at 12:36:45PM +0200, Michael Biebl wrote:
> > > > Am 15.06.2015 um 07:34 schrieb Martin Pitt:
> > > > > Hey Josh,
> > > > > 
> > > > > Josh Triplett [2015-06-13 16:23 -0700]:
> > > > > > I plugged in a removable USB disk, and its devices showed
up as root:disk 0660,
> > > > > > with no ACLs.  Normally, I'd expect removable USB disks to
grant
> > > > > > read/write permission to the logged-in user.
> > > > > > ~$ ls -l /dev/sdb*
> > > > > > brw-rw---- 1 root disk 8, 16 Jun 13 16:17 /dev/sdb
> > > > > > brw-rw---- 1 root disk 8, 17 Jun 13 16:17 /dev/sdb1
> > > > > 
> > > > > That's expected. As Michael already said, we never explicitly
granted
> > > > > user access to device nodes. Maybe in the past some devices
got that
> > > > > through specific group membership, or you had some custom
udev rules
> > > > > to do that; but throughout the history of pmount, hal,
consolekit,
> > > > > udev etc. in Debian the device nodes themselves weren't user
> > > > > accessible in general. The main exception there that I
remember is
> > > > > Fedora's/Red Hat's ancient console_helper (or something
similar) which
> > > > > actually changed the device nodes themselves. But that was
some decade
> > > > > ago already..
> > > > 
> > > > I checked wheezy, and it had the following rules:
> > > > 91-permissions: SUBSYSTEM=="block", ATTRS{removable}=="1",
GROUP="floppy"
> > > > 91-permissions: SUBSYSTEM=="block",
SUBSYSTEMS=="usb|ieee1394|mmc|pcmcia", GROUP="floppy"
> > > > 
> > > > See also
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751892
> > > > 
> > > > Maybe we should merge those two bug reports?
> > > 
> > > Merging them seems fine, but I do think this functionality from
wheezy
> > > should be restored.  Not using the "floppy" group or any static
group,
> > > but using the uaccess mechanism.
> > > 
> > > Either that, or there should be a NEWS.Debian entry somewhere
> > > documenting that direct device access by users was removed and
won't
> > > come back for security reasons.  But I don't see an obvious
reason why
> > > removable USB disk devices should not be accessible to users.
> > 
> > I'm looking at older bug reports and I'm wondering what to do about
this
> > one. I guess the time for a NEWS entry has passed.
> > Regarding granting access to "removable" media write access via
uaccess, I'm
> > not strictly against that, I just would prefer this to happen and
be
> > implemented upstream. One problematic issue I can imagine is that
it's not
> > trivial to reliably determine whether a disk is really removable or
not.
> > That said, if you are still interested, would you mind filing an
upstream
> > bug report at https://github.com/systemd/systemd/issues.
> 
> Filed upstream as https://github.com/systemd/systemd/issues/18304 .
> 
> Thank you again for all your work on systemd and udev, including
triage!

As mentioned in the bug report, giving unrestricted access to block
devices to unprivileged users is really not safe on Linux, so this is
not going to happen by default. udev rules can be configured locally
just as well, so one can do that on their own machine if these security
issues are not a problem.

-- 
Kind regards,
Luca Boccassi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20240527/90f7f4ad/attachment-0001.sig>