SCSI command filtering
It is almost certainly true that no user ever destroyed a CD drive with a 2.6.8 system. In fact, very few of them even wrote discs; the filtering at that stage was so severe that unprivileged users could not do anything useful at all. Subsequent updates made things better, however, and by about 2.6.10 burning worked again for most users.
Not for all users, however. As Dave Jones recently noted on the linux-scsi list, the command filtering still trips up some Plextor drives. The cdrecord utility tries to send vendor-specific commands to those drives, but the kernel filters them out. Everything then comes to a halt, and the user must retry the operation as root to get the job done. Dave asked: might it be a good idea to add a per-vendor exceptions capability to the filtering code?
The response which came back from a couple of block subsystem developers was that the command filtering should simply be taken out altogether. Evidently this topic had been discussed at the recent storage summit, and the participants had agreed that this feature should be removed. James Bottomley put it this way:
So I think ripping the table out and acknowledging we have no security is better than giving the illusion of having it.
There are a number of complaints about the filtering code. It is a way of encoding policy in the kernel, which is generally frowned upon - even though the policy, in this case, is really an attempt to enforce a difference between access to a disc within a drive and access to the drive itself. The command list will never be entirely correct; it seems that some drives must receive the appropriate, vendor-specific incantations or they will refuse to write discs. Some commands mean different things to different types of devices; what's safe for a CD burner might be a destructive operation on a different SCSI-like device. It also doesn't help that there are, in fact, two different SCSI command filters in the kernel (one in drivers/scsi/sg.c, the other in block/scsi_ioctl.c) which implement different policies. For all of these reasons, attendees at the storage summit apparently agreed to take the filtering out.
There's just one little problem with this plan: Linus feels differently about filtering:
This statement would appear to be pretty damn final. That does not mean that the situation cannot be improved, however. The leading idea at the moment would appear to be to allow a privileged user to make changes to the command filter table. Distributions could then ship tools which detect problematic devices and modify the filtering tables accordingly; the whole thing could be transparently integrated with the hotplug functionality. Jens Axboe has a patch (originally from Peter Jones) which turns the filter list into a per-device object, tweakable through sysfs, so each device could have its own set of exceptions.
Just how this interface works may yet require some discussion to nail
down. But the configurable, per-device filter looks like the way forward.
It retains the filtering of dangerous commands while moving the policy
decisions to user space. Once the policy can be changed, distributors can
do the work to ensure that specific devices are well supported, or, if they
prefer, simply mark all commands as "allowed" and, for all practical
purposes, remove the filter altogether.
| Index entries for this article | |
|---|---|
| Kernel | CD recording |
| Kernel | SCSI/Command filtering |
| Kernel | Security/SCSI command filtering |
Posted Aug 3, 2006 11:02 UTC (Thu)
by NRArnot (subscriber, #3033)
[Link] (2 responses)
The kernel should definitely offer the hooks for SCSI command filtering, so that an unprivileged user can't fry the hardware. It's really no different to stopping him from oopsing the OS or corrupting the filestore. However, the details of the filtering for each model of drive need not be the responsibility of the kernel maintainers, when they can be tweaked via a system startup script. Let ZZZ, or someone who maintains ZZZ burners, supply the necessary definitions for a ZZZ-1234 drive, if the defaults are unsafe or over-restrictive. There's an analogy with netfilter here. Who would argue for the removal of netfilter, even though its default state is to do nothing?
Posted Aug 3, 2006 14:47 UTC (Thu)
by pjones (subscriber, #31722)
[Link]
It really is per-device. Each device's version of the SCSI command set has some variation, and on some you need to do things which on others you do not. The filter needs to be modifiable accordingly.
Posted Aug 3, 2006 20:17 UTC (Thu)
by wilck (guest, #29844)
[Link]
Well... what do you do if you can't figure out how to burn CDs as ordinary user? I, for one, do it as root. Or install cdrecord suid root. My guess is that most people would do it that way. Just bypass the SCSI command filter. You know that it's bad, but being unable to burn is even worse. That's the kind of thing people do if overly repressive security measures get in their way.
If you have a large server with lots of users you can't trust, it'd be a good idea to disable write access to the CD drive for ordinary users altogether.
Or restrict writing to those users you can trust. Or use a security framework such as SELinux to allow only some trusted applications (such as cdrecord) to write to the device.
I really see no need for a kernel-based filter. If CD burning is really the only real world application in which non-priviledged users need to send special SCSI commands, as the joey's comment suggests, moving the cdrecord functionality into a kernel driver seems more approriate than filtering arbitrary commands.
Posted Aug 3, 2006 11:05 UTC (Thu)
by rwmj (subscriber, #5474)
[Link] (2 responses)
Sounds like Linus is right ...
Rich.
Posted Aug 3, 2006 13:38 UTC (Thu)
by abatters (✭ supporter ✭, #6932)
[Link] (1 responses)
Not really. SCSI devices are connected through HBAs (i.e. SCSI cards); the HBA has DMA access but the SCSI device itself does not. Rewriting the firmware of the SCSI device wouldn't grant arbirtary access to system memory; you would have to alter the firmware on the HBA or change the HBA driver to do that.
Posted Aug 6, 2006 9:27 UTC (Sun)
by addw (guest, #1771)
[Link]
Would not be easy to do this, but ....
Posted Aug 3, 2006 18:54 UTC (Thu)
by joey (guest, #328)
[Link]
cat foo.iso >/dev/cd_burn
Seems to me that device drivers exist to avoid exactly this kind of problem..
Posted Aug 3, 2006 20:38 UTC (Thu)
by ddaa (guest, #5338)
[Link] (2 responses)
That was probably the first time that our editor's famous deadpan humour actually made me laugh out loud and prevented me from reading on the article for a little while.
Thank you.
Posted Aug 3, 2006 22:47 UTC (Thu)
by roelofs (guest, #2599)
[Link] (1 responses)
Yes, the distinction between "music tracks" and "RMS-singing tracks" was elegant and pithy.
Greg
Posted Aug 3, 2006 23:31 UTC (Thu)
by sbergman27 (guest, #10767)
[Link]
http://www.gnu.org/music/free-software-song.ogg
I wonder how Barbra Streisand would have sung that?
Posted Aug 14, 2006 15:00 UTC (Mon)
by cortana (subscriber, #24596)
[Link]
Linus is right, as usual.SCSI command filtering
Its default state isn't to do nothing. By default, for example, you can't do MODE SELECT as a normal user. The reasoning seems good at face value; you can use it to e.g. set hard drive passwords. But for some devices, you have to be able to do that. Some CD drives, for example, can't be used to rip CDs without first issuing a MODE SELECT. So it's not as black and white as one would hope. Sometimes you don't want a user to be able to do something, and sometimes they have to be able to do it.SCSI command filtering
Linus is right, as usual.
They do it as root
Presumably if you can rewrite the firmware, then with a bit of effort you can create some firmware which will use DMA to overwrite arbitrary sections of memory - in other words, all your security has just gone out the window on any machine with local users and an attached CD/DVD drive.SCSI command filtering
> Presumably if you can rewrite the firmware, then with a bit of effort you can create some firmware which will use DMA to overwrite arbitrary sections of memorySCSI command filtering
But the modified firmware could return something different on a read than what is on the CD, so when the sysadmin thinks that he is loading some new program he is actually loading something else.SCSI command filtering
IANAKH, but doesn't this show that there is something fundamentally wrong with needing a userspace program that knows about different drive hardware, the scsi commands each needs etc and sends raw commands to the hardware? Why arn't they considering an abstraction layer? Fer instance:isn't something wrong with cdrecord then?
> Some of those commands could lead the drive to rewrite its firmware, catch fire, or replace music tracks with recordings of Richard Stallman singing.SCSI command filtering
That was probably the first time that our editor's famous deadpan humour actually made me laugh out loud and prevented me from reading on the article for a little while.
SCSI command filtering
In case anyone missed it:SCSI command filtering
So, I haven't been able to use cdrecord as a non-root user since 2.6.8.1 was released. I assumed that this was intended, and that everyone changed to running cdrecord as root. Is this not the case? Should I instead file a bug against the SCSI command filtering?SCSI command filtering