dd+user=trouble

[graudeejs]

For some reason, i just realized something ODD.
As i see it's major security risk, unless you use disk encryption, or disable this little thing...

It occurred to me, that regular user can use dd. This can be done physically/remotely if user has accoun/or can log on with ssh

By default FreeBSD allows any user to use dd.
User can copy disk, and save it to custom medium/net or whatever....
Later he can go home, and using his own version of FreeBSD mount image.... and now as root.
He will have access to everything..... therefore if / is unencrypted, he can try to brute gess passwords.....

Solution is simple:
a) Only allow dd to root/wheel
b) encrypt everything
c) make sure user can't access /dev



OK, someone might know this, but for me [i use freebsd at home], this was shock....

Anyone got comments?


P.S. and i was fallowing
http://www.bsdguides.org/guides/free...ity/harden.php
to harden my system



EDIT: i didn't do much testing, it's late, i will do more tomorrow....
just realized, that i'm not sure if ordinary user can read /dev/....
worked for me, cause i'm wheel
And sorry if this is just false alarm



EDIT2: coundn't sleep.... it's all good, /dev/... can't be read by user....
Admin, plz delete this, i can't

[TerryP]

An example from an OpenBSD 4.3 machine:

Code:

Terry@vectra-$ dd if=/dev/wd0d of=~/image bs=512
dd: /dev/wd0d: Permission denied
Terry@vectra-$

I would test on FreeBSD, but I'm not using that system atm.


Simple fact:

If they can gain access to the machine, they can probably steal your data -- who needs to use your systems dd, when they can use a live cd, external usb drive, and go to town with their own tools. You should also always think twice, what you allow people without uid 0 (root) to read.

[BSDfan666]

You can't entirely prevent a user from accessing /dev, it's an integral part of a Unix-like system... the users allocated pty/tty(4) device for example.

Access to raw devices is restricted via, permissions.. and of coarse, the securelevel(7).

The text of the page differs between the BSD derivatives, but the gist of it is a securelevel >= 1 disallows write access to raw devices.. or at least mounted raw devices under OpenBSD.

Besides that, the default file permissions on such devices are set to decent values.. for example:

Code:

 $ ls -lh /dev/rwd0? 
crw-r-----  1 root  operator    3,   0 Aug  3 19:08 /dev/rwd0a
crw-r-----  1 root  operator    3,   1 Aug  3 19:08 /dev/rwd0b
crw-r-----  1 root  operator    3,   2 Aug  3 19:08 /dev/rwd0c
crw-r-----  1 root  operator    3,   3 Aug  3 19:08 /dev/rwd0d
crw-r-----  1 root  operator    3,   4 Aug  3 19:08 /dev/rwd0e
crw-r-----  1 root  operator    3,   5 Aug  3 19:08 /dev/rwd0f
crw-r-----  1 root  operator    3,   6 Aug  3 19:08 /dev/rwd0g
crw-r-----  1 root  operator    3,   7 Aug  7 21:24 /dev/rwd0h
crw-r-----  1 root  operator    3,   8 Aug  3 19:08 /dev/rwd0i
crw-r-----  1 root  operator    3,   9 Aug  3 19:08 /dev/rwd0j
crw-r-----  1 root  operator    3,  10 Aug  3 19:08 /dev/rwd0k
crw-r-----  1 root  operator    3,  11 Aug  3 19:08 /dev/rwd0l
crw-r-----  1 root  operator    3,  12 Aug  3 19:08 /dev/rwd0m
crw-r-----  1 root  operator    3,  13 Aug  3 19:08 /dev/rwd0n
crw-r-----  1 root  operator    3,  14 Aug  3 19:08 /dev/rwd0o
crw-r-----  1 root  operator    3,  15 Aug  3 19:08 /dev/rwd0p

This means only root has write access, members of the operator group have read access.. all other users are disallowed.

I'm sure FreeBSD has similar permission settings..

[phoenix]

By default, on FreeBSD, only root and user in the operator group can read raw disk devices (/dev/ad*, /dev/da*, etc). Hence "normal" users (those not in the operator group) cannot use dd to clone your harddrive.

[graudeejs]

ye, sorry, i was half sleep, when this stupid idea came to my mind

i feel noobish