SunSHIELD Basic Security Module Guide

5 Device Allocation

The TCSEC's object reuse requirement for computing systems at C2 level and above is fulfilled by the device allocation mechanism. This chapter describes what the administrator needs to know about managing devices.
If the defaults are not appropriate for your site's security policy, the administrator must decide whether any devices should be allocatable and, if so, which ones.

Risks Associated with Device Use

For one example of the security risks associated with the use of various I/O devices, consider how cartridge devices are typically used. Often several users share a single tape drive, which may be located in an office or lab away from where an individual user's own machine is located. This means that, after he or she loads a tape into the tape drive, some length of time may elapse before the user can return to the machine to invoke the command that reads or writes data to or from the tape. Then another time lapse occurs before the user is able to return and take the tape out of the drive. Because tape devices are typically accessible to all users, during the time when the tape is unattended an unauthorized user could access or overwrite data on the tape.
The device allocation mechanism makes it possible to assign certain devices to one user at a time, so that the device can only be accessed by that user while it is assigned to that user's name.
The device allocation mechanism ensures the following for tape devices and provides related security services for other allocatable devices:
  • Prevents simultaneous access to a device.
  • Prevents a user from reading a tape just written to by another user before the first user has removed the tape from the tape drive.
  • Prevents a user from gleaning any information from the device's or the driver's internal storage after another user is done with the device.

Components of the Device Allocation Mechanism

The components of the allocation mechanism that you must understand in order to manage device allocation are:
How any user invokes the allocate(1M), deallocate(1M), dminfo(1M) and list_devices(1M) commands is described in the section on using allocate. All of the options and other descriptions are defined in the man pages.
The device_allocate(4) file, the device_maps(4) file, and the lock files are specific to each machine. The configuration files are not administered as NIS databases because tape drives, floppy drives, and printers are all connected to specific machines.

Using the Device Allocation Utilities

This section describes what the administrator can do with the options to allocate, deallocate, and list_devices that are usable only by root. The commands are detailed on their respective man pages.

allocate(1M)

-F device_special_filename Reallocates the specified device. This option is often used with the -U option to reallocate the specified device to the specified user. Without the -U option, the device is allocated to root.
-U username Causes the device to be allocated to the user specified rather than to the current user. This option allows you to allocate a device for another user while you are root, without having to assume that user's identity.

deallocate(1M)

-F device_special_filename Devices that a user has allocated are not automatically deallocated when the process terminates or when the user logs out. When a user forgets to deallocate a tape drive, you can force deallocation using the -F option while you are root.
-I Forces deallocation of all allocatable devices. This option should only be used at system initialization.

list_devices(1M)

The administrator can run the list_devices command to get a listing of all the device special files that are associated with any device listed in the device_maps file.
-U username List the devices that are allocatable or allocated to the user ID associated with the specified username. This allows you to check which devices are allocatable or allocated to another user while you are root.

The Allocate Error State

The allocate error state is mentioned in the man pages for the allocate components. An allocatable device is in the allocate error state if it is owned by user bin and group bin with a device special file mode of 0100. If a user wishes to allocate a device that is in the allocate error state, the administrator should try to force the deallocation of the device, using the deallocate command with the -F option, or use allocate -U to assign it to the user, then investigate any error messages that display. When the problems with the device are corrected, the administrator must rerun the deallocate -F or allocate -F commands to clear the allocate error state from the device.

The device_maps File

You can look at the device_maps(4) file to find out device names, device types, and the device special files that are associated with each allocatable device. Device maps are created by the system administrator when setting up device allocation. A rudimentary device_maps(4) file is created by bsmconv(1M) when the BSM is enabled. This initial map file should be used only as a starting point. The system administrator is expected to augment and customize device_maps(4) for the individual site.
This file defines the device-special file mappings for each device, which in many cases is not intuitive. This file allows various programs to discover which device special files map to which devices. You can use the dminfo(1M) command, for example, to get the device name, the device type and the device special files to specify when setting up an allocatable device; dminfo(1M) uses the device_maps(4) file.
Each device is represented by a one line entry of the form:
device-name : device-type : device-list
Lines in device_maps(4) can end with a '\' to continue an entry on the next line. Comments may also be included. A '#' makes a comment of all further text until the next NEWLINE not immediately preceded by a '\'.
Leading and trailing blanks are allowed in any of the fields.
device-name
The name of the device, for example st0, fd0, or audio. The device name specified here must correspond to the name of the lock-file used in the /etc/security/dev directory.
device-type
The generic device type (the name for the class of devices, such as st, fd, audio). The device-type logically groups related devices.
device-list
A list of the device special files associated with the physical device. The device-list must contain ALL of the special files that allow access to a particular device. If the list is incomplete, a malevolent user may still be able to obtain or modify private information. Also note that as in the example below, either the real device files located under /devices or the symbolic links in /dev, provided for binary compatibility, are valid entries for the device-list field.
For an example of entries for SCSI tape st0 and floppy disk fd0 in a device_maps file, see the following screen.

  fd0:\  
          fd:\  
          /dev/fd0 /dev/fd0a /dev/fd0b /dev/fd0c /dev/rfd0 /dev/rfd0a /dev/rfd0b /dev/rfd0c:\  
                      .  
                      .  
                      .  
  st0:\  
          st:\  
       /dev/rst0 /dev/rst8 /dev/rst16 /dev/rst24 /dev/nrst0 /dev/nrst8 /dev/nrst16 /dev/nrst24:\  

The device_allocate File

The administrator may modify the device_allocate file to change devices from allocatable to non-allocatable, or to add new devices. Figure 5-1 shows a sample device_allocate file.

  st0;st;;;;/etc/security/lib/st_clean  
  fd0;fd;;;;/etc/security/lib/fd_clean  
  sr0;sr;;;;/etc/security/lib/sr_clean  
  audio;audio;;;*;/etc/security/lib/audio_clean  

Figure 5-1 Sample device_allocate File
The administrator defines which devices should be allocatable during initial configuration of the Basic Security Module. You may decide to accept the default devices and their defined characteristics, as shown in Figure 5-1. Whenever you add a device to any machine after the system is up and running, you must decide whether to make the new device allocatable.
The entries for devices in the device_allocate file may be modified by the administrator after installation. Any device that needs to be allocated before use must be defined in the device_allocate file on each machine. Currently cartridge tape drives, floppy disk drives, CD-ROM devices, and audio chips are considered allocatable and have device clean scripts.

Note - If you add an Xylogics tape drive or an Archive tape drive, they can also use the st_clean script supplied for SCSI devices. Other devices that you could make allocatable are modems, terminals, graphics tablets and the like, but you need to create your own device clean scripts for such devices, and the script must fulfill object reuse requirements for that type of device.

An entry in the device_allocate file does not mean the device is allocatable, unless the entry specifically states the device is allocatable. Notice in Figure 5-1 an asterisk in the fifth field of the audio device entry. An asterisk in the fifth field indicates to the system that the device is not allocatable, that is, the system administrator does not require a user to allocate the device before it is used nor to deallocate it afterwards. Any other string placed in this field indicates that the device is allocatable.
In the device_allocate file, represent each device by a one line entry of the form:

  device-name; device-type ; reserved ; reserved ; alloc ; device-clean  

For example, the following line shows the entry for device name st0:

  st0;st;;;;/etc/security/lib/st_clean  

Lines in device_allocate(4) can end with a '\' to continue an entry on the next line. Comments may also be included. A '#' makes a comment of all further text until the next NEWLINE not immediately preceded by a '\'. Leading and trailing blanks are allowed in any of the fields.
The following paragraphs describe each field in the device_allocate file in detail.
device-name
Specify the name of the device, for example st0, fd0, or sr0. When making a new allocatable device, look up the device-name from the device-name field in the device_maps file, or use the dminfo(1M) command. (The name is also the DAC file name for the device.)
device-type
Specify the generic device type (the name for the class of devices, such as st, fd, and sr). This field groups related devices. When making a new allocatable device, look up the device-type from the device-type field in the device_maps file, or use the dminfo(1M) command.
reserved
These fields are reserved for future use.
alloc
Specify whether or not the device is allocatable. An asterisk in this field indicates that the device is NOT allocatable. Any other string, or an empty field, indicates that the device IS allocatable.
device-clean
Supply the pathname of a program to be invoked for special handling, such as cleanup and object reuse protection during the allocation process. The device clean program is run any time the device is acted on by deallocate(1M), such as when a device is forcibly deallocated with deallocate -F.

Device Clean Scripts

The device clean scripts address the security requirement that all usable data is purged from a physical device before reuse. By default, cartridge tape drives, floppy disk drives, CD-ROM devices, and audio devices require device clean scripts, which are provided. This section describes what the device clean scripts do.

Object Reuse

Device allocation satisfies part of the object reuse requirement. The device clean scripts make sure that data left on a device by one user is cleared before the device is allocatable by another user.

Device Clean Script for Tapes

The three supported tape devices and the device_clean script for each are shown in Table 5-1.
Table 5-1

  Tape Device Type          Device Clean Script
  SCSI 1/4 inch tape        st_clean(1)
  Archive 1/4 inch tape     st_clean(1)
  Open reel 1/2 inch tape   st_clean(1)

The script uses the rewoffl option to mt(1) to effect the device clean-up. If the script runs during system boot, it queries the device to see if the device is on line and has media in it.
1/4 inch tape devices that have media remaining are placed in the allocate error state to force the administrator to manually clean up the device.
During the normal system operation, when allocate or deallocate is executed in the interactive mode, the user is prompted to remove the media from the device being deallocated. The script pauses until the media is removed from the device.

Device Clean Scripts for Floppy Disks and CD-ROM

The device_clean scripts for the floppy disk drives and CD-ROM devices are shown in Table 5-2.
Table 5-2

  Disk Device Type   Device Clean Script
  floppy             fd_clean(1)
  CD-ROM             sr_clean(1)

The scripts use the eject(1) command to remove the media from the drive. If eject(1) fails, the device is placed in the allocate error state.

Device Clean Script for Audio

The audio device is cleaned up with the audio_clean script. The script performs an AUDIO_DRAIN ioctl system call to flush the device, and then an AUDIO_SETINFO ioctl system call to reset the device configuration to default. In addition, the script retrieves the audio chip registers using the AUDIOGETREG ioctl system call. Any registers deviating from default are reset using the AUDIOSETREG ioctl system call.

Writing New Device Clean Scripts

If you add more allocatable devices to the system, you might need to create your own device clean scripts. The deallocate command passes a parameter to the device clean scripts. The parameter, shown here, is a string that contains the device-name (see the device_allocate(4) man page):

  st_clean -[I|F|S] device_name  

Device clean scripts must return 0 for success, and greater than 0 for failure. The option letters -I, -F, and -S help the script determine its running mode.
-I is needed during system boot only. All output must go to the system console. Failure or inability to forcibly eject the media must put the device in the allocate error state.
-F is for forced clean up. This option is interactive and assumes that the user is there to respond to prompts. A script with this option must attempt to complete the clean up if one part of the clean up fails.
-S is for standard clean up. This option is interactive and assumes that the user is there to respond to prompts.
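The following skeleton is an added example, not one of the clean scripts shipped with BSM; it follows the contract just described (the -I, -F and -S modes, exit status 0 for success and greater than 0 for failure, console output and the allocate error state at boot). The hook names flush_device, eject_media and mark_error_state, and the CONSOLE and DEVICES variables, are assumptions a site fills in for its own device.

```shell
#!/bin/sh
# Added example, not one of the clean scripts shipped with BSM: a skeleton that
# follows the device clean contract. deallocate invokes it as
#     xx_clean -[I|F|S] device_name
# and expects exit status 0 on success, greater than 0 on failure.
# The device-specific actions are hooks (assumed names) that a site replaces
# with eject(1), mt(1) rewoffl, an ioctl helper, and so on; keeping them
# separate also lets the mode logic be exercised with stubs.

CONSOLE=${CONSOLE:-/dev/console}   # -I output must go to the system console
DEVICES=${DEVICES:-}               # the device's special files, e.g. from dminfo(1M)

flush_device() { return 0; }       # hook: reset the device's internal state
eject_media()  { eject "$1"; }     # hook: remove the media from device $1

# Hook: allocate error state as the guide defines it, owner bin, group bin,
# mode 0100 on every special file of the device.
mark_error_state() {
    for f in $DEVICES; do
        chown bin "$f" && chgrp bin "$f" && chmod 0100 "$f" || return 1
    done
}

# Map the -I/-F/-S option to a mode name; fails on anything else.
clean_mode() {
    case "$1" in
        -I) echo init ;;
        -F) echo force ;;
        -S) echo standard ;;
        *)  return 1 ;;
    esac
}

# Interactive modes assume a user is present: prompt until the media is out.
prompt_eject() {
    until eject_media "$1"; do
        printf 'Remove the media from %s and press Return (q to give up): ' "$1"
        read -r ans || return 1      # EOF: nobody is there after all
        [ "$ans" = q ] && return 1
    done
    return 0
}

# clean_device MODE DEVICE
clean_device() {
    mode=$1; dev=$2
    case "$mode" in
        init)
            # Boot time: nobody to prompt; media that cannot be ejected puts
            # the device into the allocate error state for the administrator.
            { flush_device "$dev" && eject_media "$dev"; } >"$CONSOLE" 2>&1 && return 0
            echo "$0: cannot eject $dev, placing it in the allocate error state" >"$CONSOLE"
            mark_error_state "$dev"
            return 2 ;;
        force)
            # Forced clean-up: attempt every step even if an earlier one failed.
            rc=0
            flush_device "$dev" || rc=3
            prompt_eject "$dev" || rc=4
            return $rc ;;
        standard)
            # Standard clean-up: stop at the first failing step.
            flush_device "$dev" && prompt_eject "$dev" ;;
        *)  return 1 ;;
    esac
}

run_clean() {
    mode=$(clean_mode "$1") || { echo "usage: $0 -[I|F|S] device_name" >&2; return 1; }
    clean_device "$mode" "$2"
}

# deallocate always passes arguments; with none, only the functions are defined.
if [ $# -gt 0 ]; then run_clean "$@"; exit $?; fi
```

Install such a script under /etc/security/lib and name it in the device-clean field of the device's device_allocate entry.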

Setting Up Lock Files

The lock files are zero-length files created in /etc/security/dev, one for each allocatable device.
If no lock file exists for an allocatable device, the device cannot be allocated, and no one can access the device.

· To set up lock files for a device to be made allocatable

  1. Use the dminfo(1M) command to get the device name for the device from its entry in the device_maps file.

    See "The device_maps File" on page 62 and the dminfo(1M) and device_maps(4) man pages. For example, the device name for device type "st" is "st0." Use the device name as the name of the lock file.

  2. Use the touch(1) command to create an empty lock file for the device, using the device name.


  untouchable# cd /etc/security/dev  
  untouchable# touch device_name  
  untouchable# chmod 600 device_name  
  untouchable# chown bin device_name  
  untouchable# chgrp bin device_name  
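The audit below is an added example, not part of the guide, that ties together the device_maps format, the device_allocate format and the lock-file requirement from the preceding sections: it normalises both files (continuation lines, comments, blanks around fields), reports for each device_allocate entry whether the device is mapped and whether its lock file exists, and returns the number of problems found. The function names are assumptions; the file paths are parameters so the audit can be run against copies of the files, with the real locations /etc/security/device_allocate, /etc/security/device_maps and /etc/security/dev used when invoked with the argument audit.

```shell
#!/bin/sh
# Added example, not part of the BSM guide: audit the device allocation
# configuration. For each device_allocate(4) entry it checks that the device
# is mapped in device_maps(4) and, if the device is allocatable, that its lock
# file exists in the lock directory (the guide's /etc/security/dev).

# norm_entries FILE SEP: print one entry per line, fields joined by '|',
# after joining '\'-continued lines, dropping '#' comments (a comment
# ending in '\' also continues) and trimming blanks around each field.
norm_entries() {
    awk -v sep="$2" '
        function emit(   n, i, out, sepch) {
            sub(/#.*/, "", line)
            n = split(line, f, sep); out = ""
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                sepch = (i > 1) ? "|" : ""
                out = out sepch f[i]
            }
            if (f[1] != "") print out
            line = ""
        }
        { line = line $0 }
        /\\$/ { sub(/\\$/, "", line); next }   # entry continues on the next line
        { emit() }
        END { if (line != "") emit() }' "$1"
}

# dm_lookup MAPS NAME: print the device-list of NAME; fail if it is not mapped.
dm_lookup() {
    norm_entries "$1" ":" |
        awk -F'|' -v n="$2" '$1 == n { print $3; found = 1 } END { exit !found }'
}

# audit_alloc ALLOC_FILE MAPS_FILE LOCK_DIR: one report line per check;
# the return value is the number of problems found.
audit_alloc() {
    alloc=$1 maps=$2 lockdir=$3 problems=0
    entries=$(norm_entries "$alloc" ";")
    while IFS='|' read -r name type r1 r2 flag clean; do
        [ -n "$name" ] || continue
        if list=$(dm_lookup "$maps" "$name"); then
            echo "$name ($type): special files: $list"
        else
            echo "$name: no device_maps entry, so dminfo cannot find its special files"
            problems=$((problems + 1))
        fi
        if [ "$flag" = '*' ]; then
            echo "$name: not allocatable (alloc field is *)"
        elif [ -f "$lockdir/$name" ]; then
            echo "$name: allocatable, lock file present, clean script $clean"
        else
            echo "$name: allocatable but $lockdir/$name is missing, so nobody can use it"
            problems=$((problems + 1))
        fi
    done <<EOF
$entries
EOF
    return $problems
}

# Run against the live files when invoked as: sh audit_alloc.sh audit
if [ "${1:-}" = audit ]; then
    audit_alloc /etc/security/device_allocate /etc/security/device_maps /etc/security/dev
    exit $?
fi
```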

Example: How the Allocate Mechanism Works

This section shows an example of how the allocate mechanism works.
The allocate(1M) command first checks for the presence of a lock file under the device name for the specified device in the /etc/security/dev directory. If the file is owned by allocate, then the ownership of the lock file is changed to the name of the user entering the allocate command.
The allocate command then checks for an entry for the device in the device_allocate file, and checks whether the entry shows the device as allocatable.
The first listing in the screen example below shows that a lock file exists with owner bin, group bin, and mode 600 for the st0 device in /etc/security/dev. The second listing shows that the associated device special files are set up properly, with owner bin, group bin, and mode 000:

  untouchable% ls -lg /etc/security/dev/st0  
  -rw------- 1 bin bin                 0 Dec 6 15:21 /etc/security/dev/st0  
  untouchable% ls -lg /devices/sbus@1,f8000000/esp@0,800000  
  c--------- 1 bin bin       18,  4 May 12 13:11 st@4,0:  
  c--------- 1 bin bin       18, 20 May 12 13:11 st@4,0:b  
  c--------- 1 bin bin       18, 28 May 12 13:11 st@4,0:bn  
  c--------- 1 bin bin       18, 12 May 12 13:11 st@4,0:c  
                       .  
                       .  
                       .  
  c--------- 1 bin bin       18,  0 May 12 13:11 st@4,0:u  
  c--------- 1 bin bin       18, 16 May 12 13:11 st@4,0:ub  
  c--------- 1 bin bin       18, 24 May 12 13:11 st@4,0:ubn  
  c--------- 1 bin bin       18,  8 May 12 13:11 st@4,0:un  

In the following screen, user vanessa allocates device st0.

  untouchable% whoami  
  vanessa  
  untouchable% allocate st0  

When the user vanessa enters the allocate command to allocate the tape st0, allocate first checks for the existence of an /etc/security/dev/st0 file. If no lock file existed or if the lock file was owned by another user than allocate, then the device would not be allocatable by vanessa.
If it finds the lock file for the device with the correct ownership and permissions, the allocate command then checks to make sure the device has an entry in the device_allocate file and that the entry specifies that the device is allocatable.
In this example, the default device_allocate entry for the st0 device specifies that the device is allocatable. Because the allocate command finds that all the above conditions are met the device is allocated to vanessa.
The allocate command changes the ownership and permissions of the device special files associated with the device in the /dev directory. To allocate the st0 device to vanessa, the mode on its associated device special files is changed to 600 and the owner is changed to vanessa.
The allocate command also changes the ownership of the lock file associated with the device in the /etc/security/dev directory. To allocate the st0 device to vanessa, the owner of /etc/security/dev/st0 is changed to vanessa.
After the user vanessa executes the allocate command using the device name st0, the following screen example shows that the owner of /etc/security/dev/st0 is changed to vanessa, that the owner of the associated device special files is now vanessa also, and that vanessa now has permission to read and write the files.

  untouchable% whoami  
  vanessa  
  untouchable% allocate st0  
  untouchable% ls -lg /etc/security/dev/st0  
  -rw------- 1 vanessa staff       0 Dec 6 15:21 /etc/security/dev/st0  
  untouchable% ls -la  /devices/sbus@1,f8000000/esp@0,800000  
  .  
  .  
  .  
  crw------- 1 vanessa 18,  4 May 12 13:11 st@4,0:  
  crw------- 1 vanessa 18, 12 May 12 13:11 st@4,0:b  
  crw------- 1 vanessa 18, 12 May 12 13:11 st@4,0:bn  
  crw------- 1 vanessa 18, 12 May 12 13:11 st@4,0:c  
  .  
  .  
  .  
  crw------- 1 vanessa 18,  4 May 12 13:11 st@4,0:u  
  crw------- 1 vanessa 18, 12 May 12 13:11 st@4,0:ub  
  crw------- 1 vanessa 18, 12 May 12 13:11 st@4,0:ubn  
  crw------- 1 vanessa 18, 12 May 12 13:11 st@4,0:un  

Managing and Adding Devices

The procedures in this section show how to manage devices and how to add devices.

· To manage devices

  1. Find out which devices are listed in the device_allocate file and which devices can be made allocatable.

  2. Define which devices, if any, should be made allocatable.

  3. Decide which normal users, if any, should be allowed to allocate devices.

  4. Edit the device_allocate file and add the new device.

· To add a new allocatable device

  1. Create an entry for any new allocatable device on the machine in the device_allocate file. How to do this is described under "The device_allocate File" on page 63.

  2. Create an empty lock file for each allocatable device in the /etc/security/dev directory. How to do this is described under "Setting Up Lock Files" on page 68.

  3. Create a device clean script if needed for each new device.

    If you add a Xylogics or an Archive tape drive, you can use the st_clean script; otherwise, create your own. How to create a device handling script is described under "Device Clean Scripts" on page 65.

  4. Make all device special files for the device owned by user bin, group bin, and at mode 000.

You may run the dminfo(1M) command to get a listing from the device_maps(4) file of all the device special files that are associated with the device you are making allocatable.

Using Device Allocations

The procedures and commands in this section show how to allocate and deallocate devices. The device allocation and deallocation commands are entered from the command line in a Command Tool or Shell Tool window:
  • allocate(1M) assigns a device to a user. You can specify the device in either of the two ways shown in Table 5-3:
Table 5-3 allocate

  device_name      Allocate the device that matches the device name.
  -g device_type   Allocate the device that matches the device group type.

  • deallocate(1M) releases a previously allocated device.
  • list_devices(1M) allows you to see a list of all allocatable devices, devices currently allocated, and allocatable devices not currently allocated.

    The list_devices(1M) command requires one of the three options shown in Table 5-4:

Table 5-4 list_devices

  -l   List all allocatable devices or information about the device.
  -n   List devices not currently allocated or information about the device.
  -u   List devices currently allocated or information about the device.

Entering list_devices -l shows you a list of all allocatable devices.

· To Allocate a Device

* From a Command Tool or a shelltool, use the allocate(1M) command with a device specified by name, as in the example, or by type, with the -g option.

  sar1% allocate st0  

If the command cannot allocate the device, an error message displays in the console window. A list of all error messages appears in the allocate(1M) reference manual page.

· To Deallocate a Device

* From a Command Tool or a shelltool, deallocate a tape drive by using the deallocate(1M) command followed by the device file name:

  sar1% deallocate st0  

Deallocation allows other users to allocate the device when you are finished.