Date: Sun, 26 Jul 1998 23:50:02 -0400 (EDT)
From: "B. Richardson" <rabtter@aye.net>
To: Cory Kempf <ckempf@enigami.com>
Cc: freebsd-scsi@FreeBSD.ORG
Subject: Re: non-root pass, symlinks to pass fail
Message-ID: <Pine.SGI.3.95.980726234308.9142A-100000@orion.aye.net>
In-Reply-To: <x7oguc6m71.fsf@singularity.enigami.com>
On 26 Jul 1998, Cory Kempf wrote:

> "B" == B Richardson <rabtter@aye.net> writes:
> > On 26 Jul 1998, Cory Kempf wrote:
>
> >> If I attempt to use cam_scsi_open() on one of the /dev/pass devices
> >> as a non-root user, it fails with errno 13 (access).
> [...]
> >> As I chmod'd things to 666 when I first got the error.
> >>
> >> Why can't I open a pass device as a non-root user?
>
> > Could a non-root user hose your system via these if he/she had the
> > access you desire?
>
> At the moment, yes. At the moment, 'cause I am attempting to figure
> out why this is not working, and for debugging purposes, have opened
> all of my pass devices. Under normal circumstances, though, only
> certain devices (e.g. not the hard disk :-) ) would be open.
>
> For example, if one of those devices is a scanner, or a cd-r (which
> two of them happen to be), I really don't need to restrict access to
> those devices to root, and in fact doing so would effectively
> eliminate any benefit of security, as any user wanting to scan an
> image would need to be root to do so.

Several flavors of Unix still require software to be setuid to access
pass thru type devices. Maybe a developer will volunteer more details
about FreeBSD.

>
> >> On what might be a related note, I created a symlink (i.e. ln -s)
> >> to a pass device. cam_scsi_open() refuses to open that either.
> >> Why?
>
> > Picture this. A user creates a symlink to /etc/spwd.db. Should said
> > user be able to set appropriate permissions on the link and then
> > update /etc/spwd.db?
>
> Of course not. But that was not my question. As root, with the pass
> device mode 666, cam_scsi_open() refuses to open the device.
>

The original snag is why the symlink doesn't work either. In the interim
you could chown the owner of the app to root, and do a chmod +s.

> It would be much easier to use, say /dev/scanner or /dev/cdr rather
> than /dev/pass4. It also allows me to insulate scripts from changes
> to the pass devices (e.g. if I add a scsi device).
>
> +C
> --
> Thinking of purchasing RAM from the Chip Merchant?
> Please read this first: <http://www.enigami.com/~ckempf/chipmerchant.html>
>
> Cory Kempf Macintosh / Unix Consulting & Software Development
> ckempf@enigami.com <http://www.enigami.com/~ckempf/>
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-scsi" in the body of the message
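The interim workaround in the reply above (a root-owned binary with chmod +s) is usually paired with an immediate privilege drop. The following is an added example, not code from this thread or from FreeBSD: it assumes the program is installed setuid root, and the function names drop_privileges() and open_device_then_drop() are hypothetical; /dev/pass4 is the node named in the thread.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumes the binary is installed setuid root, as the reply suggests.
 * Return permanently to the invoking user's ids. Group first: after
 * setuid() gives up uid 0 the process can no longer reset its saved gid.
 * Returns 0 on success, -1 if the drop failed or could be undone. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* If we were elevated, regaining the old euid must now fail. */
    if (euid != ruid && seteuid(euid) == 0)
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Open the device with the elevated ids, then drop before any other work.
 * Returns the descriptor, or -1 (with nothing left open) on any failure. */
int open_device_then_drop(const char *path, int flags)
{
    int fd = open(path, flags);      /* the only privileged step */
    int dropped = drop_privileges(); /* drop even when open() failed */

    if (dropped != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* /dev/pass4 is the node named in the thread; pass another path to try it. */
    const char *path = argc > 1 ? argv[1] : "/dev/pass4";
    int fd = open_device_then_drop(path, O_RDWR);

    printf("%s: fd=%d uid=%d euid=%d\n", path, fd, (int)getuid(), (int)geteuid());
    return fd >= 0 ? 0 : 1;
}
```

The descriptor stays usable after the drop because access is checked at open() time, so only the open itself runs with root's ids.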