Date:      27 Jul 1998 11:50:29 -0400
From:      Cory Kempf <ckempf@enigami.com>
To:        "Kenneth D. Merry" <ken@plutotech.com>, freebsd-scsi@FreeBSD.ORG
Subject:   Re: non-root pass, symlinks to pass fail
Message-ID:  <x7af5v2sze.fsf@singularity.enigami.com>
In-Reply-To: "Kenneth D. Merry"'s message of "Mon, 27 Jul 1998 09:08:02 -0600 (MDT)"
References:  <199807271508.JAA24759@panzer.plutotech.com>

"Kenneth" == Kenneth D Merry <ken@plutotech.com> writes:

> Cory Kempf wrote...
>> Why can't I open a pass device as a non-root user?
>> 
>> > Probably because you're chmoding the wrong devices.
>> 
>> Unfortunately, it didn't help: I chmod'd /dev/*pass* to 666, but
>> cam_scsi_open() still fails with errno 13.
>> 
>> FWIW, cdrecord -scanbus likewise fails, unless I am root.

> 	What are the permissions on the transport layer devices?  The
> one used is /dev/rxpt0.  If the CAM library can't open the transport
> layer device, it can't figure out which passthrough device to open.

All xpt devices are 640.  chmodding them to 666 allows cdrecord
-scanbus & find-scanner to work.  

Cool.


Isn't this opening up a rather large security hole?  I mean, by doing
this, am I not effectively allowing full access to all my SCSI
devices, including my hard disk via the xpt devices?

FWIW, it seems that if any pass devices are not mode 666, cdrecord
fails, but find-scanners works OK.

As I see it, if I want a somewhat secure system, but still want the
ability to let the user scan / burn CDs, at best, I can chmod the pass
& xpt devices to 660, and make any programs (e.g. scanimage,
find-scanners, saned, cdrecord, etc) sgid.

Which is not really secure, especially as the programs in question
were never designed to be suid/sgid.  

Can we do better?  Ideally, I would like to set permissions on a
per-device basis, and not allow access to the entire bus.

In any case, I am going to release what I have, with a README note for
now, to get something out. But, I really would like to see a better
answer -- or be told that the hole I see doesn't really exist :-)

+C
-- 
Thinking of purchasing RAM from the Chip Merchant?  
Please read this first: <http://www.enigami.com/~ckempf/chipmerchant.html>

Cory Kempf                Macintosh / Unix Consulting & Software Development
ckempf@enigami.com        <http://www.enigami.com/~ckempf/>
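
An added example, not part of the original message: a POSIX shell audit of the xpt and pass device nodes discussed in this thread, which flags any node that grants read or write access to users outside the owner and group (as mode 666 does) and returns non-zero when one is found. The function name `audit_cam_nodes` and the name patterns it matches (including the `rxpt*` form mentioned above) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit CAM transport (xpt) and passthrough (pass) device nodes.
# Assumption: nodes are named xpt*, rxpt* or pass* under the directory given
# as $1 (default /dev). Symlinks and directories are skipped.
#
# Output, one line per node:  <verdict> <mode string> <group> <path>
#   WORLD-RW / WORLD-R / WORLD-W  "other" has that access (e.g. mode 666)
#   OK                            access limited to owner and group (e.g. 660)
# Exit status: 1 if any node is world-accessible, 0 otherwise.
audit_cam_nodes() {
    dir=${1:-/dev}
    findings=$(
        find "$dir" \( -name 'xpt*' -o -name 'rxpt*' -o -name 'pass*' \) \
             ! -type d ! -type l | sort |
        while IFS= read -r node; do
            # ls -ld is portable across BSD and GNU userlands:
            # field 1 is the mode string, field 4 the owning group.
            set -- $(ls -ld -- "$node")
            mode=$1
            group=$4
            # Characters 8-9 of the mode string are the r/w bits for "other".
            other=$(printf '%s' "$mode" | cut -c8-9)
            case $other in
                rw) echo "WORLD-RW $mode $group $node" ;;
                r-) echo "WORLD-R $mode $group $node" ;;
                -w) echo "WORLD-W $mode $group $node" ;;
                *)  echo "OK $mode $group $node" ;;
            esac
        done
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    # Fail when any node is reachable by users outside owner and group.
    case $findings in
        *WORLD-*) return 1 ;;
    esac
    return 0
}

# Usage: audit_cam_nodes /dev
```
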
