Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 19 Feb 1999 16:13:36 -0700 (MST)
From:      "Kenneth D. Merry" <ken@plutotech.com>
To:        r3cgm@cdrom.com (Christopher G. Mann)
Cc:        freebsd-scsi@FreeBSD.ORG
Subject:   Re: Unusual CAM Error w/FreeBSD 3.1 (tosha)
Message-ID:  <199902192313.QAA05091@panzer.plutotech.com>
In-Reply-To: <19990219100154.I7822@cdrom.com> from "Christopher G. Mann" at "Feb 19, 1999 10: 1:54 am"
next in thread | previous in thread | raw e-mail | index | archive | help 
Christopher G. Mann wrote...
> : definately, but also some of the "hook-devs" in /dev like xpt? for example
> : should be root.operator and mode 660 or root.wheel or whatever. if theres no
> : standardization in the next time, a lot of audio/multimedia packages will
> : grow wild with suid executables where we wont need/want them i guess - and
> : theres no harder pain in the ass than defect hardware and suid binaries.
> : 
> %ls -alF tosha
> -rwxr-xr-x  1 bin  bin  21304 Feb 18 03:07 tosha*
> 
> %chown bin:operator tosha
> %chmod 2755 tosha
> 
> %ls -alF tosha
> -rwxr-sr-x  1 bin  operator  21304 Feb 18 03:07 tosha*
> %exit
> 
> [beacon : r3cgm] ~ - fgrep operator /etc/group
> operator:*:5:root,r3cgm

Having tosha setgid is not necessary, since you're already in the operator
group.  In fact, it could represent a security risk if tosha is somehow
exploitable.

> [beacon : r3cgm] /usr/local/bin - ls -l /dev/xpt* /dev/pass*
> crw-rw----  1 root  operator   31,   0 Feb 16 16:56 /dev/pass0
> crw-rw----  1 root  operator   31,   1 Feb 16 16:56 /dev/pass1
> crw-rw----  1 root  operator   31,   2 Feb 16 16:56 /dev/pass2
> crw-rw----  1 root  operator   31,   3 Feb 16 16:56 /dev/pass3
> crw-rw----  1 root  operator  104,   0 Feb 16 16:56 /dev/xpt0
> crw-rw----  1 root  operator  104,   1 Feb 16 16:56 /dev/xpt1
> 
> [beacon : r3cgm] ~ - tosha -i
> Device: /dev/cd0c -- "PIONEER" "CD-ROM DR-U16S" "1.01"

[ ... ]

> Yay!  I think we're good to go now.  I'll email the /port maintainer
> for tosha and see if I get the Makefile changed a bit.

I would recommend against changing things.  The tosha port works as-is,
without modification.

The default security policy should be:

 - binaries are not setuid or setgid
 - devices are chmoded 600

System administrators can then use group permissions on device nodes to
control access to certain SCSI devices, or all SCSI devices.

Ken
-- 
Kenneth Merry
ken@plutotech.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-scsi" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199902192313.QAA05091>