Date: Fri, 19 Feb 1999 16:13:36 -0700 (MST) From: "Kenneth D. Merry" <ken@plutotech.com> To: r3cgm@cdrom.com (Christopher G. Mann) Cc: freebsd-scsi@FreeBSD.ORG Subject: Re: Unusual CAM Error w/FreeBSD 3.1 (tosha) Message-ID: <199902192313.QAA05091@panzer.plutotech.com> In-Reply-To: <19990219100154.I7822@cdrom.com> from "Christopher G. Mann" at "Feb 19, 1999 10: 1:54 am"
next in thread | previous in thread | raw e-mail | index | archive | help
Christopher G. Mann wrote... > : definately, but also some of the "hook-devs" in /dev like xpt? for example > : should be root.operator and mode 660 or root.wheel or whatever. if theres no > : standardization in the next time, a lot of audio/multimedia packages will > : grow wild with suid executables where we wont need/want them i guess - and > : theres no harder pain in the ass than defect hardware and suid binaries. > : > %ls -alF tosha > -rwxr-xr-x 1 bin bin 21304 Feb 18 03:07 tosha* > > %chown bin:operator tosha > %chmod 2755 tosha > > %ls -alF tosha > -rwxr-sr-x 1 bin operator 21304 Feb 18 03:07 tosha* > %exit > > [beacon : r3cgm] ~ - fgrep operator /etc/group > operator:*:5:root,r3cgm Having tosha setgid is not necessary, since you're already in the operator group. In fact, it could represent a security risk if tosha is somehow exploitable. > [beacon : r3cgm] /usr/local/bin - ls -l /dev/xpt* /dev/pass* > crw-rw---- 1 root operator 31, 0 Feb 16 16:56 /dev/pass0 > crw-rw---- 1 root operator 31, 1 Feb 16 16:56 /dev/pass1 > crw-rw---- 1 root operator 31, 2 Feb 16 16:56 /dev/pass2 > crw-rw---- 1 root operator 31, 3 Feb 16 16:56 /dev/pass3 > crw-rw---- 1 root operator 104, 0 Feb 16 16:56 /dev/xpt0 > crw-rw---- 1 root operator 104, 1 Feb 16 16:56 /dev/xpt1 > > [beacon : r3cgm] ~ - tosha -i > Device: /dev/cd0c -- "PIONEER" "CD-ROM DR-U16S" "1.01" [ ... ] > Yay! I think we're good to go now. I'll email the /port maintainer > for tosha and see if I get the Makefile changed a bit. I would recommend against changing things. The tosha port works as-is, without modification. The default security policy should be: - binaries are not setuid or setgid - devices are chmoded 600 System administrators can then use group permissions on device nodes to control access to certain SCSI devices, or all SCSI devices. Ken -- Kenneth Merry ken@plutotech.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-scsi" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199902192313.QAA05091>