Date: Mon, 22 Feb 1999 02:49:59 +0100 From: "Karsten W. Rohrbach" <rohrbach@nacamar.net> To: "Kenneth D. Merry" <ken@plutotech.com> Cc: dwmalone@maths.tcd.ie, r3cgm@cdrom.com, freebsd-scsi@FreeBSD.ORG Subject: Re: Unusual CAM Error w/FreeBSD 3.1 (tosha) Message-ID: <19990222024959.D12320@nacamar.net> In-Reply-To: <199902191758.KAA03342@panzer.plutotech.com>; from Kenneth D. Merry on Fri, Feb 19, 1999 at 10:58:45AM -0700 References: <19990219132746.A4754@nacamar.net> <199902191758.KAA03342@panzer.plutotech.com>
next in thread | previous in thread | raw e-mail | index | archive | help
so maybe someone is willing to "invent" a joe user safe system for
automagically chmoding this stuff kinda (okay please dont hurt me) windows
nt style ("fixing system permissions") in a way more transparent way.
it could serve as a kind of tripwire-lite for looking after suid/sgid
binaries, some kind of system security manager for the userland. this
would increase popularity in my opinion. freebsd installation and
everything gets easier and easier all the time, but running system
management is still limited to 'vi /etc/something' which, imho, keeps
freebsd on the second choice place for
internet-newbie-but-me-wants-no-windoze-server people ;-)
if you look at yast (suse linux) or the redhat tools, they are a nice
attempt but not really a choice for everyday use, so maybe the freebsd
community comes up with something better :)
/k
Kenneth D. Merry (ken@plutotech.com) @ Fri, Feb 19, 1999 at 10:58:45AM -0700:
> Karsten W. Rohrbach wrote...
> > definately, but also some of the "hook-devs" in /dev like xpt? for example
> > should be root.operator and mode 660 or root.wheel or whatever. if theres no
> > standardization in the next time, a lot of audio/multimedia packages will
> > grow wild with suid executables where we wont need/want them i guess - and
> > theres no harder pain in the ass than defect hardware and suid binaries.
>
> The xpt and pass devices are owned by root.operator, just like disk
> devices.
>
> They are quite intentionally chmoded 600 by default. The reason for that
> is that you can use the pass device at least to reformat hard disks and
> things like that, so it should default to being very secure, and sysadmins
> can selectively reduce the security if they want.
>
> For my own machines, I chmod the xpt and pass devices 660, and put myself
> in the operator group. So I can use camcontrol, tosha, etc., without having
> to su or make the binaries setuid.
>
> I can sympathize with the desire to make things easier for Joe User to use
> the xpt/pass devices, but I would rather not compromise security to do it.
>
> As far as I know, none of the applications that currently use the xpt/pass
> devices are installed setuid. So access policies are determined by how the
> system administrator chmods the files in /dev.
>
> > David Malone (dwmalone@maths.tcd.ie) @ Fri, Feb 19, 1999 at 12:18:51PM +0000:
> > > > > %ls -l tosha
> > > > > -rwsr-xr-x 1 bin bin 21304 Feb 18 03:07 tosha
> > >
> > > Surely suid bin isn't going to be very useful to tosha?
> > > Shouldn't it be suid root or sgid operator or something?
> > >
>
> Argh!! I didn't see that! Christopher, that's your problem. The binary
> was setuid bin, but /dev/xpt* and /dev/pass* are owned by root. So setuid
> bin won't do you any good.
>
> Ken
> --
> Kenneth Merry
> ken@plutotech.com
--
"The path of excess leads to the tower of wisdom." -- W. Blake
http://www.nacamar.de - http://www.nacamar.net - http://www.webmonster.de
http://www.apache.de - http://www.quakeforum.de - finger rohrbach@nacamar.net
PGP Key fingerprint = F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-scsi" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990222024959.D12320>