Date: Sat, 20 Apr 2002 22:56:42 -0500
From: "Craig Boston" <craig@gjgth.gank.org>
To: <current@freebsd.org>
Subject: Re: Adding a 'bpf' group for /dev/bpf*
Message-ID: <014601c1e8e8$8defe350$5f45a8c0@auir.gank.org>
References: <20020420151152.E76898@blossom.cjclark.org> <200204202227.g3KMRIJ39147@orthanc.ab.ca> <20020420204245.F76898@blossom.cjclark.org>

Crist J. Clark wrote:
> These are actually very different in that they are set{u,g}id commands
> (well, ps(1) is not set{u,g}id anymore and is root:wheel owned). The
> sniffing tools we've been discussing, and pretty much all of the ones
> I've used, tcpdump(1), snort(8), nmap(1), etc., are not. When
> tcpdump(1) or one of these ports is installed, there is no reason to
> give it any special group ownership. The thing that determines whether
> someone can sniff is the {u,g}id of the user executing the
> command. The port's Makefile doesn't need to know anything about your
> /etc/group; it just installs the file -r-xr-x-r-x root:wheel. The
> local administrator simply needs to execute the simple commands I put
> in my last mail to give a group sniffing powers. The files'
> permissions and ownership are never changed.

Since -current by default uses devfs, is there a standard way to make
the ownership/permissions of device nodes "sticky" so that they persist
across boots? Or should we just put the appropriate commands in
rc.local?

Besides bpf, this would be useful, for example, for people who want to
change permissions on cd-rom devices to 644 so that non-root users can
make iso images (or give a special group cd burner rights).

Craig

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message