Date: Fri, 19 Feb 1999 10:58:45 -0700 (MST)
From: "Kenneth D. Merry" <ken@plutotech.com>
To: rohrbach@nacamar.net
Cc: dwmalone@maths.tcd.ie, ken@plutotech.com, r3cgm@cdrom.com, freebsd-scsi@FreeBSD.ORG
Subject: Re: Unusual CAM Error w/FreeBSD 3.1 (tosha)
Message-ID: <199902191758.KAA03342@panzer.plutotech.com>
In-Reply-To: <19990219132746.A4754@nacamar.net> from "Karsten W. Rohrbach" at "Feb 19, 1999 1:27:46 pm"

Karsten W. Rohrbach wrote...
> definitely, but also some of the "hook-devs" in /dev like xpt? for example
> should be root.operator and mode 660 or root.wheel or whatever. if there's no
> standardization in the next time, a lot of audio/multimedia packages will
> grow wild with suid executables where we won't need/want them i guess - and
> there's no harder pain in the ass than defect hardware and suid binaries.

The xpt and pass devices are owned by root.operator, just like disk
devices. They are quite intentionally chmoded 600 by default. The reason
for that is that you can use the pass device at least to reformat hard
disks and things like that, so it should default to being very secure, and
sysadmins can selectively reduce the security if they want.

For my own machines, I chmod the xpt and pass devices 660, and put myself
in the operator group. So I can use camcontrol, tosha, etc., without
having to su or make the binaries setuid.

I can sympathize with the desire to make things easier for Joe User to use
the xpt/pass devices, but I would rather not compromise security to do it.

As far as I know, none of the applications that currently use the xpt/pass
devices are installed setuid. So access policies are determined by how the
system administrator chmods the files in /dev.

> David Malone (dwmalone@maths.tcd.ie) @ Fri, Feb 19, 1999 at 12:18:51PM +0000:
> > > > %ls -l tosha
> > > > -rwsr-xr-x 1 bin bin 21304 Feb 18 03:07 tosha
> > Surely suid bin isn't going to be very useful to tosha?
> > Shouldn't it be suid root or sgid operator or something?
> >

Argh!! I didn't see that!

Christopher, that's your problem. The binary was setuid bin, but /dev/xpt*
and /dev/pass* are owned by root. So setuid bin won't do you any good.

Ken
--
Kenneth Merry
ken@plutotech.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-scsi" in the body of the message
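
The access decision discussed in the message above, as an added example that is not part of the original e-mail or of FreeBSD: a model of the classic owner/group/other check applied to the device modes and binary ownerships named in the thread. The numeric ids and the user "ken" are constructed values; ACLs and other policy layers are assumed absent.

```python
import stat
from dataclasses import dataclass

ROOT, BIN, OPERATOR, KEN = 0, 3, 5, 1001   # constructed ids for illustration

@dataclass(frozen=True)
class Node:            # a file: a device node or an executable
    uid: int
    gid: int
    mode: int

@dataclass(frozen=True)
class Cred:            # effective credentials of a process
    euid: int
    egid: int
    groups: frozenset = frozenset()

def exec_cred(binary, caller):
    """Credentials after exec: setuid/setgid bits replace the effective ids."""
    euid = binary.uid if binary.mode & stat.S_ISUID else caller.euid
    egid = binary.gid if binary.mode & stat.S_ISGID else caller.egid
    return Cred(euid, egid, caller.groups)

def can_open_rw(node, cred):
    """Exactly one permission class is consulted: owner, else group, else other."""
    if cred.euid == ROOT:
        return True
    if cred.euid == node.uid:
        bits = (node.mode >> 6) & 0o7
    elif node.gid == cred.egid or node.gid in cred.groups:
        bits = (node.mode >> 3) & 0o7
    else:
        bits = node.mode & 0o7
    return bits & 0o6 == 0o6

def scenarios():
    """Device and binary configurations mentioned in the thread."""
    pass_600 = Node(ROOT, OPERATOR, 0o600)            # default described in the mail
    pass_660 = Node(ROOT, OPERATOR, 0o660)            # after chmod 660
    user = Cred(KEN, KEN)                             # not in operator
    user_op = Cred(KEN, KEN, frozenset({OPERATOR}))   # added to operator
    plain = Node(BIN, BIN, 0o755)
    suid_bin = Node(BIN, BIN, 0o4755)                 # the -rwsr-xr-x bin bin case
    sgid_op = Node(BIN, OPERATOR, 0o2755)
    suid_root = Node(ROOT, BIN, 0o4755)
    return {
        "suid bin, dev 600": can_open_rw(pass_600, exec_cred(suid_bin, user)),
        "sgid operator, dev 600": can_open_rw(pass_600, exec_cred(sgid_op, user)),
        "sgid operator, dev 660": can_open_rw(pass_660, exec_cred(sgid_op, user)),
        "suid root, dev 600": can_open_rw(pass_600, exec_cred(suid_root, user)),
        "plain, operator member, dev 660": can_open_rw(pass_660, exec_cred(plain, user_op)),
        "plain, operator member, dev 600": can_open_rw(pass_600, exec_cred(plain, user_op)),
    }
```

Only the last-but-one configuration grants access without any setuid or setgid binary, which is the setup the message describes for the author's own machines.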