From: Cory Kempf
Date: 26 Jul 1998 22:51:14 -0400
To: freebsd-scsi@FreeBSD.ORG, "B. Richardson"
Subject: Re: non-root pass, symlinks to pass fail
In-Reply-To: "B. Richardson"'s message of "Sun, 26 Jul 1998 22:07:45 -0400 (EDT)"

"B" == B Richardson writes:

> On 26 Jul 1998, Cory Kempf wrote:
>> If I attempt to use cam_scsi_open() on one of the /dev/pass devices
>> as a non-root user, it fails with errno 13 (access).
[...]
>> As I chmod'd things to 666 when I first got the error.
>>
>> Why can't I open a pass device as a non-root user?

> Could a non-root user hose your system via these if he/she had the
> access you desire?

At the moment, yes. At the moment, 'cause I am attempting to figure
out why this is not working, and for debugging purposes, have opened
all of my pass devices. Under normal circumstances, though, only
certain devices (e.g. not the hard disk :-) ) would be open.

For example, if one of those devices is a scanner, or a cd-r (which
two of them happen to be), I really don't need to restrict access to
those devices to root, and in fact doing so would effectively
eliminate any benefit of security, as any user wanting to scan an
image would need to be root to do so.

>> On what might be a related note, I created a symlink (i.e. ln -s)
>> to a pass device. cam_scsi_open() refuses to open that either.
>> Why?

> Picture this. A user creates a symlink to /etc/spwd.db. Should said
> user be able to set appropriate permissions on the link and then
> update /etc/spwd.db?

Of course not. But that was not my question. As root, with the pass
device mode 666, cam_scsi_open() refuses to open the device.

It would be much easier to use, say, /dev/scanner or /dev/cdr rather
than /dev/pass4. It also allows me to insulate scripts from changes
to the pass devices (e.g. if I add a scsi device).

+C

--
Cory Kempf
Macintosh / Unix Consulting & Software Development
ckempf@enigami.com
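An added diagnostic for the situation discussed in this thread, not code from the original message or from FreeBSD: it shows that an alias such as /dev/scanner is opened with the permissions of the node it resolves to, and reports that node's mode, owner and the result of a plain open(2). `struct node_report` and `inspect_node()` are hypothetical names, and only POSIX calls are used, so nothing here goes through the CAM library.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical report type for this example; not part of any CAM API. */
struct node_report {
    int is_symlink;          /* the path itself is a symbolic link */
    char target[PATH_MAX];   /* fully resolved node the kernel will open */
    mode_t mode;             /* permission bits of the resolved node */
    uid_t uid; gid_t gid;    /* owner of the resolved node */
    int world_rw;            /* "other" may both read and write (e.g. 0666) */
    int open_errno;          /* 0 if open(O_RDWR) worked, else its errno */
};

/* Inspect a device path or alias. Returns 0, or -1 if it cannot be stat'ed. */
int inspect_node(const char *path, struct node_report *r)
{
    struct stat lst, st;
    memset(r, 0, sizeof(*r));
    if (lstat(path, &lst) != 0) return -1;   /* examine the link, unfollowed */
    r->is_symlink = S_ISLNK(lst.st_mode);
    if (realpath(path, r->target) == NULL || stat(r->target, &st) != 0)
        return -1;
    /* open(2) follows symlinks: the target's bits decide, not the link's. */
    r->mode = st.st_mode & 07777;
    r->uid = st.st_uid; r->gid = st.st_gid;
    r->world_rw = (r->mode & (S_IROTH | S_IWOTH)) == (S_IROTH | S_IWOTH);
    int fd = open(path, O_RDWR | O_NONBLOCK);
    if (fd < 0) r->open_errno = errno; else close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    struct node_report r;
    for (int i = 1; i < argc; i++) {
        if (inspect_node(argv[i], &r) != 0) { perror(argv[i]); continue; }
        printf("%s%s -> %s mode %04o uid %ld gid %ld%s open: %s\n", argv[i],
               r.is_symlink ? " (symlink)" : "", r.target, (unsigned)r.mode,
               (long)r.uid, (long)r.gid, r.world_rw ? " WORLD-RW" : "",
               r.open_errno ? strerror(r.open_errno) : "ok");
    }
    return 0;
}
```

If this reports "ok" for a path that a library call still refuses, the node's permission bits are not what is blocking the open; a WORLD-RW flag on a disk's node is the case the reply in the thread warns about.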