Date: 26 Jul 1998 22:51:14 -0400
From: Cory Kempf <ckempf@enigami.com>
To: freebsd-scsi@FreeBSD.ORG, "B. Richardson" <rabtter@aye.net>
Subject: Re: non-root pass, symlinks to pass fail
Message-ID: <x7oguc6m71.fsf@singularity.enigami.com>
In-Reply-To: "B. Richardson"'s message of "Sun, 26 Jul 1998 22:07:45 -0400 (EDT)"
References: <Pine.SGI.3.95.980726214851.27065A-100000@orion.aye.net>

"B" == B Richardson <rabtter@aye.net> writes:

> On 26 Jul 1998, Cory Kempf wrote:
>> If I attempt to use cam_scsi_open() on one of the /dev/pass devices
>> as a non-root user, it fails with errno 13 (access). [...]
>> As I chmod'd things to 666 when I first got the error.
>>
>> Why can't I open a pass device as a non-root user?

> Could a non-root user hose your system via these if he/she had the
> access you desire?

At the moment, yes. At the moment, 'cause I am attempting to figure
out why this is not working, and for debugging purposes, have opened
all of my pass devices.

Under normal circumstances, though, only certain devices (e.g. not the
hard disk :-) ) would be open. For example, if one of those devices
is a scanner, or a cd-r (which two of them happen to be), I really
don't need to restrict access to those devices to root, and in fact doing
so would effectively eliminate any benefit of security, as any user
wanting to scan an image would need to be root to do so.

>> On what might be a related note, I created a symlink (i.e. ln -s)
>> to a pass device. cam_scsi_open() refuses to open that either.
>> Why?

> Picture this. A user creates a symlink to /etc/spwd.db. Should said
> user be able to set appropriate permissions on the link and then
> update /etc/spwd.db?

Of course not. But that was not my question. As root, with the pass
device mode 666, cam_scsi_open() refuses to open the device.

It would be much easier to use, say /dev/scanner or /dev/cdr rather
than /dev/pass4. It also allows me to insulate scripts from changes
to the pass devices (e.g. if I add a scsi device).

+C

--
Thinking of purchasing RAM from the Chip Merchant?
Please read this first: <http://www.enigami.com/~ckempf/chipmerchant.html>

Cory Kempf
Macintosh / Unix Consulting & Software Development
ckempf@enigami.com
<http://www.enigami.com/~ckempf/>