From owner-freebsd-scsi Fri Feb 19 9:59:56 1999
Delivered-To: freebsd-scsi@freebsd.org
Received: from panzer.plutotech.com (panzer.plutotech.com [206.168.67.125]) by hub.freebsd.org (Postfix) with ESMTP id 98CD111628 for ; Fri, 19 Feb 1999 09:59:49 -0800 (PST) (envelope-from ken@panzer.plutotech.com)
Received: (from ken@localhost) by panzer.plutotech.com (8.9.2/8.8.5) id KAA03342; Fri, 19 Feb 1999 10:58:45 -0700 (MST)
From: "Kenneth D. Merry"
Message-Id: <199902191758.KAA03342@panzer.plutotech.com>
Subject: Re: Unusual CAM Error w/FreeBSD 3.1 (tosha)
In-Reply-To: <19990219132746.A4754@nacamar.net> from "Karsten W. Rohrbach" at "Feb 19, 1999 1:27:46 pm"
To: rohrbach@nacamar.net
Date: Fri, 19 Feb 1999 10:58:45 -0700 (MST)
Cc: dwmalone@maths.tcd.ie, ken@plutotech.com, r3cgm@cdrom.com, freebsd-scsi@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-scsi@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Karsten W. Rohrbach wrote...
> definitely, but also some of the "hook-devs" in /dev like xpt? for example
> should be root.operator and mode 660 or root.wheel or whatever. if there's no
> standardization in the next time, a lot of audio/multimedia packages will
> grow wild with suid executables where we won't need/want them i guess - and
> there's no harder pain in the ass than defect hardware and suid binaries.

The xpt and pass devices are owned by root.operator, just like disk
devices.  They are quite intentionally chmoded 600 by default.  The
reason for that is that you can use the pass device at least to
reformat hard disks and things like that, so it should default to being
very secure, and sysadmins can selectively reduce the security if they
want.

For my own machines, I chmod the xpt and pass devices 660, and put
myself in the operator group.  So I can use camcontrol, tosha, etc.,
without having to su or make the binaries setuid.
I can sympathize with the desire to make things easier for Joe User to
use the xpt/pass devices, but I would rather not compromise security to
do it.

As far as I know, none of the applications that currently use the
xpt/pass devices are installed setuid.  So access policies are
determined by how the system administrator chmods the files in /dev.

> David Malone (dwmalone@maths.tcd.ie) @ Fri, Feb 19, 1999 at 12:18:51PM +0000:
> > > > %ls -l tosha
> > > > -rwsr-xr-x 1 bin bin 21304 Feb 18 03:07 tosha
> >
> > Surely suid bin isn't going to be very useful to tosha?
> > Shouldn't it be suid root or sgid operator or something?
>
> Argh!! I didn't see that!

Christopher, that's your problem.  The binary was setuid bin, but
/dev/xpt* and /dev/pass* are owned by root.  So setuid bin won't do you
any good.

Ken
--
Kenneth Merry
ken@plutotech.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-scsi" in the body of the message
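The permission check the whole message turns on, as an added example that is not part of Ken's message, of tosha, or of FreeBSD itself: a POSIX sh model of the discretionary access check the kernel applies when a process opens a /dev node, run over the scenarios in the thread (tosha installed setuid bin against root:operator 0600 nodes, the same nodes after the chmod 660 plus operator membership Ken describes, and a setuid-root binary). The numeric uids/gids, the user "joe", and the pw groupmod command in the helper are assumptions; nothing is read from a live system.

```shell
#!/bin/sh
# Added example, not code from the thread, from tosha or from FreeBSD.
# dac_can_open models the owner/group/other check on a device node;
# the functions below it replay the thread's scenarios with constructed
# ids and modes.

# dac_can_open OWNER GROUP MODE EUID EGROUPS WANT  -> prints allow|deny
#   OWNER, GROUP : numeric uid/gid of the device node
#   MODE         : permission bits in octal (0600, 0660, ...)
#   EUID         : effective uid of the opening process
#   EGROUPS      : space separated gids the process belongs to
#   WANT         : r, w or rw
# Only the first matching class (owner, then group, then other) is
# consulted, as the kernel does; euid 0 bypasses the mode bits, which
# is why setuid root would work where setuid bin does not.
dac_can_open() {
    owner=$1; group=$2; mode=$3; euid=$4; egroups=$5; want=$6

    if [ "$euid" -eq 0 ]; then
        echo allow
        return
    fi

    if [ "$euid" -eq "$owner" ]; then
        bits=$(( (0$mode >> 6) & 7 ))
    else
        bits=$(( 0$mode & 7 ))        # "other" unless a group matches
        for g in $egroups; do
            if [ "$g" -eq "$group" ]; then
                bits=$(( (0$mode >> 3) & 7 ))
                break
            fi
        done
    fi

    need=0
    case $want in *r*) need=$(( need | 4 ));; esac
    case $want in *w*) need=$(( need | 2 ));; esac

    if [ $(( bits & need )) -eq "$need" ]; then
        echo allow
    else
        echo deny
    fi
}

# Constructed ids (following FreeBSD's conventional numbering, assumed
# here): root 0, bin 3, operator gid 5, plus a user "joe" uid/gid 1001.
UID_ROOT=0; UID_BIN=3; UID_JOE=1001
GID_OPERATOR=5; GID_JOE=1001

# tosha installed -rwsr-xr-x bin:bin and run by joe: the effective uid
# becomes bin, the groups stay joe's.  /dev/pass0 is root:operator 0600.
tosha_setuid_bin() {
    dac_can_open $UID_ROOT $GID_OPERATOR 0600 $UID_BIN "$GID_JOE" rw
}

# joe added to operator, but the nodes left at the 0600 default.
joe_in_operator_600() {
    dac_can_open $UID_ROOT $GID_OPERATOR 0600 $UID_JOE "$GID_JOE $GID_OPERATOR" rw
}

# Ken's setup: nodes chmod 660 and joe in the operator group, no setuid.
joe_in_operator_660() {
    dac_can_open $UID_ROOT $GID_OPERATOR 0660 $UID_JOE "$GID_JOE $GID_OPERATOR" rw
}

# A setuid-root tosha would open the nodes regardless of the mode bits,
# the exposure the 600 default is there to avoid.
tosha_setuid_root() {
    dac_can_open $UID_ROOT $GID_OPERATOR 0600 $UID_ROOT "$GID_JOE" rw
}

# On a live FreeBSD box this shows the real policy on the CAM nodes.
audit_cam_nodes() {
    dir=${1:-/dev}
    ls -ld "$dir"/xpt* "$dir"/pass* 2>/dev/null || echo "no xpt/pass nodes under $dir"
}

# The change Ken describes, printed rather than executed (the pw(8)
# syntax for the group change is assumed; the message mentions chmod only).
relax_cam_devices() {
    echo "chmod 660 /dev/xpt* /dev/pass*"
    echo "pw groupmod operator -m $1"
}

echo "tosha setuid bin, nodes 0600:   $(tosha_setuid_bin)"
echo "joe in operator, nodes 0600:    $(joe_in_operator_600)"
echo "joe in operator, nodes 0660:    $(joe_in_operator_660)"
echo "tosha setuid root, nodes 0600:  $(tosha_setuid_root)"
```

Run as `sh script.sh`; the four lines at the bottom show deny, deny, allow, allow. The middle case is the one people trip over: group membership alone does nothing until the node's group bits are opened, and conversely chmod 660 alone does nothing for a user outside operator. Both halves of Ken's change are needed, and neither requires a setuid binary.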