From: "Kenneth D. Merry"
Message-Id: <199902192313.QAA05091@panzer.plutotech.com>
Subject: Re: Unusual CAM Error w/FreeBSD 3.1 (tosha)
In-Reply-To: <19990219100154.I7822@cdrom.com> from "Christopher G. Mann" at "Feb 19, 1999 10: 1:54 am"
To: r3cgm@cdrom.com (Christopher G. Mann)
Date: Fri, 19 Feb 1999 16:13:36 -0700 (MST)
Cc: freebsd-scsi@FreeBSD.ORG

Christopher G. Mann wrote...
> : definitely, but also some of the "hook-devs" in /dev like xpt? for example
> : should be root.operator and mode 660 or root.wheel or whatever. if there's no
> : standardization in the next time, a lot of audio/multimedia packages will
> : grow wild with suid executables where we won't need/want them i guess - and
> : there's no harder pain in the ass than defect hardware and suid binaries.
> :
> %ls -alF tosha
> -rwxr-xr-x  1 bin  bin  21304 Feb 18 03:07 tosha*
>
> %chown bin:operator tosha
> %chmod 2755 tosha
>
> %ls -alF tosha
> -rwxr-sr-x  1 bin  operator  21304 Feb 18 03:07 tosha*
> %exit
>
> [beacon : r3cgm] ~ - fgrep operator /etc/group
> operator:*:5:root,r3cgm

Having tosha setgid is not necessary, since you're already in the operator
group.  In fact, it could represent a security risk if tosha is somehow
exploitable.

> [beacon : r3cgm] /usr/local/bin - ls -l /dev/xpt* /dev/pass*
> crw-rw----  1 root  operator   31,   0 Feb 16 16:56 /dev/pass0
> crw-rw----  1 root  operator   31,   1 Feb 16 16:56 /dev/pass1
> crw-rw----  1 root  operator   31,   2 Feb 16 16:56 /dev/pass2
> crw-rw----  1 root  operator   31,   3 Feb 16 16:56 /dev/pass3
> crw-rw----  1 root  operator  104,   0 Feb 16 16:56 /dev/xpt0
> crw-rw----  1 root  operator  104,   1 Feb 16 16:56 /dev/xpt1
>
> [beacon : r3cgm] ~ - tosha -i
> Device: /dev/cd0c -- "PIONEER" "CD-ROM DR-U16S" "1.01"
[ ... ]
> Yay!  I think we're good to go now.  I'll email the /port maintainer
> for tosha and see if I get the Makefile changed a bit.

I would recommend against changing things.  The tosha port works as-is,
without modification.

The default security policy should be:
 - binaries are not setuid or setgid
 - devices are chmoded 600

System administrators can then use group permissions on device nodes to
control access to certain SCSI devices, or all SCSI devices.

Ken
-- 
Kenneth Merry
ken@plutotech.com
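The policy Ken states above (no set-id bits on binaries, device nodes closed to "other", with group access left to the administrator) as a small audit script. This is an added example, not code from the thread or from the tosha port; the listing it checks is constructed and modelled on the one quoted in the mail.

```sh
#!/bin/sh
# Added example: audit "ls -l" output against the policy in Ken's reply:
#   - regular files carry no setuid/setgid bit
#   - character/block device nodes grant nothing to "other" (600 or 660)

# policy_violation MODE OWNER GROUP NAME
# Prints a reason and returns 1 if the entry breaks the policy, else returns 0.
policy_violation() {
    mode=$1 owner=$2 group=$3 name=$4
    type=$(printf '%s' "$mode" | cut -c1)
    ubits=$(printf '%s' "$mode" | cut -c2-4)
    gbits=$(printf '%s' "$mode" | cut -c5-7)
    obits=$(printf '%s' "$mode" | cut -c8-10)
    case $type in
        c|b)    # device node: only owner and (optionally) a group may use it
            case $obits in
                ---) return 0 ;;
                *)   echo "$name: device node open to others ($mode)"; return 1 ;;
            esac ;;
        -)      # regular file: no set-id bits at all
            case $ubits in *[sS]*) echo "$name: setuid ($mode, owner $owner)"; return 1 ;; esac
            case $gbits in *[sS]*) echo "$name: setgid ($mode, group $group)"; return 1 ;; esac
            return 0 ;;
        *)      return 0 ;;   # directories, symlinks etc. are out of scope here
    esac
}

# audit_listing reads "ls -l" lines on stdin, prints one line per violation
# and returns the number of violations (0 means the listing is clean).
audit_listing() {
    count=0
    while read -r line; do
        set -- $line
        case $1 in
            [-cbdlps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
            *) continue ;;     # "total N" and other non-entry lines
        esac
        name=${line##* }; name=${name%\*}    # last field; drop an "ls -F" marker
        policy_violation "$1" "$3" "$4" "$name" || count=$((count + 1))
    done
    return "$count"
}

# Constructed sample listing (not the one from the mail): two entries comply,
# the setgid tosha and the world-writable xpt0 do not.
sample_listing() {
    cat <<'EOF'
-rwxr-sr-x  1 bin   operator  21304 Feb 18 03:07 tosha
-rwxr-xr-x  1 bin   bin       21304 Feb 18 03:07 tosha.ok
crw-rw----  1 root  operator  31,  0 Feb 16 16:56 /dev/pass0
crw-rw-rw-  1 root  wheel    104,  0 Feb 16 16:56 /dev/xpt0
EOF
}

sample_listing | audit_listing || echo "$? violation(s) found"
```

Run it on real output with `ls -l /dev/pass* /dev/xpt* /usr/local/bin/tosha | sh audit.sh`-style piping, or source it and call `audit_listing` directly.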