From owner-freebsd-scsi Sun Feb 21 17:50:18 1999
Message-ID: <19990222024959.D12320@nacamar.net>
Date: Mon, 22 Feb 1999 02:49:59 +0100
From: "Karsten W. Rohrbach"
To: "Kenneth D. Merry"
Cc: dwmalone@maths.tcd.ie, r3cgm@cdrom.com, freebsd-scsi@FreeBSD.ORG
Subject: Re: Unusual CAM Error w/FreeBSD 3.1 (tosha)
Reply-To: rohrbach@nacamar.net
References: <19990219132746.A4754@nacamar.net> <199902191758.KAA03342@panzer.plutotech.com>
In-Reply-To: <199902191758.KAA03342@panzer.plutotech.com>; from Kenneth D. Merry on Fri, Feb 19, 1999 at 10:58:45AM -0700
X-Organisation: Nacamar Data Communications GmbH

so maybe someone is willing to "invent" a joe user safe system for
automagically chmoding this stuff kinda (okay please don't hurt me)
windows nt style ("fixing system permissions") in a way more transparent
way. it could serve as a kind of tripwire-lite for looking after suid/sgid
binaries, some kind of system security manager for the userland. this
would increase popularity in my opinion.

freebsd installation and everything gets easier and easier all the time,
but running system management is still limited to 'vi /etc/something'
which, imho, keeps freebsd on the second choice place for
internet-newbie-but-me-wants-no-windoze-server people ;-) if you look at
yast (suse linux) or the redhat tools, they are a nice attempt but not
really a choice for everyday use, so maybe the freebsd community comes up
with something better :)

/k

Kenneth D. Merry (ken@plutotech.com) @ Fri, Feb 19, 1999 at 10:58:45AM -0700:
> Karsten W. Rohrbach wrote...
> > definitely, but also some of the "hook-devs" in /dev like xpt? for example
> > should be root.operator and mode 660 or root.wheel or whatever. if there's no
> > standardization in the next time, a lot of audio/multimedia packages will
> > grow wild with suid executables where we won't need/want them i guess - and
> > there's no harder pain in the ass than defect hardware and suid binaries.
>
> The xpt and pass devices are owned by root.operator, just like disk
> devices.
>
> They are quite intentionally chmoded 600 by default. The reason for that
> is that you can use the pass device at least to reformat hard disks and
> things like that, so it should default to being very secure, and sysadmins
> can selectively reduce the security if they want.
>
> For my own machines, I chmod the xpt and pass devices 660, and put myself
> in the operator group. So I can use camcontrol, tosha, etc., without having
> to su or make the binaries setuid.
>
> I can sympathize with the desire to make things easier for Joe User to use
> the xpt/pass devices, but I would rather not compromise security to do it.
>
> As far as I know, none of the applications that currently use the xpt/pass
> devices are installed setuid. So access policies are determined by how the
> system administrator chmods the files in /dev.
>
> > David Malone (dwmalone@maths.tcd.ie) @ Fri, Feb 19, 1999 at 12:18:51PM +0000:
> > > > %ls -l tosha
> > > > -rwsr-xr-x 1 bin bin 21304 Feb 18 03:07 tosha
> > >
> > > Surely suid bin isn't going to be very useful to tosha?
> > > Shouldn't it be suid root or sgid operator or something?
> > >
>
> Argh!! I didn't see that! Christopher, that's your problem. The binary
> was setuid bin, but /dev/xpt* and /dev/pass* are owned by root. So setuid
> bin won't do you any good.
>
> Ken
> --
> Kenneth Merry
> ken@plutotech.com

--
"The path of excess leads to the tower of wisdom." -- W. Blake
http://www.nacamar.de - http://www.nacamar.net - http://www.webmonster.de
http://www.apache.de - http://www.quakeforum.de - finger rohrbach@nacamar.net
PGP Key fingerprint = F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
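The permission logic behind Ken's point (a setuid-bin tosha still cannot open a root:operator mode 600 pass device, while a user in the operator group can once the device is 660), worked through as an added example that is not code from the thread or from FreeBSD: it parses constructed `ls -l` lines (the tosha line mirrors the one quoted above; the /dev/pass entries, the user name joe and the mode of /dev/pass1 are assumptions) and applies the owner/group/other class selection open(2) uses.

```python
from dataclasses import dataclass

# Constructed `ls -l` output, not captured from a real system: tosha installed
# setuid bin; pass0 at the default root:operator 600, pass1 relaxed to 660.
SAMPLE_LS = """\
-rwsr-xr-x  1 bin   bin     21304 Feb 18 03:07 tosha
crw-------  1 root  operator   0,  1 Feb 18 03:07 /dev/pass0
crw-rw----  1 root  operator   0,  2 Feb 18 03:07 /dev/pass1
"""

@dataclass
class Entry:
    owner: str
    group: str
    perms: str  # the nine permission characters, e.g. "rwsr-xr-x"

    @property
    def setuid(self):
        return self.perms[2] in "sS"  # 's'/'S' in the owner x slot = setuid

def parse_ls(text):
    """Map each path in `ls -l` output to its owner, group and mode string."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        entries[f[-1]] = Entry(owner=f[2], group=f[3], perms=f[0][1:10])
    return entries

def can_open(entry, euid, groups, want="rw"):
    """open(2)-style check: root passes; otherwise exactly one class applies
    (owner if the uid matches, else group if any group matches, else other)
    and that class alone must grant every requested bit."""
    if euid == "root":
        return True
    cls = 0 if euid == entry.owner else 1 if entry.group in groups else 2
    granted = entry.perms[cls * 3:cls * 3 + 3]
    return all(granted[i] == b for i, b in enumerate("rw") if b in want)

def device_access(entries, binary, device, user, groups):
    """Identity the kernel sees when `user` runs `binary` (setuid replaces the
    effective uid, the supplementary groups stay the user's own) and whether
    that identity can open `device` read/write."""
    b, d = entries[binary], entries[device]
    euid = b.owner if b.setuid else user
    return euid, can_open(d, euid, groups)

def setuid_binaries(entries):
    """The tripwire-lite view: every listed entry carrying the setuid bit."""
    return sorted(p for p, e in entries.items() if e.setuid)
```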