From owner-freebsd-security Sat Sep 25 19: 0:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
	by hub.freebsd.org (Postfix) with ESMTP id E8D9914FE5
	for ; Sat, 25 Sep 1999 19:00:30 -0700 (PDT)
	(envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
	by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id WAA48170;
	Sat, 25 Sep 1999 22:03:23 -0400 (EDT)
	(envelope-from cjc)
From: "Crist J. Clark"
Message-Id: <199909260203.WAA48170@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: dump(8) Insecurity/Misconfiguration
In-Reply-To: <199909260034.RAA59356@apollo.backplane.com> from Matthew Dillon at "Sep 25, 1999 05:34:14 pm"
To: dillon@apollo.backplane.com (Matthew Dillon)
Date: Sat, 25 Sep 1999 22:03:23 -0400 (EDT)
Cc: freebsd-security@FreeBSD.ORG
Reply-To: cjclark@home.com
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Matthew Dillon wrote,

[snip helpful answers, thanks]

> :2) Will it break anything if I clear the group read bit on the disk
> :   devices?
>
>     If you never run dump or you only run it as root, you will not break
>     anything by removing the group read bit from the devices.

I am used to only doing it as root since the manpage says,

  "Dump cannot do remote backups without being run as root, due to its
   security history. This will be fixed in a later version of FreeBSD.
   Presently, it works if you set it setuid (like it used to be), but this
   might constitute a security risk."

And I often do dumps to tape drives that are not local.

> :3) dump(8) is setgid to group tty. Why?
>
>     This is so dump can write to the terminal of all users in group operator,
>     which is normally just root and the operator, when you use the -n option.

Hmmm... So if I am running as root anyway... And I don't use '-n'...
This setgid really is not giving me anything.

Thanks again for the helpful answers.
--
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
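
A way to check for the two permission bits this message discusses, setgid on the dump binary and group read on the disk devices, as an added example that is not part of the original message or of FreeBSD. The function names and the tab-separated report format are constructed for illustration, and the paths to audit are supplied by the caller.

```shell
#!/bin/sh
# Added example: report setgid and group-read bits on the paths given,
# together with the chmod that would clear each one.

# Succeeds if FILE carries the setgid bit (the "dump is setgid tty" case).
has_setgid() { [ -g "$1" ]; }

# Succeeds if FILE is readable by its group (the disk-device case).
# -perm -040 is understood by both BSD and GNU find.
group_readable() { [ -n "$(find "$1" -prune -perm -040 2>/dev/null)" ]; }

# Group owner, taken from the fourth field of ls -ld.
group_of() { ls -ld "$1" | awk '{ print $4 }'; }

# One line per finding: FINDING<TAB>GROUP<TAB>PATH<TAB>FIX
# (report format constructed for this example).
audit_path() {
    f=$1
    [ -e "$f" ] || { printf 'missing\t-\t%s\t-\n' "$f"; return 1; }
    g=$(group_of "$f")
    if has_setgid "$f"; then
        printf 'setgid\t%s\t%s\tchmod g-s %s\n' "$g" "$f" "$f"
    fi
    if group_readable "$f"; then
        printf 'group-read\t%s\t%s\tchmod g-r %s\n' "$g" "$f" "$f"
    fi
    return 0
}

# Number of findings of one kind (setgid, group-read, missing) across paths.
count_findings() {
    kind=$1; shift
    for p in "$@"; do audit_path "$p"; done |
        awk -F '\t' -v k="$kind" '$1 == k { n++ } END { print n + 0 }'
}

# Stand-alone use: audit every path named on the command line.
if [ "$#" -gt 0 ]; then
    for p in "$@"; do audit_path "$p"; done
fi
```

Run it with the dump binary and the disk device nodes as arguments; the fix column is only a suggestion and applies under the conditions given in the thread (dump run only as root, `-n` not used).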