Date: Sat, 14 Oct 1995 18:00:57 +1000
From: Bruce Evans <bde@zeta.org.au>
To: CVS-commiters@freefall.freebsd.org, bde@freefall.freebsd.org, cvs-sys@freefall.freebsd.org
Subject: Re: cvs commit: src/sys/i386/isa spigot.c
Message-ID: <199510140800.SAA06283@godzilla.zeta.org.au>

> Modified: sys/i386/isa spigot.c
> Log:
> Don't allow i/o operations for non-root users.

This change should probably be in 2.1. I'm not sure what the spigot driver and the encumbered libraries for it do, but they shouldn't be allowed to de-secure the rest of the system.

/dev/spigot is created with owner root.wheel and permissions 444. This was previously a security hole. Now it is probably just bogus since probably only root will be able to use the device. Perhaps the correct fix was to change /dev/spigot to owner root.kmem permissions 440. Then it would be as (in)secure as /dev/io.

Granting i/o permission is more dangerous than granting read-only permission for /dev/kmem, so there should be a separate group and stronger enforcement of kern.securelevel for it. /dev/mem should probably be in the same group, since reading device registers may cause output.

Bruce