Bugtraq mailing list archives
Re: solaris tape dev permission stupidity
From: Tobias.Kreidl () NAU EDU (Tobias J. Kreidl)
Date: Fri, 23 Oct 1998 11:24:10 -0700
Darren J Moffat wrote:
> Instead of guessing shall I tell you the correct fix!
>
> The correct and recommended fix is to run bsmconv to turn on device allocation. This sets all of the device files for removable media devices such as tapes to 0000. A user who then wants to use a tape should then:
>
>     allocate st0
>     insert tape into drive
>     tar/ufs*/cpio/dd whatever
>     remove tape from drive
>     deallocate st0
>
> The same applies to audio and cd devices, though the audio devices are better dealt with using /etc/logindevperm.
>
> If you are concerned about security on Solaris you should always run bsmconv to turn on auditing and device allocation and run ASET to ensure other perms etc are sorted out. I would recommend running
>
>     /usr/aset/aset -l high -p
Another alternative for those who want to severely restrict access to *any* tape drive is to chmod the directory of the device, and chgrp it accordingly to permit access to only a restricted number of users. As an example, a startup script in /etc/init.d might contain the following to deal with a DLT:

    if [ -d /devices/pci@6,4000/pci@4/SUNW,isptwo@4 ]
    then
        # tape drive (DLT), PCI slot #1, unit 4
        /usr/bin/chmod 750 /devices/pci@6,4000/pci@4/SUNW,isptwo@4
        /usr/bin/chgrp tapedev /devices/pci@6,4000/pci@4/SUNW,isptwo@4
    fi

and just add your list of allowed users to the "tapedev" group in the /etc/group file. Of course, one could still use the allocate/deallocate functions from the bsmconv/C2 package in addition to this.

--
Tobias J. Kreidl
Northern Arizona University / Information Technology Services
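An added example, not part of the original post: a POSIX shell check that a device directory still carries the directory-level restriction described in the message above (no access for "other", group ownership as expected), and that lists nodes underneath which depend on it. The function name check_tape_dir and its output labels are hypothetical; the directory and group are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the original post): audit the directory-level
# restriction on a tape device directory. check_tape_dir is a hypothetical name.

# check_tape_dir DIR GROUP
#   returns 0 if DIR is group-owned by GROUP and grants nothing to "other",
#   1 if the settings have drifted, 2 if DIR does not exist.
check_tape_dir() {
    dir=$1
    want_group=$2
    rc=0

    if [ ! -d "$dir" ]; then
        echo "SKIP  $dir: not present"
        return 2
    fi

    # ls -ld fields: mode links owner group ... (no GNU stat required)
    set -f
    set -- $(ls -ld "$dir")
    set +f
    mode=$1
    group=$4

    # Characters 8-10 of the mode string are the "other" bits; a trailing
    # '+' or '.' (ACL or label marker) is accepted by the final '*'.
    case $mode in
        ???????---*) ;;
        *) echo "FAIL  $dir: mode $mode grants access to other"; rc=1 ;;
    esac

    if [ "$group" != "$want_group" ]; then
        echo "FAIL  $dir: group is $group, expected $want_group"
        rc=1
    fi

    # World-accessible nodes below DIR are protected only by DIR's own
    # permissions; list them so that dependency is visible to the auditor.
    find "$dir" ! -type d \( -perm -004 -o -perm -002 \) -print 2>/dev/null |
        while IFS= read -r node; do
            echo "NOTE  $node: world-accessible, protected only by $dir"
        done

    if [ "$rc" -eq 0 ]; then echo "OK    $dir"; fi
    return "$rc"
}
```

Run it as root after boot, for example `check_tape_dir /devices/pci@6,4000/pci@4/SUNW,isptwo@4 tapedev`, since the chmod/chgrp in the startup script only holds until something resets the directory.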