Re: PATCH: cdrecord: avoiding scsi device numbering for ide devices

[David Greaves]

Marc Ballarin wrote:

> On Sat, 21 Aug 2004 07:58:03 +0100
> David Greaves <david@xxxxxxxxxxxx> wrote:
>
>  
>
> > Can someone explain why it isn't anyone with _write_ access to the
> > device? Surely it's better to drop a user into a group or setgid a
> > program?
> >
> > If I have write access to a device then I can wipe it's media anyway.
> > Is there something I'm missing?
> >
> >    
>
> With RAW_IO access you cannot only wipe the media, but the entire
> firmware (not only wipe it, but also upload a malicious version that will
> screw up the entire SCSI or IDE bus).
>
> Andreas Messer and I are working on an improved filter that works per
> device and is configurable from userspace. It's not easy though.
>  
Thanks - I get that :)

The 'write' point is that from a data perspective you've already lost 
your data (which is the most valuable thing from a security perspective).
I agree it's nice to give people write access to hardware and not let 
them melt it permanently. However, if the semantics don't allow 'safe' 
writing then prevent all user writing and use setgid for safe programs 
(which is essentially what you are doing anyway) to allow users to write.

So, the real point: principle of least privilege.
Why root? why not set[gu]id cdwriters?

David
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/