[8259] in bugtraq
Re: solaris tape dev permission stupidity
daemon@ATHENA.MIT.EDU (Darren J Moffat - Enterprise Servi)
Fri Oct 23 17:18:05 1998
Date: Thu, 22 Oct 1998 09:17:57 +0100
Reply-To: Darren J Moffat - Enterprise Services OS Product Support Group <darren.moffat@UK.Sun.COM>
From: Darren J Moffat - Enterprise Services OS Product Support Group <darren.moffat@UK.SUN.COM>
X-To: jg@FALSE.NET
To: BUGTRAQ@NETSPACE.ORG
>under solaris, scsi tape devices (/dev/rmt/*, which are linked to the st@x,x:
>devs in /devices) are created with the permissions bits set to 666. this allows
>a malicious user with a login on your system to 'mt erase' the contents of any
>tape devices connected to your system.
>
>solution:
>
>this is a tough one. i'll let you figure it out yourself.
Instead of guessing, shall I tell you the correct fix!
The correct and recommended fix is to run bsmconv to turn on device
allocation. This sets all of the device files for removable media devices
such as tapes to 0000. A user who then wants to use a tape should:
allocate st0
insert tape into drive
tar/ufs*/cpio/dd whatever
remove tape from drive
deallocate st0
The same applies to audio and cd devices, though the audio devices
are better dealt with using /etc/logindevperm.
If you are concerned about security on Solaris you should always
run bsmconv to turn on auditing and device allocation and run ASET
to ensure other perms etc are sorted out. I would recommend running
/usr/aset/aset -l high -p
--
Darren J Moffat
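The following is an added example, not code from the original post, from Sun or from any Solaris tool. It is a portable check for the problem the thread describes (tape device nodes whose mode lets "other" read or write them) plus the permission change that bsmconv's device allocation makes (mode 0000). It does not invoke bsmconv, allocate or deallocate; the demo directory it builds is a constructed stand-in for /dev/rmt using regular files, because mknod needs root.

```shell
#!/bin/sh
# Added example, not part of the original post or of Solaris.
# Reports entries under a device directory that are readable or writable
# by "other" (the 0666 default for /dev/rmt/* discussed above), and
# optionally clears their mode to 0000, which is the state bsmconv's
# device allocation leaves allocatable devices in.

# find_world_accessible DIR
# Print every regular file or device node under DIR whose mode grants
# read or write to "other"; return 1 if any were found, 0 otherwise.
find_world_accessible() {
    hits=$(find "$1" \( -type f -o -type c -o -type b \) \
                     \( -perm -004 -o -perm -002 \) -print 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# harden_world_accessible DIR
# Clear all permission bits on the entries find_world_accessible would
# report, mirroring what bsmconv does to allocatable devices. After this,
# the device is only usable through allocate/deallocate (or by root).
harden_world_accessible() {
    find "$1" \( -type f -o -type c -o -type b \) \
              \( -perm -004 -o -perm -002 \) -exec chmod 000 {} \;
}

# make_demo_dir
# Constructed stand-in for /dev/rmt: regular files named like Solaris
# tape device nodes (mknod needs root). Prints the directory path.
make_demo_dir() {
    d=$(mktemp -d)
    : > "$d/0cbn"; chmod 666 "$d/0cbn"   # default Solaris mode, the bug
    : > "$d/0";    chmod 600 "$d/0"      # owner only, not reported
    : > "$d/1";    chmod 000 "$d/1"      # post-bsmconv mode, not reported
    printf '%s\n' "$d"
}

# Stand-alone demo: report, harden, re-check.
demo_dir=$(make_demo_dir)
echo "Before hardening:"
find_world_accessible "$demo_dir" || echo "(world-accessible entries found)"
harden_world_accessible "$demo_dir"
echo "After hardening:"
find_world_accessible "$demo_dir" && echo "(none)"
rm -rf "$demo_dir"
```

On a real Solaris host you would point find_world_accessible at /dev/rmt (following the links into /devices) rather than at the demo directory; the hardening step is what bsmconv already does, so run it only if you are also setting up allocate/deallocate, otherwise nobody but root can use the drive.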