[8279] in bugtraq
Re: solaris tape dev permission stupidity
daemon@ATHENA.MIT.EDU (Tobias J. Kreidl)
Fri Oct 23 23:45:06 1998
Date: Fri, 23 Oct 1998 11:24:10 -0700
Reply-To: "Tobias J. Kreidl" <tjk@jan.ucc.nau.edu>
From: "Tobias J. Kreidl" <Tobias.Kreidl@NAU.EDU>
To: BUGTRAQ@NETSPACE.ORG
Darren J Moffat wrote:
>
> Instead of guessing shall I tell you the correct fix!
>
> The correct and recommended fix is to run bsmconv to turn on device
> allocation. This sets all of the device files for removable media devices
> such as tapes to 0000. A user who then wants to use a tape should then:
>
> allocate st0
> insert tape into drive
> tar/ufs*/cpio/dd whatever
> remove tape from drive
> deallocate st0
>
> The same applies to audio and cd devices, though the audio devices
> are better dealt with using /etc/logindevperm.
>
>
> If you are concerned about security on Solaris you should always
> run bsmconv to turn on auditing and device allocation and run ASET
> to ensure other perms etc are sorted out. I would recommend running
> /usr/aset/aset -l high -p
>
Another alternative for those who want to severely restrict
access to *any* tape drive is to chmod the directory
of the device, and chgrp it accordingly to permit access to only
a restricted number of users. As an example, a startup script
in /etc/init.d might contain the following to deal with a DLT:
    # Only act if the controller directory for this drive exists on the host
    if [ -d /devices/pci@6,4000/pci@4/SUNW,isptwo@4 ]
    then
        # tape drive (DLT), PCI slot #1, unit 4:
        # owner rwx, group rx, no access for others, then hand it to "tapedev"
        /usr/bin/chmod 750 /devices/pci@6,4000/pci@4/SUNW,isptwo@4
        /usr/bin/chgrp tapedev /devices/pci@6,4000/pci@4/SUNW,isptwo@4
    fi
and just add your list of allowed users to the "tapedev" group in
the /etc/group file. Of course, one could still use the allocate/deallocate
functions from the bsmconv/C2 package in addition to this.
-- Tobias J. Kreidl
Northern Arizona University / Information Technology Services
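The directory-permission approach from the post above, as an added example that is not part of the original message: a POSIX sh script that applies the chmod 750 / chgrp restriction to a device directory, verifies the result, and reports any path that still grants read or write access to "other". The /devices path and the "tapedev" group name are taken from the post; the function names and the verification logic are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): restrict a tape device
# directory to one group and check that the restriction took effect.

# Print the 10-character mode string of a path, e.g. "drwxr-x---".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Print the owning group of a path (4th field of `ls -ld`).
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# Restrict DIR ($1) to owner rwx and GROUP ($2) rx, nothing for others
# (mode 750), then hand the directory to GROUP.  Returns non-zero if the
# directory is missing or either command fails.
restrict_device_dir() {
    [ -d "$1" ] || return 1
    chmod 750 "$1" || return 1
    chgrp "$2" "$1" || return 1
}

# Verify the restriction on DIR ($1): the mode must be exactly drwxr-x---
# and the group must be GROUP ($2).  Returns 0 if compliant, 1 otherwise.
verify_device_dir() {
    [ "$(mode_of "$1")" = "drwxr-x---" ] || return 1
    [ "$(group_of "$1")" = "$2" ] || return 1
}

# Audit check: report every existing path in the argument list whose
# world (other) read or write bit is set.  Returns 1 if any was found.
world_accessible() {
    rc=0
    for p in "$@"; do
        [ -e "$p" ] || continue
        other=$(mode_of "$p" | cut -c8-9)   # world r and w bits
        case $other in
            --) ;;
            *) echo "world-accessible: $p ($(mode_of "$p"))"; rc=1 ;;
        esac
    done
    return $rc
}

# The post's startup-script case: the DLT controller directory, guarded
# so the script is a no-op on hosts that do not have that device.
if [ -d /devices/pci@6,4000/pci@4/SUNW,isptwo@4 ]; then
    restrict_device_dir /devices/pci@6,4000/pci@4/SUNW,isptwo@4 tapedev
    verify_device_dir /devices/pci@6,4000/pci@4/SUNW,isptwo@4 tapedev \
        || echo "WARNING: tape device directory is not restricted" >&2
fi
```

The verify step matters because chmod and chgrp can each fail silently in an init script (a missing group, for instance), and a startup script that thinks it restricted the drive but did not is worse than none. The world_accessible check can be run from cron over every tape device directory to catch permissions that drift back, for example after a reconfiguration boot.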