Ben Collins wrote:
> On Mon, Nov 16, 1998 at 04:30:02PM -0500, Peter S Galbraith wrote:
> > If we simply put users in group `disk',
> > this creates a security hole since they will have read-access to raw scsi
> > disks other than the zip and jaz disk.
>
> And having it suid root _doesn't_ give them even more access to read raw
> scsi devices as well as just about anything else on the system? I'm not
> sure about you, but I wouldn't want a fairly newly developed program to be
> suid on my system.
To be fair, jazip has existed (and has been used extensively) for _years_
now, so it's not new (only new to Debian).

> I think group disk was implemented for just this type of situation, and
> would work fine based on your description. Also it would not allow them
> access to disks which aren't jaz since you already said that it implements
> some sort of check for this.

Yes, jazip does check this. But if we add a user to the disk group, that
user gets read access to raw disk devices _outside_ of jazip, right? If we
don't do that, and leave jazip suid root to do its own security, then users
neither need nor get read-access to all raw disk devices (from which, I
assume, they could `dd' the contents over to a file and read files they
don't otherwise have access to).

Unless I'm missing something, I think that adding users to group disk is
bad. I think trusting jazip to be secure is a better solution. However, the
most secure thing to do would be to:

 - create a new `jazip' group.
 - put selected users in that group to use jazip.
 - change the group ID of the zip or jaz raw scsi device to `jazip' and
   make it group `rw'.

This way, users do _not_ get read access to all raw disk devices. Unless we
are willing to do this, I think I should leave jazip suid-root.

> Plus if they are sitting in front of the
> system (which they need to be to use a zip drive) they have 'extended'
> access anyway,

True...

> why add another suid binary that isn't necessary?

Because adding users to the `disk' group is worse security. Or am I missing
something?

BTW, the jazip author is very open to discussing this. He is very security
conscious, has thought a lot about this, and has not received a suid-exploit
bug report since releasing this software.

Thanks for your interest, opinions and advice. (Do I get final say as
package maintainer? Or do suid-root binaries require special permissions
from Debian guru developers?)
-- 
Peter Galbraith, research scientist <[EMAIL PROTECTED]>
Maurice Lamontagne Institute, Department of Fisheries and Oceans Canada
P.O. Box 1000, Mont-Joli Qc, G5H 3Z4 Canada. 418-775-0852 FAX: 775-0546
6623'rd GNU/Linux user at the Counter - http://counter.li.org/
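The permission argument in the mail above (group `disk' versus a dedicated `jazip' group), as an added example that is not part of the thread or of the jazip package: a POSIX shell script that performs the three setup steps Peter lists and then evaluates ordinary Unix owner/group/other permission bits to show which raw device nodes a user can read under each policy. The group name jazip, the device nodes /dev/sdb (the Jaz drive) and /dev/sda (some other SCSI disk, assumed to be mode 0660 root:disk), the user name alice, and the use of GNU `stat -c' and shadow-utils `groupadd'/`usermod' are assumptions, not from the original.

```shell
#!/bin/sh
# Added example for the jazip permissions discussion; not code from the
# thread or from jazip. Assumed names: group "jazip", device /dev/sdb for
# the Jaz drive, /dev/sda for an unrelated SCSI disk (0660 root:disk),
# user "alice". Only function definitions run at load time.

JAZIP_GROUP=${JAZIP_GROUP:-jazip}
JAZIP_DEV=${JAZIP_DEV:-/dev/sdb}

# Root-only setup implementing the "new jazip group" option from the mail.
# Assumes shadow-utils groupadd/usermod. Invoked only via "setup user...".
setup_jazip_group() {
    groupadd "$JAZIP_GROUP" 2>/dev/null || true   # tolerate "already exists"
    for u in "$@"; do
        usermod -a -G "$JAZIP_GROUP" "$u"          # selected users only
    done
    chgrp "$JAZIP_GROUP" "$JAZIP_DEV"              # node owned by jazip group
    chmod 0660 "$JAZIP_DEV"                        # rw for root and jazip, nothing for others
}

# True when an octal permission digit (0-7) has the read bit (4) set.
has_read() { case "$1" in 4|5|6|7) return 0 ;; *) return 1 ;; esac; }

# in_list NEEDLE "a b c": true when NEEDLE is one of the words.
in_list() {
    for g in $2; do [ "$g" = "$1" ] && return 0; done
    return 1
}

# Plain Unix DAC: can USER read a node with MODE (octal, as from stat %a),
# OWNER and GROUP, given the user's supplementary groups UGROUPS (as from
# "id -nG")? The permission class is chosen exclusively: owner, else group,
# else other, which is exactly why group membership is decisive here.
can_read() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5
    [ "$user" = root ] && return 0
    mode=${mode#"${mode%???}"}               # keep the last three octal digits
    if [ "$user" = "$owner" ]; then
        has_read "${mode%??}"                # owner digit
    elif in_list "$group" "$ugroups"; then
        t=${mode#?}; has_read "${t%?}"       # group digit
    else
        has_read "${mode#??}"                # other digit
    fi
}

# Compare the two policies for alice, who only needs the Jaz drive.
# Jaz node: 0660 root:jazip. Other SCSI disk: 0660 root:disk (assumed).
policy_report() {
    ugroups=$1
    jaz=$(can_read 660 root "$JAZIP_GROUP" alice "$ugroups" && echo yes || echo no)
    other=$(can_read 660 root disk alice "$ugroups" && echo yes || echo no)
    echo "jaz=$jaz other_disk=$other"
}

# Live audit on a real system (assumes GNU stat): exit 0 if USER can read DEV.
audit_node() {
    dev=$1 user=$2
    set -- $(stat -c '%a %U %G' "$dev")
    can_read "$1" "$2" "$3" "$user" "$(id -nG "$user")"
}

case "${1-}" in
    setup)  shift; setup_jazip_group "$@" ;;
    report) policy_report "${2-users disk}" ;;
    audit)  audit_node "$2" "$3" ;;
esac
```

Running `sh jazip-perms.sh report 'users disk'` reports that alice can read the unrelated disk but not the Jaz node, while `report 'users jazip'` gives the reverse; that is the asymmetry the mail argues from. `audit_node /dev/sda alice` answers the same question for real nodes and is the check to run after the setup, or after a udev/MAKEDEV change resets device ownership.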