On Mon, 2002-12-09 at 16:51, Pigeon wrote:
> On Mon, Dec 09, 2002 at 04:13:50AM +0100, Carel Fellinger wrote:
> > On Mon, Dec 09, 2002 at 12:20:38AM +0000, Chris Owen wrote:
> > > Haralambos Geortgilakis wrote:
> > ...
> > > Try running (as root)
> > > chmod ugo+rwx /dev/cdrom
> >
> > I think it's ill advice, not worthy of this list --sorry for the rant,
> > it's not personal, it's just that you're not the first to give such
> > nonsensical advice, it seems that it's even a favourite one lately:(--
> > , to advise people to mess with those flags where the proper way is to
> > add users to specific groups. In this case the cdrom group. And
> > whilst the OP is at it, he might as well check he's in the audio group
> > too.
>
> Re groups: he did...
>
> Why is this advice nonsensical, though? As you say, several people
> have given it recently. Rather fewer people have responded, as you did,
> saying it's a bad idea. Nobody has explained WHY it's a bad idea. What
> harm does it do if the world and his dog can read my CD-ROM?
>
> Pigeon

I remember a couple decades ago how there were more than a few *backdoors* in the Unix code to allow system configuration and access for programmers/administrators that knew about them and needed to make special tweaks. They were holes that were acknowledged early on as the first target if Unix were to be firmed up to be commercially viable, particularly for business and government environments. Part of that firming was putting everything under group and user security, and only advancing security access when absolutely necessary.

This is the theory involving switching ownership/access to devices. If you need access to something for justifiable reasons, you get added to the group that uses it. If not, you aren't in that group.

I allow outside access to a few people for my system - a couple use it for email, and one for a personal website for her relatives a third of the way around the world to see pictures of her kids and for those relatives to log in and leave messages for the kids. None of these users have a need to muddle around on my cdrom or cd-burner, or send audio to my sound card. Moreover, they don't need to access my spare hard drive that I'm currently using to reduce space pressure while organising what I can move offline of some reports. Moreover, if someone does hack my system as an account other than root, I can have substantive areas inaccessible through hardened permissions.

Mind you, I would love to have ACLs with an eye on tools and configurations such as disallowing access to /sbin and /usr/sbin from locations outside my server site, and not permit any other than selected users (eg. myself) to see what is under /dev, given I use devfs, which indicates *just what* is installed. Those with permissions to use this or that device could still do that, but the risk of them getting through to say, overwrite a floppy that might be sitting in a drive (shouldn't happen, unless the permissions for the device got buggered about) would be substantively reduced.

Permissions are there for a reason, and weakening something so that you can get around a protection in the security system to use something because you don't know the way to reasonably access that item securely opens you up to the sort of damage that Windows users come to expect when they are infected with a virus.

-- 
Mark L. Kahnt, FLMI/M, ALHC, HIA, AIAA, ACS, MHP
ML Kahnt New Markets Consulting
Tel: (613) 531-8684 / (613) 539-0935
Email: [EMAIL PROTECTED]
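
Added example, not part of the original message: a small audit for the situation discussed in this thread, listing device nodes under /dev that are open to "other" (as `chmod ugo+rwx /dev/cdrom` would leave one) and naming the owning group to add users to instead. The function names and the allowlist of nodes that are world-accessible by design are assumptions made for this example.

```python
import grp
import os
import stat

# Nodes that are world-accessible by design on a typical Linux system
# (assumed allowlist for this example; adjust for the local machine).
EXPECTED_WORLD = {"null", "zero", "full", "random", "urandom", "tty", "ptmx"}


def world_bits(mode):
    """Return the 'other' permission bits as a string such as 'rw-'."""
    return "".join(
        ch if mode & bit else "-"
        for ch, bit in (("r", stat.S_IROTH), ("w", stat.S_IWOTH), ("x", stat.S_IXOTH))
    )


def check_node(name, mode, group):
    """Return a finding for a device node open to 'other', else None."""
    if not (stat.S_ISBLK(mode) or stat.S_ISCHR(mode)):
        return None  # not a device node (regular file, symlink, ...)
    if name in EXPECTED_WORLD or not mode & stat.S_IRWXO:
        return None  # allowlisted, or already closed to 'other'
    return (f"{name}: other={world_bits(mode)}; restrict with 'chmod o-rwx' "
            f"and add users who need it to group '{group}'")


def scan(root="/dev"):
    """Walk root without following symlinks and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # node vanished or is unreadable
            try:
                group = grp.getgrgid(st.st_gid).gr_name
            except KeyError:
                group = str(st.st_gid)  # gid with no group entry
            finding = check_node(os.path.relpath(path, root), st.st_mode, group)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    print("\n".join(scan()))
```

Symlinks such as /dev/cdrom are skipped on purpose; the node they point to is what carries the permissions and is reported under its own name.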