devfs

Re: Default: unsecure

To: devfs@xxxxxxxxxxx
Subject: Re: Default: unsecure
From: Robert Siemer <Robert.Siemer@xxxxxx>
Date: Thu, 20 Sep 2001 18:47:15 +0200
In-reply-to: <200109201531.f8KFVbP02796@xxxxxxxxxxxxxxxxxxxxxxxx>
References: <20010920170320N.siemer@xxxxxxxxxxxxxxxxxx> <200109201531.f8KFVbP02796@xxxxxxxxxxxxxxxxxxxxxxxx>
Sender: owner-devfs@xxxxxxxxxxx
From: Richard Gooch <rgooch@xxxxxxxxxxxxxxx>
> Robert Siemer writes:

> > Is there any reason to leave the default permissions so unrestrictive?
> > E.g. line printer and SCSI tape are world read-/writeable by default!
> 
> Of course. Convenience.
> 
> > Here you need to change them anyway, so it would be very reasonable
> > to start with root.root 600.
> 
> What do you mean "here you need to change them anyway"?

Okay, in an insecure scenario you don't need to change permissions...
(-:

> > Okay, it's not the fault of devfs core, but why are drivers
> > registering their nodes this way?
> 
> Convenience. Is there a real problem with the relaxed default? On
> most Unix systems I've used, the tape devices are rw-rw-rw-.

Most Unix systems I've used had root exploits which you can get from
securityfocus.com. (-:  That's not the point.

I think you know pam_console. In my opinion the idea behind
pam_console is very powerful and needed. The distinction between net
users and local users is a must on a standard workstation as devices
like sound, video, removable media (especially writable ones) need
protection from net users. Otherwise local users can't use these
without possible interference from net users who can log in at the same
time.

When no distinction is made (kernel treats net users the same as local
users) you have to choose a strict default to get a secure
environment.

On a one user machine: log in as root... [-:


> The sysadmin does not want to be bothered by user requests "can you
> please give me access to the tape drive so I can back up my data?".

Backup should be the task of the admin! And here we go: on
panorama.hadiko.de I put all backups (system and homes) on
tape. There are no local users except for me. Most of the users
(including me) want to have a backup on the safe side while the tape
is in the drive!

To make a system insecure is an easy task. I can help the instance
"sysadmin" here: 
$ chmod -R go+rw /dev

Why should I and all the other "real" sysadmins be _bothered_ by
insecure defaults? It's already hard enough to double check every step
to _stay_ in a secure system...


Further I've never seen a user backing up their data... <-:


The same is true for the printer: as I don't get paper for free nobody
should circumvent my printer policy by using the device directly.



Regards,
                Robert
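The "double check every step" point above can be automated. The following is an added example, not code from the thread or from devfs: a POSIX sh audit that lists device nodes under a directory whose mode grants group or other read/write access, skipping an assumed allow list of nodes that every process legitimately needs (/dev/null, /dev/tty and friends, so a blanket chmod 600 does not break the system). The `f` kind argument exists only so the function can be exercised on regular files without root.

```shell
#!/bin/sh
# audit_dev: report device nodes whose permissions let group/other read or write.
# Assumed allow list: nodes that must stay world-accessible; extend as needed.
ALLOW_WORLD_ACCESS="null zero full random urandom tty ptmx"

# is_allowed NAME: true when NAME is on the allow list.
is_allowed() {
    for a in $ALLOW_WORLD_ACCESS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# audit_dev DIR [KIND]: KIND "dev" (default) inspects char/block nodes,
# any other value is passed to find -type (e.g. "f" for a self-test tree).
# Prints "path mode -> chmod 600" for each offending node.
# Returns 0 when nothing is found, 1 otherwise.
audit_dev() {
    dir=$1
    kind=${2:-dev}
    if [ "$kind" = dev ]; then
        set -- '(' -type c -o -type b ')'
    else
        set -- -type "$kind"
    fi
    found=0
    for p in $(find "$dir" "$@" 2>/dev/null); do
        name=${p##*/}
        is_allowed "$name" && continue
        mode=$(ls -ld "$p" | cut -c1-10)    # e.g. crw-rw-rw-
        case $(printf '%s' "$mode" | cut -c5-10) in   # group + other fields
            *[rw]*) echo "$p $mode -> chmod 600"; found=1 ;;
        esac
    done
    return $found
}

# Normal use (needs no root to read modes): audit_dev /dev
```

Run it as `audit_dev /dev`; a non-zero exit means at least one node outside the allow list is group- or world-accessible.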
