On Thu, 16 Sep 2004, Jason T. Miller wrote:
I presume at least some supported OSes provide the ability to assign
permissions to SCSI passthrough on a per-SCSI device basis, so his
statement to
Never give write permissions for non root users to the
/dev/scg? devices unless you would allow anybody to read/write/format
all your disks.
is a bit misleading. It's certainly true if you interpret /dev/scg? as a
shell wildcard, but why can't I give permissions for non-root users to the
writable optical devices only, instead of "all [my] disks"?
At this point trusting the kernel to enforce different permissions
on different scsi devices is probably better than trusting cdrecord,
but your suggestion is (only) as good as the kernel's ability to
sanitize scsi requests. If I can send a SCSI request down the SCSI
bus I have the opportunity to exploit any hole in that subsystem.
I belive at one time the kernel wasn't trusted to stop a malicious
user from generating a SCSI request which was received by a different
device than the one the kernel was told was the target.
Since most CD writers are ide-scsi, the scsi permissions enforcer
needs to sanitize requests as they will appear once translated into IDE
requests, making the problem harder still.
As I say this may well be less of a problem than trusting cdrecord,
but if I were the author of cdrecord but not the kernel I wouldn't
guarantee the safety of the kernel on this (although I might not
declare it unsafe).
--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
A.C.Aitchison@dpmms.cam.ac.uk http://www.dpmms.cam.ac.uk/~werdna
