
List:       kde-core-devel
Subject:    Re: security vs. usability
From:       Jason Stephenson <panda () mis ! net>
Date:       2001-02-07 3:50:22

On Tuesday 06 February 2001 03:44, Alex Zepeda wrote:
> On Mon, Feb 05, 2001 at 09:33:08PM -0500, Jason Stephenson wrote:
> > Before you ban all suid applications in the KDE libs, know that there is
> > one application that absolutely must run set uid root or in a root shell.
> > The app in question is nostraburnit. Nostraburnit calls cdrecord which
> > *must* run as root in order to do what it does with the SCSI bus. If I'm
> > not mistaken, it even has to be run with the user being root, and not
> > just as a suid.
>
> So, you couldn't change the permissions on the target device node?
>
> - alex

Alex,

Do you burn CDs with cdrecord? It's not enough to change permissions on the 
device. cdrecord MUST run AS ROOT in order to do what it does to the SCSI 
bus, not just according to me, but according to its documentation. If you run 
it as another user, regardless of permission on the device, it tells you that 
you have to run as root for it to work properly. Behold:

jason@casanova:~$ ls -l /dev/scd0
brwxrwxrwx   1 root     disk      11,   0 Jul 18  1994 /dev/scd0
jason@casanova:~$ cdrecord -scanbus
Cdrecord 1.8.1 (i686-pc-linux-gnu) Copyright (C) 1995-2000 Jörg Schilling
cdrecord: Permission denied. Cannot open '/dev/sg0'. Cannot open SCSI driver.
cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are 
root.
jason@casanova:~$ su
Password:
root@casanova:/home/jason$ cdrecord -scanbus
Cdrecord 1.8.1 (i686-pc-linux-gnu) Copyright (C) 1995-2000 Jörg Schilling
Using libscg version 'schily-0.1'
scsibus0:
        0,0,0     0) 'PLEXTOR ' 'CD-R   PX-W1210A' '1.07' Removable CD-ROM
        0,1,0     1) *
        0,2,0     2) *
        0,3,0     3) *
        0,4,0     4) *
        0,5,0     5) *
        0,6,0     6) *
        0,7,0     7) *
root@casanova:/home/jason$
      
Change permissions on /dev/sg0 and you're told you can't open /dev/sg1 and so 
on.

Even if changing permissions on all the devices would work, then I'd have to 
include instructions with nostraburnit to tell the user how to do that on 
every OS that nostraburnit gets compiled on. It's far easier just to tell them 
to run it as root.

Besides, having the permissions changed on all the devices is no better than 
running nostraburnit as root, then, is it? In fact it's worse, 'cause now any 
user can walk all over your devices and your SCSI bus. With nostraburnit 
running as root, you only have a vulnerability in that one application, not 
on your whole system!

I am personally adding the CD burning code to nostraburnit, so I can 
personally vouch for its "security." :-)

I understand all the paranoia about running things as root. I do this stuff 
for a living. I just think some of you are going a little far by not allowing 
suid apps. I mean if you really want to be paranoid about security, then you 
don't install binary software. You compile everything from source after 
scanning every line of code for any dubious operations. 

I know this particular reply is more specific than some of the general 
discussion in this thread. I still stand by my statement that there are times 
when suid applications are the best way to go. In most cases, I'd rather run 
one or two apps as root than have all the devices on my system open to 
tampering by regular users.

Cheers,
Jason
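Added example, not part of the thread above: a small audit that flags the trade-off Jason describes, device nodes whose "other" permission bits let any local user read or write them. The listing it parses is constructed in `ls -l` form, modelled on the one in the message, and is the only assumed input.

```shell
#!/bin/sh
# Added example (not from the mailing-list message): report block/char device
# nodes whose mode grants read or write to every user, i.e. the situation the
# reply warns about when /dev/sg* permissions are loosened system-wide instead
# of keeping one trusted tool running as root.

# Constructed sample listing, modelled on the message's `ls -l` output.
# On a real host, substitute the output of: ls -l /dev/sg* /dev/scd*
SAMPLE_LISTING='brwxrwxrwx   1 root     disk      11,   0 Jul 18  1994 /dev/scd0
crw-rw----   1 root     disk      21,   0 Jul 18  1994 /dev/sg0
crw-rw-rw-   1 root     disk      21,   1 Jul 18  1994 /dev/sg1'

# world_open_devices LISTING
# Prints "<mode> <path>" for each device node readable or writable by "other".
world_open_devices() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        mode=$(printf '%s' "$line" | cut -c1-10)
        # Only block (b) and character (c) device nodes are of interest.
        case "$mode" in
            b*|c*) ;;
            *) continue ;;
        esac
        # Characters 8-10 are the permission bits for everyone else.
        other=$(printf '%s' "$mode" | cut -c8-10)
        case "$other" in
            *r*|*w*)
                path=${line##* }
                printf '%s %s\n' "$mode" "$path" ;;
        esac
    done
}

# count_world_open LISTING
# Returns the number of flagged nodes, for use in scripts or checks.
count_world_open() {
    world_open_devices "$1" | wc -l | tr -d ' '
}
```

In the sample, /dev/scd0 and /dev/sg1 are flagged while the group-only /dev/sg0 is not.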
