(was: Re: PATCH: cdrecord: avoiding scsi device numbering for ide devices)
From: John Myers
Date: Tue Aug 31 2004 - 17:31:48 EST
Christer Weinigel wrote:
> Pascal Schmidt <der.eremit@xxxxxxxx> writes:
> > [...] if I have write permission to a CD burner, being able to
> > burn a coaster by issuing strange commands is something I expect.
> > Being able to destroy the firmware of the drive is not something I
> > expect a normal user to be able to do.
> There are at least three conflicting goals here:
> 1. Only someone with CAP_SYS_RAWIO (i.e. root) should be able to do
> possible destructive things to a device, and only root should be
> able to bypass the normal security checks in the kernel (e.g. get
> access to /dev/mem since access to it means that you can read and
> modify internal kernel structures).
> 2. A Linux system should have as few suid root binaries as possible.
> 3. A normal user should be able to perform most tasks without needing
> root.
I hope this is not a stupid idea:
I propose a finer-grained approach to suid-root binaries. Perhaps,
instead of having a single flag giving the binary all the rights and
responsibilities of its owner, there could be a table/list/something of
capabilities which we want to grant to the binary. This, of course,
would be a privileged operation (perhaps a new capability?).
For example, we might want to grant cdrecord CAP_SYS_RAWIO. This way, we
don't have to worry about cdrecord running as root and not dropping all
the capabilities it doesn't need, by accident or by malice.
Further, and I realize that this would probably require major
restructuring, perhaps there could be another field: for each capability
we want to grant, a method to specify _where_ the binary can use that
capability.
To extend the previous example: we might want to give cdrecord
CAP_SYS_RAWIO just on, say, /dev/burner0 and /dev/burner1, but not
/dev/hda. That way, some typo won't have us trying to burn CDs with our
hard disks.
Again, I hope it's not a stupid idea. I don't have a working
implementation, and I'm not even sure if it's even possible, but it's a
thought.
--
electronerd (jonathan s myers)
code poet and recycle bin monitor
programmer, monolith3d.com
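The mail argues that a privileged helper should hold only the capability it actually needs instead of all of root's rights. As an added example (not from this thread), the C program below shows the process-side half of that: it drops every capability except CAP_SYS_RAWIO through raw capget/capset and then counts what is left in its effective set; the struct and function names are the example's own, and it assumes a Linux build environment with the uapi header.

```c
#define _GNU_SOURCE
/* Added example, not from the thread: a helper that keeps only the one
 * capability it needs, via raw capget/capset (Linux, no libcap needed). */
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
struct capsets {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
};

/* Read the calling thread's sets (hdr.pid 0 = self); works for any user. */
static int caps_read(struct capsets *c)
{
    *c = (struct capsets){ .hdr = { .version = _LINUX_CAPABILITY_VERSION_3 } };
    return (int)syscall(SYS_capget, &c->hdr, c->data);
}

/* Drop every capability except `keep` from the effective, permitted and
 * inheritable sets. Shrinking needs no privilege, so this also succeeds
 * for a plain user whose sets are already empty. Returns 0 on success. */
static int caps_keep_only(int keep)
{
    struct capsets c;
    if (caps_read(&c) != 0) return -1;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++) {
        uint32_t mask = (i == CAP_TO_INDEX(keep)) ? CAP_TO_MASK(keep) : 0;
        c.data[i].effective   &= mask;
        c.data[i].permitted   &= mask;
        c.data[i].inheritable &= mask;
    }
    return (int)syscall(SYS_capset, &c.hdr, c.data);
}

/* Count capabilities other than `allowed` still effective; -1 on error. */
static int caps_stray_count(int allowed)
{
    struct capsets c; int n = 0;
    if (caps_read(&c) != 0) return -1;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if (cap != allowed && (c.data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)))
            n++;
    return n;
}

int main(void)
{
    if (caps_keep_only(CAP_SYS_RAWIO) != 0) { perror("capset"); return 1; }
    printf("stray effective capabilities: %d\n", caps_stray_count(CAP_SYS_RAWIO));
}
```

Run as a normal user the sets are already empty, so the call is a no-op that still succeeds; run with file capabilities or as root it leaves only CAP_SYS_RAWIO behind, which is the state the mail wants cdrecord to reach.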