device protections under 4.8

Post by Mike Sco » Sun, 22 Jun 2003 16:23:11



I'm not sure if something went wrong during the installation, but
under a new 4.8 system I've found the protections on /dev/mem, kmem,
stdin, stdout, stderr very restrictive.

In particular, mem & kmem were owned by root.wheel, with protection
0700, which effectively stopped, eg, "top" from working.  I've changed
those to be group kmem, and group-readable -- is this likely to open
up some gaping security hole?

Similarly, the protection on /dev/stdin (again 0700 iirc) annoys
tvtwm, which can't run m4 as it wishes, and I'm currently having to
use tvtwm -M

Has anyone else had these problems?  What should the
ownership/protections be?

TIA.

--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
regards. Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)  

 
 
 

Post by Andrey Simonenk » Sun, 22 Jun 2003 16:38:54



> I'm not sure if something went wrong during the installation, but
> under a new 4.8 system I've found the protections on /dev/mem, kmem,
> stdin, stdout, stderr very restrictive.

> In particular, mem & kmem were owned by root.wheel, with protection
> 0700, which effectively stopped, eg, "top" from working.  I've changed
> those to be group kmem, and group-readable -- is this likely to open
> up some gaping security hole?

> Similarly, the protection on /dev/stdin (again 0700 iirc) annoys
> tvtwm, which can't run m4 as it wishes, and I'm currently having to
> use tvtwm -M

> Has anyone else had these problems?  What should the
> ownership/protections be?

First of all, try to find out who made those changes and why.

Second, the /etc/MAKEDEV script can restore device files and set
owners and modes to default values: "MAKEDEV all".  I suggest
backing up the previous contents of the /dev directory (ls -l /dev)
before running the MAKEDEV script; this will allow you to
find device files with changed owners and modes.
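
Added example, not part of the post above or of FreeBSD itself: one way to do the before/after comparison it describes, by diffing two saved "ls -l /dev" listings on mode, owner and group. The function names, file paths and the sample listings are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: report device nodes whose mode, owner or group differ between
# two saved "ls -l /dev" listings, e.g. taken before and after a MAKEDEV run:
#   ls -l /dev > /root/dev.before ; <run MAKEDEV> ; ls -l /dev > /root/dev.after
#   dev_changes /root/dev.before /root/dev.after
# (the /root/dev.* paths are hypothetical)

dev_changes() {
    LC_ALL=C awk '
        $1 !~ /^[bc]/ { next }              # block/character device nodes only
        { now = $1 " " $3 ":" $4 }          # "mode owner:group"; $NF is the name
        FILENAME == ARGV[1] { old[$NF] = now; next }
        !($NF in old)       { printf "%s: (absent) -> %s\n", $NF, now; next }
        old[$NF] != now     { printf "%s: %s -> %s\n", $NF, old[$NF], now }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample listings (not taken from a real system).
sample_before() {
    cat <<'EOF'
total 0
crwx------  1 root  wheel    2,   1 Jun 21 09:10 kmem
crwx------  1 root  wheel    2,   0 Jun 21 09:10 mem
crw-rw-rw-  1 root  wheel    2,   2 Jun 21 09:10 null
crwx------  1 root  wheel   22,   0 Jun 21 09:10 stdin
EOF
}
sample_after() {
    cat <<'EOF'
total 0
crw-r-----  1 root  kmem     2,   1 Jun 21 09:30 kmem
crw-r-----  1 root  kmem     2,   0 Jun 21 09:30 mem
crw-rw-rw-  1 root  wheel    2,   2 Jun 21 09:30 null
crw-rw-rw-  1 root  wheel   22,   0 Jun 21 09:30 stdin
crw-rw-rw-  1 root  wheel    2,  12 Jun 21 09:30 zero
EOF
}

# Run the comparison on the constructed listings.
demo() {
    dir="${TMPDIR:-/tmp}/devperm.$$"
    mkdir -p "$dir" || return 1
    sample_before > "$dir/before"
    sample_after  > "$dir/after"
    dev_changes "$dir/before" "$dir/after"
    rm -rf "$dir"
}
demo
```

Unchanged nodes (null in the sample) produce no output, so every line printed is a node worth reviewing before deciding whether the new or the old setting is the one you want.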

 
 
 

Post by Mike Sco » Mon, 23 Jun 2003 05:04:20


On Sat, 21 Jun 2003 07:38:54 +0000 (UTC), Andrey Simonenko



...
>> In particular, mem & kmem were owned by root.wheel, with protection
>> 0700, which effectively stopped, eg, "top" from working.  I've changed
>> those to be group kmem, and group-readable -- is this likely to open
>> up some gaping security hole?

>> Similarly, the protection on /dev/stdin (again 0700 iirc) annoys
>> tvtwm, which can't run m4 as it wishes, and I'm currently having to
>> use tvtwm -M
...
>First of all try to find out who and why made those changes.

No-one, afaik.  The system is just about pristine, give or take a few
installed packages.

>Second, the /etc/MAKEDEV script can restore device files and set
>owners and modes to default values: "MAKEDEV all".  I suggest
>to backup previous content of the /dev directory (ls -l /dev),
>before running the MAKEDEV script, this will allow you to
>find devices files with changed owners and modes.

I'll give that a whirl, thanks.

--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
regards. Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)  

 
 
 

Post by Peter Billa » Mon, 23 Jun 2003 06:55:11




>> I'm not sure if something went wrong during the installation, but
>> under a new 4.8 system I've found the protections on /dev/mem, kmem,
>> stdin, stdout, stderr very restrictive.
>  ...
> Second, the /etc/MAKEDEV script can restore device files and set
> owners and modes to default values: "MAKEDEV all".  I suggest
> to backup previous content of the /dev directory (ls -l /dev),
> before running the MAKEDEV script, this will allow you to
> find devices files with changed owners and modes.

Sounds like the securelevel thing I ran into (15 May 2003).
I re-installed choosing standard security, and ended up wishing
that perhaps the dialog box that asks about security level ought
to mention not just sendmail and sshd but also all the other things
involved (17 May 2003) ...

Regards,  Peter Billam

--

Peter Billam       www.pjb.com.au      peter.billam at pjb.com.au
Original compositions, and arrangements of Bach, Schubert, Brahms...

 
 
 
