On Thursday 30 April 2009 06:35:51 am James Knott wrote:
> As I mentioned, I am not a member of disk, though my comment about
> joining the group is valid for other devices. I currently have a CD
> mounted and the permissions are: dr-xr-xr-x 6 jknott root 2048
> 2007-03-28 15:06 LJ-1994-2006. So I apparently "own" the mounted CD
> with read & execute permissions.

James,
the problem is that when a user joins the disk group it is the same as being
root; there is no difference in access permissions.
As a member of group users you can't write directly to the disk; as a member of
group disk you can.
The million-times-explained system protection through limited access is
effectively removed. A misbehaving application/script will not fail if it
attempts to write to /dev/ and the user can have his music written directly to
the disk, although nothing will read the disk after that.
The only way is to have the ACL set as it is for:
crw-rw----+ 1 root disk 21, 2 Apr 29 15:23 /dev/sg2
brw-rw----+ 1 root disk 11, 0 Apr 29 15:23 /dev/sr0
Note the + after the permissions.
That was set wrong in the released version, but a patch was published shortly
after, and all that Duane has to do is to apply the patch, i.e. run online updates.
Now his system is protected only from good applications that check the user ID
before they run; all others can wipe his disks, or do any other damage.
I commented not because I'm worried about you, you are an old Linux user, but
about Duane and all others that will find this mail interchange through Google
and, applying the advice, turn their nice Linux box into something like Win 98.
--
Regards, Rajko
http://news.opensuse.org/category/people-of-opensuse/
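
The check described in the mail above, as an added example that is not part of the original message: it reads `ls -l` lines for device nodes and `/etc/group`-format text, then lists who gains raw write access through group membership and which nodes carry an ACL. The group file, the user names `alice` and `bob`, and the `/dev/sda` line are constructed sample data; the two ACL lines are the ones quoted in the mail.

```python
import re

# Constructed sample input so the example runs offline.
GROUP_FILE = """\
root:x:0:
disk:x:6:alice
users:x:100:alice,bob
"""
LS_OUTPUT = """\
crw-rw----+ 1 root disk 21, 2 Apr 29 15:23 /dev/sg2
brw-rw----+ 1 root disk 11, 0 Apr 29 15:23 /dev/sr0
brw-rw---- 1 root disk 8, 0 Apr 29 15:23 /dev/sda
"""

# Block/char device line from `ls -l`; a trailing "+" marks an ACL.
LS_RE = re.compile(
    r"^(?P<mode>[bc][rwxsStT-]{9})(?P<acl>\+?)\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+.*\s(?P<path>/\S+)$"
)

def group_members(group_text):
    """Map group name -> supplementary members (/etc/group format).
    Users whose primary group is set in /etc/passwd are not covered."""
    members = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4:
            members[parts[0]] = [u for u in parts[3].split(",") if u]
    return members

def audit(ls_text, group_text):
    """Report, per device node, the users who can write via its group."""
    members = group_members(group_text)
    findings = []
    for line in ls_text.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue
        # Mode index 5 is the group write bit. When an ACL is present,
        # ls shows the ACL mask there, so treat the result as an upper
        # bound and confirm with getfacl.
        group_write = m["mode"][5] == "w"
        findings.append({
            "path": m["path"],
            "group": m["group"],
            "has_acl": m["acl"] == "+",
            "writers_via_group": sorted(members.get(m["group"], []))
                                 if group_write else [],
        })
    return findings

if __name__ == "__main__":
    for f in audit(LS_OUTPUT, GROUP_FILE):
        print(f)
```

Any non-root name in `writers_via_group` for a whole-disk node such as the constructed `/dev/sda` entry is the situation the mail warns about.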