>under solaris, scsi tape devices (/dev/rmt/*, which are linked to the st@x,x:
>devs in /devices) are created with the permissions bits set to 666. this allows
>a malicious user with a login on your system to 'mt erase' the contents of any
>tape devices connected to your system.
>
>solution:
>
>this is a tough one. i'll let you figure it out yourself.

Instead of guessing shall I tell you the correct fix!

The correct and recommended fix is to run bsmconv to turn on device allocation. This sets all of the device files for removable media devices such as tapes to 0000. A user who then wants to use a tape should then:

    allocate st0
    insert tape into drive
    tar/ufs*/cpio/dd whatever
    remove tape from drive
    deallocate st0

The same applies to audio and cd devices, though the audio devices are better dealt with using /etc/logindevperm.

If you are concerned about security on Solaris you should always run bsmconv to turn on auditing and device allocation and run ASET to ensure other perms etc are sorted out.

I would recommend running /usr/aset/aset -l high -p

--
Darren J Moffat
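
A check for the condition discussed in the message above, as an added example that is not part of the original post: it lists nodes under /dev/rmt (following the symlinks into /devices) that still grant read or write to "other". The function names are hypothetical; with device allocation on, the post says these modes are 0000, so the list should be empty.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Usage after sourcing this file:  audit_tape_perms /dev/rmt

# world_accessible [DIR]
# Print every non-directory node under DIR whose mode grants read or write
# to "other". DIR defaults to /dev/rmt, the tape directory named in the post.
world_accessible() {
    dir=${1:-/dev/rmt}
    [ -d "$dir" ] || return 2
    # -L makes find test the node a symlink points at (e.g. the st@x,x:
    # entry in /devices) rather than the symlink itself.
    # -perm -004 / -perm -002 match the "other" read and write bits.
    find -L "$dir" ! -type d \( -perm -004 -o -perm -002 \) -print 2>/dev/null | sort
}

# audit_tape_perms [DIR]
# Exit status: 0 = nothing world-accessible, 1 = findings, 2 = DIR missing.
audit_tape_perms() {
    dir=${1:-/dev/rmt}
    found=$(world_accessible "$dir") || {
        echo "no such directory: $dir" >&2
        return 2
    }
    if [ -z "$found" ]; then
        echo "OK: no world-accessible nodes under $dir"
        return 0
    fi
    echo "World-accessible nodes under $dir:"
    # Show mode, owner and group of the real node behind each path.
    echo "$found" | while IFS= read -r node; do
        ls -ldL "$node"
    done
    return 1
}
```

The non-zero exit status on findings lets the check run from cron or a post-install script and fail loudly if a tape node comes back with mode 666.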
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:20:39 PDT