Re: saned - Problem found

Terry Mackintosh (terry@terrym.com)
Thu, 8 Oct 1998 14:23:05 -0400 (EDT)

On Thu, 8 Oct 1998 becka@rz.uni-duesseldorf.de wrote:

> Hi !
>
> > Added both read and write for everyone, changed the line in inet.conf
> > back to nobody.nobody, and all works well.
>
> Hmm - this isn't a very good solution, but ...

OK, I'm listening, what is a better solution?

This is the first time I have EVER had a SCSI device, so I'm not real
familiar with all the ins and outs. The card is an Adaptec 2940 uw, the
scanner is an HP LaserJet 5p, w/ an uw scsi to scsiII adapter cable in the
middle, if all that matters.

I have a group called 'sys':
[root@home /etc]# grep sys group
sys::3:root,bin,adm

Should I run the scanner as nobody.sys? Then I could remove the
permissions for the world from /dev/sga, as the group is sys.

Thanks
Terry

> > So, perhaps there should be a note in the man page for saned that on a Red
> > Hat 4.2 box, the permissions on the SCSI device will need to be changed.
> >
> > Note, the only scsi device I have at this point is the scanner, if one
> > also has disks, then I do not know what security ramifications this might
> > have.
>
> Hmm - well this isn't good. Not even for a single device. It depends on how well
> the device in question is designed.
>
> The point is, that you don't need to be afraid of someone accessing other
> devices (except if the hardware in question is a very weird thing that can
> initiate transfers), but that you can do about anything to the "open"
> device that is exposed by the world-rw-able /dev/sg?.
>
> This can cause the device to do about anything, sometimes (with bad devices)
> even things it shouldn't do, like crash, lock the bus, damage its hardware
> (yes, this is possible, if you know the device well - Mustek scanners can
> push the slider too far, many devices can have their firmware reprogrammed,
> so guess what happens if you write garbage in there ...), etc. ...
>
> CU,Andy
>
> --
> Andreas Beck | Email : <Andreas.Beck@ggi-project.org>
>
> --
> Source code, list archive, and docs: http://www.mostang.com/sane/
> To unsubscribe: echo unsubscribe sane-devel | mail majordomo@mostang.com
>

Terry Mackintosh <terry@terrym.com> http://www.terrym.com
sysadmin/owner Please! No MIME encoded or HTML mail, unless needed.

Proudly powered by R H Linux 4.2, Apache 1.3, PHP 3, PostgreSQL 6.3
-------------------------------------------------------------------
Success Is A Choice ... book by Rick Patino, get it, read it!
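
The group-based setup asked about in this message, sketched as an added example (not part of the original post and not code from the SANE project): it lists SCSI generic nodes that are still open to every local user and restricts a node to owner and group. The function names are hypothetical, and the inetd.conf line in the comment uses an assumed service name and binary path.

```shell
#!/bin/sh
# Added example: find world-accessible /dev/sg? nodes and restrict them to a group.
#
# Matching inetd.conf entry, using the user.group field mentioned in the thread
# (service name "sane" and the saned path are assumptions, adjust to your install):
#   sane stream tcp nowait nobody.sys /usr/sbin/saned saned

# Print the octal permission bits of a file (GNU stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# world_accessible PATH...
# Print "path mode" for every existing path whose "other" bits grant read or write.
world_accessible() {
    for node in "$@"; do
        [ -e "$node" ] || continue
        mode=$(mode_of "$node")
        other=${mode#"${mode%?}"}      # last octal digit = permissions for "other"
        # 4 = read, 2 = write: either one lets any local user talk to the device
        if [ $((other & 6)) -ne 0 ]; then
            printf '%s %s\n' "$node" "$mode"
        fi
    done
}

# restrict_to_group GROUP PATH...
# Hand the node to GROUP and drop all world access (mode 0660).
restrict_to_group() {
    group=$1
    shift
    chgrp "$group" "$@" && chmod 660 "$@"
}

# Audit the SCSI generic nodes on this machine; prints nothing if none are exposed.
world_accessible /dev/sg*

# To apply the change from the thread (as root):
#   restrict_to_group sys /dev/sga
```

After the change, `world_accessible /dev/sga` prints nothing, and only processes running as the owner or in the chosen group (here saned via the `nobody.sys` entry) can open the device.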
