Re: only root has access to /dev/mem ?

Rogier Wolff (R.E.Wolff@BitWizard.nl)
Tue, 14 Sep 1999 08:14:02 +0200 (MEST)


Alan Cox wrote:
> > since I am using 2.2.12 I had no permissions to write on /dev/mem
> > I belong to the group kmem who has +rw on it, I can't write
> > when I chown it the user still can't write on it
> > only root can??
> > was it a security bug or so??
>
> Tightening rather than anything else. You need the RAWIO capability to use
> /dev/mem or /dev/kmem. You can drop all other capabilities

Huh? Why would you require a capability when normal filesystem
permissions already work? I mean there used to be a whole lot of ioctls
and stuff that required "root", but now require a capability. Good.

So far the capabilities have always been "compatible", people who
don't care needn't care.

Ok, giving someone write access to /dev/mem effectively gives away
root access, but suppose we have a setuid-kmem(*) application that does
something specific with kmem. We don't want it to have filesystem
permissions associated with "root", so we make it setuid-kmem, and
give that user access to /dev/mem.

How do I make an application set-capability-rawio?

Roger.

(*) Or setgid. Whatever.

-- 
** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------
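
The step Alan Cox's reply describes (keep RAWIO, drop all other capabilities), as an added example that is not part of the original message or of the kernel source. It calls the raw capget/capset syscalls; the function names are made up for this example, and it only ever removes capabilities, so it also runs unprivileged.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Clear every capability bit except CAP_SYS_RAWIO. Bits that were not
 * already set stay clear, so the result is always a subset of the input. */
void keep_only_rawio(struct __user_cap_data_struct d[2])
{
    const __u32 keep = 1u << CAP_SYS_RAWIO;   /* capability 17, word 0 */
    d[0].effective &= keep;
    d[0].permitted &= keep;
    d[0].inheritable = 0;                     /* nothing handed on across execve */
    memset(&d[1], 0, sizeof d[1]);            /* capabilities 32..63 */
}

/* Read the calling thread's capability sets. Returns 0 on success. */
int read_caps(struct __user_cap_data_struct d[2])
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &h, d);
}

/* Reduce the calling thread to at most CAP_SYS_RAWIO. Returns 0 on success. */
int drop_to_rawio(void)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (read_caps(d) != 0)
        return -1;
    keep_only_rawio(d);
    return (int)syscall(SYS_capset, &h, d);
}

int main(void)
{
    struct __user_cap_data_struct d[2];
    if (drop_to_rawio() != 0 || read_caps(d) != 0) {
        perror("capabilities");
        return 1;
    }
    printf("CAP_SYS_RAWIO %s; other effective bits: %#x %#x\n",
           ((d[0].effective >> CAP_SYS_RAWIO) & 1) ? "held" : "not held",
           d[0].effective & ~(1u << CAP_SYS_RAWIO), d[1].effective);
    /* A helper that needs /dev/mem would open it at this point. */
    return 0;
}
```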
