Re: saned - Problem found

becka@rz.uni-duesseldorf.de
Thu, 8 Oct 1998 17:23:44 +0200 (MET DST)

Hi !

> Added both read and write for every one, changed the line in inet.conf
> back to nobody.nobody, and all works well.

Hmm - this isn't a very good solution, but ...

> So, perhaps there should be a note in the man page for saned that on a Red
> Hat 4.2 box, the permissions on the scsi device will need to be changed.
>
> Note, the only scsi device I have at this point is the scanner, if one
> also has disks, then I do not know what security ramifications this might
> have.

Hmm - well this isn't good. Not even for a single device. It depends on how well
the device in question is designed.

The point is that you don't need to be afraid of someone accessing other
devices (except if the hardware in question is a very weird thing that can
initiate transfers), but that you can do about anything to the "open"
device that is exposed by the world-rw-able /dev/sg?.

This can cause the device to do about anything, sometimes (with bad devices)
even things it shouldn't do, like crash, lock the bus, damage its hardware
(yes, this is possible, if you know the device well - Mustek scanners can
push the slider too far, many devices can have their firmware reprogrammed,
so guess what happens if you write garbage in there ...), etc. ...

CU,Andy

-- 
Andreas Beck              |  Email :  <Andreas.Beck@ggi-project.org>
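The mail above warns that a world-rw /dev/sg? node lets any local user push arbitrary commands at the scanner. The script below is an added example, not code from this thread or from the SANE project: it finds device nodes that are readable and writable by "other", and shows the alternative a practitioner would reach for instead of chmod 666, namely keeping the node group-rw and running the daemon as a dedicated account in that group rather than as nobody. The group name "scanner" and the hypothetical saned account are assumptions; regular files are matched alongside char/block nodes only so the check can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the sane-devel thread or the SANE project.
# Assumes a POSIX sh and find; the "scanner" group is an illustrative name.

# List entries under DIR (default /dev) that are both readable and writable
# by "other".  find -perm -006 matches when all of the o+rw bits are set.
# Regular files are included only so the check can run without root/mknod.
world_rw_nodes() {
    dir=${1:-/dev}
    find "$dir" -perm -006 \( -type c -o -type b -o -type f \) 2>/dev/null | sort
}

# Number of such entries, for scripting and for the self-check below.
count_world_rw() {
    world_rw_nodes "$1" | wc -l | tr -d ' '
}

# Take a node out of the world-rw state: drop other's read/write and, when a
# group name is given and exists, hand the node to that group with group rw,
# so a dedicated daemon account placed in that group (instead of "nobody")
# keeps access while every other local user loses it.  Non-zero on failure.
harden_node() {
    node=$1
    grp=$2
    chmod o-rw "$node" || return 1
    if [ -n "$grp" ] && getent group "$grp" >/dev/null 2>&1; then
        chgrp "$grp" "$node" && chmod g+rw "$node"
    fi
    return 0
}

# Audit the real /dev when invoked as: sh sg-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    echo "world-rw device nodes under /dev: $(count_world_rw /dev)"
    world_rw_nodes /dev
fi
```

Used with `--audit` it prints every world-rw node under /dev; `harden_node /dev/sg0 scanner` is the fix the mail's correspondent would apply instead of chmod 666, paired with an inetd entry that runs saned as a user in the scanner group.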

--
Source code, list archive, and docs: http://www.mostang.com/sane/
To unsubscribe: echo unsubscribe sane-devel | mail majordomo@mostang.com