Description of problem: By default, hard disk device special files in /dev/ are created as root:disk mode 0660 (writable by group "disk"). There doesn't appear to be anything actually using sgid disk AFAICT, so group write access is not required. Can we change it to read-only by group "disk?" This would be useful for e.g., putting userid "operator" into group "disk" for performing dumps. That id could then read from the disks, but not write to them (providing a greater safety margin). Note that /etc/dumpdates is already writable by group "disk" so the operator userid would still be able to modify this file as intended. Version-Release number of selected component (if applicable): 3.3.8-2
Making this change for 3.9.2-1.
Reopening.
This bug is not in FC3Blocker and it should be. It's a security issue easy to fix : /etc/udev/permissions.d/50-udev.permissions - hd*:root:disk:660 + hd*:root:disk:640
I don't see that its a security issue per se - we don't ship suid disk apps. I agree with the change however.
> I don't see that its a security issue Check FC2, and /dev/hd* have rw access to group disk. In fact, many other files have write access to group disk. $ find /dev/ -group disk -perm -020 -print | wc 16256 16256 237802 But MAKEDEV have change between fc2 and fc3 : diff 00macros.fc2 00macros.fc3 9c9 < =STORAGE 660 root disk --- > =STORAGE 640 root disk So, it's a udev or MAKEDEV bug.
I am wrong in comment #c5 . According to MAKEDEV (from fc3) all devices with disk group should have root:disk 640 permission. Not only /dev/hd*.