Red Hat Bugzilla – Bug 110197
Make hard disk devices mode 0640?
Last modified: 2007-11-30 17:10:33 EST
Description of problem:
By default, hard disk device special files in /dev/ are created as
root:disk mode 0660 (writable by group "disk").
There doesn't appear to be anything actually using sgid disk AFAICT,
so group write access is not required. Can we change it to read-only
by group "disk?"
This would be useful for e.g., putting userid "operator" into group
"disk" for performing dumps. That id could then read from the disks,
but not write to them (providing a greater safety margin).
Note that /etc/dumpdates is already writable by group "disk" so the
operator userid would still be able to modify this file as intended.
Version-Release number of selected component (if applicable):
Making this change for 3.9.2-1.
This bug is not in FC3Blocker and it should be. It's a security issue
easy to fix :
I don't see that its a security issue per se - we don't ship suid
disk apps. I agree with the change however.
> I don't see that its a security issue
Check FC2, and /dev/hd* have rw access to group disk.
In fact, many other files have write access to group disk.
$ find /dev/ -group disk -perm -020 -print | wc
16256 16256 237802
But MAKEDEV have change between fc2 and fc3 :
diff 00macros.fc2 00macros.fc3
< =STORAGE 660 root disk
> =STORAGE 640 root disk
So, it's a udev or MAKEDEV bug.
I am wrong in comment #c5 .
According to MAKEDEV (from fc3) all devices with disk group should
have root:disk 640 permission. Not only /dev/hd*.